Full Report
Siemens has released a new version of STEP 7 (TIA Portal) that fixes an information disclosure vulnerability. A local attacker could gain access to the access level password of the SIMATIC S7-1200 and S7-1500 CPUs, when entered by a legitimate user in the hardware configuration of the affected application.
Analysis Summary
# Vulnerability: Information Disclosure in SIMATIC STEP 7 (TIA Portal)
## CVE Details
- **CVE ID:** CVE-2022-46141
- **CVSS Score:** 4.2 (Medium)
- **CWE:** CWE-316: Cleartext Storage of Sensitive Information in Memory
## Affected Systems
- **Products:** SIMATIC STEP 7 (TIA Portal)
- **Versions:** All versions prior to V19
- **Configurations:** Systems where hardware configurations for SIMATIC S7-1200 and S7-1500 CPUs are being managed.
## Vulnerability Description
An information disclosure vulnerability exists in the way SIMATIC STEP 7 (TIA Portal) handles sensitive data in memory. When a legitimate user enters an access level password for SIMATIC S7-1200 or S7-1500 CPUs within the hardware configuration module, the application may store this information in a manner accessible to other local processes. Specifically, the weakness relates to the cleartext storage of sensitive information in memory (CWE-316).
## Exploitation
- **Status:** PoC available (CVSS "Exploit Code Maturity: Proof-of-Concept", E:P)
- **Complexity:** Low
- **Attack Vector:** Local (Attacker must have local access to the workstation where TIA Portal is running)
- **Required Privileges:** High (PR:H)
- **User Interaction:** Required (UI:R) - A legitimate user must enter the password in the hardware configuration while the attacker has local access to the workstation.
## Impact
- **Confidentiality:** High (Access level passwords for industrial controllers can be compromised)
- **Integrity:** None (Directly from this vulnerability)
- **Availability:** None (Directly from this vulnerability)
## Remediation
### Patches
Siemens recommends updating to the latest version of the engineering software:
- **SIMATIC STEP 7 (TIA Portal):** Update to V19 or later.
- Download Link: [hxxps://support.industry.siemens.com/cs/ww/en/view/109820994/]
### Workarounds
No specific software workaround is provided other than upgrading. However, general security mitigations include:
- Restrict physical and interactive local access to engineering workstations to authorized personnel only.
- Follow General Security Recommendations for Industrial Security to protect the environment where engineering tasks are performed.
## Detection
- **Indicators of compromise:** Presence of unauthorized tools or processes monitoring memory strings on the TIA Portal workstation.
- **Detection methods and tools:** Use Endpoint Detection and Response (EDR) tools to monitor for suspicious processes attempting to read the memory space of the TIA Portal application (e.g., `TIA Portal.exe`).
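The detection method above can be implemented as a log rule rather than relying on manual review. The following is an added example, not part of the advisory or of any Siemens tooling: it parses Sysmon Event ID 10 (ProcessAccess) records, which report the `SourceImage`, `TargetImage` and `GrantedAccess` mask of every cross-process handle open, and flags any process that obtains `PROCESS_VM_READ` on the `TIA Portal.exe` image named on this page. The install path, the allowlisted EDR agent path and all sample events are constructed for the example; Sysmon's field names and the Windows access-right constants are real.

```python
import json
from typing import Dict, Iterable, List

# Windows process access rights (winnt.h). PROCESS_VM_READ is the bit a
# process needs to read another process's memory, which is the capability
# CWE-316 makes dangerous here.
PROCESS_VM_READ = 0x0010
PROCESS_QUERY_INFORMATION = 0x0400

# Image names (lower-cased, no path) whose memory holds the entered access
# level password. Taken from the advisory text above.
PROTECTED_IMAGES = {"tia portal.exe"}

# Hypothetical allowlist: full paths of processes expected to open TIA Portal
# with VM_READ in a given site (e.g. the site's EDR sensor). Tune per
# environment; these paths are constructed placeholders.
ALLOWED_SOURCES = {
    r"c:\program files\example-edr\edr-sensor.exe",
}


def parse_sysmon_event10(line: str) -> Dict[str, object]:
    """Parse one JSON-serialised Sysmon event (as emitted by common log
    forwarders) into the handful of fields the rule needs.
    GrantedAccess arrives as a hex string such as "0x1010"."""
    rec = json.loads(line)
    return {
        "event_id": int(rec.get("EventID", 0)),
        "utc": rec.get("UtcTime", ""),
        "source": str(rec.get("SourceImage", "")).lower(),
        "target": str(rec.get("TargetImage", "")).lower(),
        "granted": int(str(rec.get("GrantedAccess", "0x0")), 16),
    }


def is_suspicious_memory_read(ev: Dict[str, object],
                              allowed_sources: Iterable[str] = ALLOWED_SOURCES) -> bool:
    """True when a non-allowlisted process obtained a handle with VM_READ
    on a protected engineering-software process."""
    if ev["event_id"] != 10:
        return False
    target_name = str(ev["target"]).rsplit("\\", 1)[-1]
    if target_name not in PROTECTED_IMAGES:
        return False
    if not (int(ev["granted"]) & PROCESS_VM_READ):
        return False  # e.g. only PROCESS_QUERY_LIMITED_INFORMATION: cannot read memory
    if ev["source"] == ev["target"]:
        return False  # a process opening a handle to itself is normal
    if ev["source"] in {s.lower() for s in allowed_sources}:
        return False
    return True


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Run the rule over a stream of JSON lines and return the offending events."""
    events = (parse_sysmon_event10(ln) for ln in lines if ln.strip())
    return [ev for ev in events if is_suspicious_memory_read(ev)]


# Constructed sample records, shaped like Sysmon Event ID 10 as forwarded in JSON.
_TIA = r"C:\Program Files\Siemens\Automation\Portal V18\Bin\TIA Portal.exe"  # constructed path
SAMPLE_EVENTS = [
    # Unknown binary reads TIA Portal memory (QUERY_INFORMATION | VM_READ) -> alert
    {"EventID": 10, "UtcTime": "2023-02-14 09:12:03.114",
     "SourceImage": r"C:\Users\operator\Downloads\unknown-tool.exe",
     "TargetImage": _TIA, "GrantedAccess": "0x1010"},
    # Same binary reading explorer.exe -> not a protected image, no alert
    {"EventID": 10, "UtcTime": "2023-02-14 09:12:03.201",
     "SourceImage": r"C:\Users\operator\Downloads\unknown-tool.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1010"},
    # Allowlisted EDR sensor with full access -> no alert
    {"EventID": 10, "UtcTime": "2023-02-14 09:12:04.007",
     "SourceImage": r"C:\Program Files\Example-EDR\edr-sensor.exe",
     "TargetImage": _TIA, "GrantedAccess": "0x1fffff"},
    # Task Manager with QUERY_LIMITED_INFORMATION only (0x1000) -> cannot read memory
    {"EventID": 10, "UtcTime": "2023-02-14 09:12:05.550",
     "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": _TIA, "GrantedAccess": "0x1000"},
    # A process-creation event (ID 1) is ignored by this rule
    {"EventID": 1, "UtcTime": "2023-02-14 09:12:06.000",
     "Image": _TIA, "CommandLine": "\"" + _TIA + "\""},
]
SAMPLE_LINES = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LINES):
        print(f"{hit['utc']} ALERT: {hit['source']} opened {hit['target']} "
              f"with GrantedAccess=0x{int(hit['granted']):x}")
```

The rule keys on the access mask rather than on the tool name, so it does not depend on knowing which memory-reading utility is in use; the allowlist absorbs the legitimate readers (backup agents, EDR sensors) that would otherwise generate noise.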
## References
- **Siemens Security Advisory (SSA-887801):** [hxxps://cert-portal.siemens.com/productcert/pdf/ssa-887801.pdf]
- **Siemens Industrial Security Home:** [hxxps://www.siemens.com/industrialsecurity]
- **Operational Guidelines for Industrial Security:** [hxxps://www.siemens.com/cert/operational-guidelines-industrial-security]