Full Report
SIMATIC STEP 7 and PCS 7 contain a database management system that could allow remote users to invoke embedded functions of the database (operating on local paths or on a network share) that have an impact on the server. An attacker with network access to the server network could leverage these embedded functions to run code on the database management system's server (the machine where STEP 7 or PCS 7 is running). Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where fixes are not available, or not yet available.
Analysis Summary
# Vulnerability: Remote Code Execution via Embedded Database Functions in SIMATIC STEP 7/PCS 7
## CVE Details
- CVE ID: CVE-2023-25910
- CVSS Score: 10.0 (Critical)
- CWE: CWE-94: Improper Control of Generation of Code ('Code Injection')
## Affected Systems
- Products: SIMATIC PCS 7, SIMATIC S7-PM, SIMATIC STEP 7 V5
- Versions:
- SIMATIC PCS 7: All versions < V9.1 SP2 UC04
- SIMATIC S7-PM: V5.7 SP1 branch, all versions < V5.7 SP1 HF1; V5.7 SP2 branch, all versions < V5.7 SP2 HF1
- SIMATIC STEP 7 V5: All versions < V5.7
- Configurations: Requires network access to the server network.
## Vulnerability Description
The affected software packages include a database management system. A remote attacker with network access to the server network can exploit this flaw by invoking functions embedded in the database; these functions act on local paths or on network shares. No prior authentication is required: a CVSS v3.1 base score of 10.0 is only reachable with PR:N and UI:N, so the "low-privileged" qualifier sometimes attached to this issue is inconsistent with the published score. Successful exploitation allows the attacker to run code on the server hosting the database management system (the machine where STEP 7 or PCS 7 is running); the scope change (S:C) reflects that the impact extends from the database to the host itself.
## Exploitation
- Status: The summary does not report exploitation in the wild. The temporal metrics carried with the score (E:P) indicate that a proof of concept exists; exploit maturity is a temporal metric and is not implied by the base score itself.
- Complexity: Low (AC:L)
- Attack Vector: Network (AV:N)
- Privileges Required: None (PR:N) and User Interaction: None (UI:N); both follow necessarily from a base score of 10.0.
## Impact
- Confidentiality: High (C:H)
- Integrity: High (I:H)
- Availability: High (A:H)
- Scope: Changed (S:C); the vulnerable database component is the entry point, but the compromised resource is the host running STEP 7 or PCS 7.
## Remediation
### Patches
- **SIMATIC PCS 7:** Update to V9.1 SP2 UC04 or later.
- **SIMATIC S7-PM:**
- Update to V5.7 SP1 HF1 or later (for versions < V5.7 SP1 HF1).
- Update to V5.7 SP2 HF1 or later (for versions < V5.7 SP2 HF1).
- **SIMATIC STEP 7 V5:** Update to V5.7 or later.
### Workarounds
1. **Network Restriction:** If multiple Engineering Systems are in use, limit remote access to **port 2638/tcp** (the IANA-registered SQL Anywhere database port) to trusted Engineering Systems only. Scope the rule by source address; a rule that merely blocks the port would also cut off the legitimate Engineering Systems.
2. **User Restriction:** If multiple Engineering Systems are in use, ensure user accounts are restricted to the minimum required operating rights.
3. **Single Terminal Mode:** If only one Engineering System is in use, consider switching to "Single terminal system" mode in the "Configure SIMATIC Workspace/Workstation" application, under the "Workstation Configuration" tab, followed by a system restart.
4. **Migration for S7-PM:** Alternatively for affected S7-PM versions, consider migrating the STEP 7 project to the latest version of TIA Portal and uninstalling S7-PM.
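The following PowerShell script is an added example of workaround 1 for a Windows Defender Firewall host; it is not code from the Siemens advisory or the linked FAQ. The rule name, the description text and the addresses in `$TrustedEngineeringStations` (TEST-NET-1 placeholders) are assumptions; replace the addresses with the real Engineering Systems that must reach this server. It must be run in an elevated session on the server hosting STEP 7 or PCS 7.

```powershell
# Added example (not from SSA-968170 or the Siemens FAQ): restrict inbound 2638/tcp
# to trusted Engineering Systems with Windows Defender Firewall.
# Run in an elevated PowerShell session on the STEP 7 / PCS 7 server.

$DbPort = 2638
$TrustedEngineeringStations = @('192.0.2.10', '192.0.2.11')   # assumed placeholder addresses
$RuleName = 'SIMATIC DB 2638 - trusted Engineering Systems only'  # assumed rule name

# 1. Windows Firewall evaluates explicit Block rules before Allow rules, so a broad
#    Block on 2638 would also cut off the trusted stations. Rely on the profile's
#    default inbound action (Block, which is the Windows default) instead and make
#    sure it is in force on every profile.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 2. A pre-existing inbound Allow rule that also covers 2638/tcp (for example a
#    program rule for the database server executable, whose port filter is 'Any')
#    would still admit untrusted hosts. Report such rules so they are scoped or
#    disabled deliberately. Port ranges ("2000-3000") are not expanded here.
$Conflicting = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and ($_.LocalPort -eq $DbPort -or $_.LocalPort -eq 'Any') } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and
                   $_.Enabled -eq 'True' -and $_.DisplayName -ne $RuleName }
if ($Conflicting) {
    Write-Warning "Enabled inbound Allow rules that also reach $DbPort/tcp; review before relying on the scoped rule:"
    $Conflicting | Select-Object DisplayName, Profile, Group | Format-Table -AutoSize
}

# 3. Recreate the scoped Allow rule idempotently.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName `
    -Description 'SSA-968170 workaround: database port reachable only from trusted Engineering Systems' `
    -Direction Inbound -Protocol TCP -LocalPort $DbPort `
    -RemoteAddress $TrustedEngineeringStations -Action Allow -Profile Any -Enabled True

# 4. Verify that the rule carries the intended remote-address scope.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

The conflicting-rule audit is the part most often skipped: a product installer commonly adds a program-based Allow rule for its services, and such a rule admits any source address regardless of the scoped rule added here. If the host is managed by Group Policy, apply the equivalent rule in the policy instead, since local rules can be overridden by the domain policy.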
## Detection
- **Indicators of Compromise:** Child processes spawned by the database server process (a database engine normally spawns none); file access to local paths or network shares performed under the database service account; connections to port 2638/tcp on the server from hosts that are not Engineering Systems; database sessions on a server that has been set to "Single terminal system" mode.
- **Detection Methods and Tools:** Network monitoring of ingress traffic to port 2638/tcp from untrusted sources (firewall logs, NetFlow, or a network-monitoring sensor on the server segment); on the server itself, periodic inspection of the database listener's established connections and of the process tree beneath the database server process.
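The following PowerShell script is an added example of the host-side checks listed above; it is not code from the Siemens advisory. It defines three checks: which addresses the database service is bound to, established sessions on 2638/tcp from hosts outside the trusted list, and child processes of the database server process. The trusted addresses are assumed placeholders, and the connection records at the bottom are a constructed sample shaped like `Get-NetTCPConnection` output so the script runs offline; the commented lines at the end show the same calls on live data.

```powershell
# Added example (not from SSA-968170): host-side checks for the indicators above.

$DbPort = 2638
$TrustedEngineeringStations = @('192.0.2.10', '192.0.2.11')   # assumed placeholder addresses
$LoopbackAddresses = @('127.0.0.1', '::1')                      # local sessions are expected

function Find-UntrustedDbConnection {
    # Established sessions on $Port whose peer is neither a trusted Engineering System nor loopback.
    param(
        [Parameter(Mandatory)] [object[]] $Connections,
        [int] $Port = $DbPort,
        [string[]] $Trusted = $TrustedEngineeringStations
    )
    $Allowed = $Trusted + $LoopbackAddresses
    $Connections |
        Where-Object { $_.LocalPort -eq $Port -and "$($_.State)" -eq 'Established' } |
        Where-Object { $Allowed -notcontains $_.RemoteAddress } |
        ForEach-Object {
            [pscustomobject]@{
                Finding       = "untrusted client on $Port/tcp"
                RemoteAddress = $_.RemoteAddress
                RemotePort    = $_.RemotePort
                OwningProcess = $_.OwningProcess
            }
        }
}

function Get-DbListener {
    # Addresses the database service listens on; 0.0.0.0 or :: means every interface.
    param([Parameter(Mandatory)] [object[]] $Connections, [int] $Port = $DbPort)
    $Connections |
        Where-Object { $_.LocalPort -eq $Port -and "$($_.State)" -eq 'Listen' } |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

function Get-DbChildProcess {
    # Processes whose parent is the database server. A database engine normally has
    # none, so any entry (cmd.exe, powershell.exe, ...) deserves an immediate look.
    param([Parameter(Mandatory)] [int[]] $DbPid)
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $DbPid -contains $_.ParentProcessId } |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine, CreationDate
}

# Constructed sample shaped like Get-NetTCPConnection output (not captured data):
# a listener on all interfaces, one trusted client, one untrusted client on the
# database port, and an unrelated SMB session that must not be reported.
$Sample = @(
    [pscustomobject]@{ LocalAddress='0.0.0.0';  LocalPort=2638; RemoteAddress='0.0.0.0';      RemotePort=0;     State='Listen';      OwningProcess=4321 }
    [pscustomobject]@{ LocalAddress='10.0.0.5'; LocalPort=2638; RemoteAddress='192.0.2.10';   RemotePort=51000; State='Established'; OwningProcess=4321 }
    [pscustomobject]@{ LocalAddress='10.0.0.5'; LocalPort=2638; RemoteAddress='198.51.100.7'; RemotePort=40222; State='Established'; OwningProcess=4321 }
    [pscustomobject]@{ LocalAddress='10.0.0.5'; LocalPort=445;  RemoteAddress='198.51.100.7'; RemotePort=40223; State='Established'; OwningProcess=4 }
)

Get-DbListener -Connections $Sample | Format-Table -AutoSize
Find-UntrustedDbConnection -Connections $Sample | Format-Table -AutoSize

# Live run on the server (NetTCPIP module, Windows 8 / Server 2012 or later):
# $Live = Get-NetTCPConnection -LocalPort $DbPort -ErrorAction SilentlyContinue
# Get-DbListener -Connections $Live
# Find-UntrustedDbConnection -Connections $Live
# Get-DbChildProcess -DbPid (Get-DbListener -Connections $Live | Select-Object -ExpandProperty OwningProcess -Unique)
```

On the sample data only the 198.51.100.7 session is reported; the trusted client and the SMB session are filtered out. The child-process check is the most valuable of the three for this vulnerability class, because the advisory describes code execution through functions of the database itself, which would surface as a process whose parent is the database server rather than as a new service or scheduled task.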
## References
- Siemens Advisory: SSA-968170
- Siemens Operational Guidelines: hxxps://www.siemens.com/cert/operational-guidelines-industrial-security
- FAQ on Workarounds: hxxps://support.industry.siemens.com/cs/ww/en/view/109821340/