Full Report
SIMATIC WinCC V7 is affected by a vulnerability that could allow a local attacker to inject arbitrary code and escalate privileges if a non-default installation path was chosen during installation. Siemens has released an update for SIMATIC WinCC and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Local Code Execution via Improper Permissions in SIMATIC WinCC V7
## CVE Details
- CVE ID: CVE-2023-30897
- CVSS Score: 7.8 (High)
- CWE: CWE-732: Incorrect Permission Assignment for Critical Resource
## Affected Systems
- Products: SIMATIC WinCC
- Versions: All versions older than V7.5.2.13
- Configurations: When SIMATIC WinCC V7 is installed to a **non-default installation path**.
## Vulnerability Description
The vulnerability exists because affected applications fail to set proper access rights for their installation folder when a non-default installation path is chosen during setup. This improper permission assignment could allow a locally authenticated attacker to inject arbitrary code and subsequently escalate privileges on the affected system.
## Exploitation
- Status: Exploit maturity per the CVSS temporal vector is Proof-of-Concept (E:P).
- Complexity: Low (AC:L)
- Attack Vector: Local (AV:L)
## Impact
- Confidentiality: High (C:H)
- Integrity: High (I:H)
- Availability: High (A:H)
## Remediation
### Patches
- Update SIMATIC WinCC to **V7.5.2.13 or a later version**.
### Workarounds
1. **Harden Access:** Harden the application server to prevent local access by untrusted personnel.
2. **Permission Correction:** After installation to a non-default folder, manually ensure that the access permissions of that folder are equal to the permissions of the default `Program Files` folder.
3. **Default Install:** Always use the default installation path when installing SIMATIC WinCC V7.
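A way to carry out workaround 2 from an administrator's console, as an added PowerShell example that is not part of the Siemens advisory or of WinCC itself: it lists every access control entry on the chosen installation folder that grants write-class rights to Everyone, Authenticated Users, Users or Interactive (typically inherited from a data drive's root), and with `-Fix` replaces the folder's DACL with a copy of the `Program Files` DACL with inheritance disabled. The path `D:\WinCC` is an assumed placeholder, not a path from the advisory.

```powershell
# Added example, not Siemens code. Audit (and optionally correct) the DACL of a
# non-default SIMATIC WinCC installation folder against the default Program Files
# folder, as workaround 2 of the advisory describes. Run from an elevated console.
param(
    [string]$InstallPath   = 'D:\WinCC',        # assumed placeholder
    [string]$ReferencePath = $env:ProgramFiles, # default install location
    [switch]$Fix
)

# Well-known SIDs that any local account holds; write rights for these let an
# unprivileged user plant or replace a binary in the install tree.
$LowPrivSids = @(
    'S-1-1-0',      # Everyone
    'S-1-5-11',     # Authenticated Users
    'S-1-5-32-545', # Users
    'S-1-5-4'       # Interactive
)

# Rights that allow creating, replacing or re-permissioning files in a folder
$WriteMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
             [System.Security.AccessControl.FileSystemRights]::Delete -bor
             [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
             [System.Security.AccessControl.FileSystemRights]::TakeOwnership
$GenericWrite = 0x40000000   # GENERIC_WRITE, appears on ACEs as a raw bit
$GenericAll   = 0x10000000   # GENERIC_ALL

function Get-WeakAce {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $sid = $ace.IdentityReference.Translate(
                       [System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # orphaned SID, cannot be a low-privilege group
        if ($LowPrivSids -notcontains $sid) { continue }
        $bits = [int]$ace.FileSystemRights
        if ((($bits -band $WriteMask) -ne 0) -or
            (($bits -band $GenericWrite) -ne 0) -or
            (($bits -band $GenericAll) -ne 0)) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Write-Host "Reference ($ReferencePath): $((@(Get-WeakAce -Path $ReferencePath)).Count) weak ACE(s)"
$weak = @(Get-WeakAce -Path $InstallPath)
if ($weak.Count -eq 0) {
    Write-Host "$InstallPath grants no write-class rights to low-privilege principals."
} else {
    Write-Warning "$InstallPath has $($weak.Count) weak ACE(s):"
    $weak | Format-Table -AutoSize
}

if ($Fix -and $weak.Count -gt 0) {
    # Copy only the DACL (section 'Access') so the owner is left untouched, then
    # mark it protected so the drive root's permissive ACEs stop propagating.
    $refSddl = (Get-Acl -Path $ReferencePath).GetSecurityDescriptorSddlForm('Access')
    $newAcl  = New-Object System.Security.AccessControl.DirectorySecurity
    $newAcl.SetSecurityDescriptorSddlForm($refSddl)
    $newAcl.SetAccessRuleProtection($true, $false)
    Set-Acl -Path $InstallPath -AclObject $newAcl
    Write-Host "DACL of $InstallPath replaced with that of $ReferencePath."
    Get-WeakAce -Path $InstallPath | Format-Table -AutoSize   # should print nothing
}
```

The inherited flag in the report is the interesting column: a fresh NTFS data volume grants Authenticated Users modify rights at its root, so a folder created under `D:\` silently inherits them, which is why the fix disables inheritance rather than only removing individual entries. Subfolders or files that already carry their own explicit ACEs are not rewritten by `Set-Acl` on the parent, so run the audit against them too (or reset them with `icacls <path> /reset /T`) after applying the fix.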
## Detection
- **Indicators of Compromise (IoCs):** Not explicitly listed in the advisory; the likely indicators are unauthorized file modifications within the WinCC installation directory and unexpected process execution originating from that location.
- **Detection Methods and Tools:** File integrity monitoring (FIM) of the installation path for unauthorized modification of existing files or creation of new binaries.
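To put the detection note into practice, as an added PowerShell example that is neither Siemens code nor part of WinCC: it records a SHA-256 baseline of the installation tree and on later runs reports new, modified and removed files, calling out new executables together with their owner, because a binary owned by an unprivileged account inside the install tree is exactly the condition this CWE-732 issue creates. Both paths are assumed placeholders.

```powershell
# Added example, not Siemens code. Minimal file-integrity check for a WinCC
# installation folder. Run once with -Mode Baseline right after a trusted
# install or update, then periodically with -Mode Check (e.g. from a scheduled
# task running as SYSTEM so the baseline file is not writable by normal users).
param(
    [string]$InstallPath  = 'D:\WinCC',                                  # assumed placeholder
    [string]$BaselineFile = "$env:ProgramData\wincc-fim-baseline.json",  # assumed placeholder
    [ValidateSet('Baseline', 'Check')][string]$Mode = 'Check'
)

# Extensions whose unexpected appearance is the strongest signal for this issue
$ExecPattern = '\.(exe|dll|ocx|sys|ps1|bat|cmd|vbs|js)$'

# Map of relative path -> SHA-256 for every file under $Root
function Get-TreeHash {
    param([string]$Root)
    $root  = (Resolve-Path -Path $Root).Path.TrimEnd('\')
    $table = @{}
    Get-ChildItem -Path $root -Recurse -File -Force | ForEach-Object {
        $rel = $_.FullName.Substring($root.Length + 1)
        $table[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $table
}

if ($Mode -eq 'Baseline') {
    Get-TreeHash -Root $InstallPath | ConvertTo-Json | Set-Content -Path $BaselineFile
    Write-Host "Baseline written to $BaselineFile"
    return
}

# Rebuild a hashtable from the stored JSON object
$baseline = @{}
(Get-Content -Raw -Path $BaselineFile | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $baseline[$_.Name] = $_.Value }
$current  = Get-TreeHash -Root $InstallPath
$findings = @()

foreach ($rel in $current.Keys) {
    if (-not $baseline.ContainsKey($rel)) {
        $full  = Join-Path -Path $InstallPath -ChildPath $rel
        $owner = (Get-Acl -Path $full).Owner
        $kind  = if ($rel -match $ExecPattern) { 'NEW-EXECUTABLE' } else { 'NEW' }
        $findings += [pscustomobject]@{ Finding = $kind; File = $rel; Owner = $owner }
    } elseif ($baseline[$rel] -ne $current[$rel]) {
        $findings += [pscustomobject]@{ Finding = 'MODIFIED'; File = $rel; Owner = '' }
    }
}
foreach ($rel in $baseline.Keys) {
    if (-not $current.ContainsKey($rel)) {
        $findings += [pscustomobject]@{ Finding = 'REMOVED'; File = $rel; Owner = '' }
    }
}

if ($findings.Count -eq 0) {
    Write-Host "No changes under $InstallPath since baseline."
} else {
    # NEW-EXECUTABLE entries whose Owner is not SYSTEM, Administrators or
    # TrustedInstaller deserve the first look.
    $findings | Sort-Object Finding | Format-Table -AutoSize
    exit 1
}
```

Exclude or separately baseline directories the runtime legitimately writes to (logs, archives, project data), otherwise every check fires; a real FIM deployment would also forward the findings to the SIEM and re-baseline only after a verified vendor update.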
## References
- Vendor Advisory SSA-914026: hxxps://cert-portal.siemens.com/productcert/html/ssa-914026.html
- Siemens Support Update Link: hxxps://support.industry.siemens.com/cs/ww/en/view/109793460/
- CVSS Vector Reference: hxxps://www.first.org/cvss/
- CWE Reference: hxxps://cwe.mitre.org/