# Full Report
Affected products do not properly sanitize user-controllable input when parsing files. This could allow an attacker to cause a type confusion and execute arbitrary code within the affected application. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends countermeasures for products where fixes are not, or not yet, available.
# Analysis Summary
# Vulnerability: Session-Memory Deserialization Vulnerability in Siemens Engineering Platforms
## CVE Details
- CVE ID: CVE-2023-32736
- CVSS Score: 7.3 (High) [CVSS v3.1] / 7.0 (High) [CVSS v4.0]
- CWE: CWE-502: Deserialization of Untrusted Data
## Affected Systems
- Products:
  - SIMATIC S7-PLCSIM (V16, V17)
  - SIMOTION SCOUT TIA (V5.4 SP1)
  - Totally Integrated Automation Portal (TIA Portal) (V16 and V17 mentioned; general TIA Portal also listed)
  - SIMATIC STEP 7 Safety (V16)
  - SIMATIC STEP 7 (V16)
  - SIMATIC WinCC Unified (V16)
  - SIMATIC WinCC (V16)
  - SIMOCODE ES (V16)
  - SINAMICS Startdrive (V16)
  - TIA Portal Cloud (V16)
- Versions: All versions for most listed products (specifically those affected by CVE-2023-32736). The advisory references V16, V17, and V5.4 SP1.
- Configurations: Vulnerable when parsing user settings/files containing user-controllable input.
## Vulnerability Description
Affected Siemens engineering software fails to properly sanitize user-controllable input when parsing files (specifically user settings). This vulnerability, identified as a Deserialization of Untrusted Data flaw, could allow a remote or local attacker to trigger a **type confusion** condition, leading to the execution of arbitrary code within the context of the affected application.
## Exploitation
- Status: PoC available (implied by the high impact and by the CVSS vector's exploit-maturity value E:P, Proof-of-Concept)
- Complexity: Low (CVSS v3.1 vector indicates AC:L, Low Attack Complexity)
- Attack Vector: Local (CVSS v3.1 vector indicates AV:L, Local)
## Impact
- Confidentiality: High (C:H)
- Integrity: High (I:H)
- Availability: High (A:H)
## Remediation
### Patches
The advisory indicates that for several specific product versions (e.g., S7-PLCSIM V16/V17, SIMOTION SCOUT TIA V5.4 SP1, TIA Portal V16, and several V16 components), **currently no fix is planned**.
Siemens recommends updating to the latest versions for products where fixes *are* available (details not fully enumerated in the truncated text, directing users to the full advisory).
### Workarounds
Siemens recommends countermeasures/workarounds for products where fixes are not, or not yet available. Users must consult the full Siemens advisory for specific mitigation strategies for unpatched products like TIA Portal V16 and associated V16 components.
## Detection
- Indicators of Compromise: Exploitation would likely involve unusual process behavior or crashes/exceptions related to file parsing within the listed engineering applications.
- Detection methods and tools: Monitoring file access to user settings/project files by untrusted entities. Application monitoring/integrity checks on the affected Siemens software installations.
## References
- Vendor Advisories:
  - https://cert-portal.siemens.com/productcert/html/ssa-871035.html
- Relevant links (defanged):
  - Siemens Advisory Home: https://www.siemens.com/cert/advisories
  - Terms of Use: https://www.siemens.com/productcert/terms-of-use