Siemens SIMATIC WinCC / PCS 7 Multiple Vulnerabilities
Release Date: 2013-03-18
Last Update : 2013-03-29
Criticality level : Highly critical
Impact : Security Bypass
Exposure of sensitive information
Where : From remote
Solution Status: Vendor Patch
RegReader ActiveX Control
Siemens SIMATIC PCS 7 7.x
Siemens SIMATIC WinCC 7.x
A security issue and multiple vulnerabilities have been reported in Siemens SIMATIC WinCC and PCS 7, which can be exploited by malicious users to bypass certain security restrictions and by malicious people to disclose certain sensitive data, cause a DoS (Denial of Service), and potentially compromise a user's system.
1) The application does not properly restrict users access to the embedded MS SQL database, which can be exploited to e.g. gain knowledge of otherwise restricted password fields.
2) Input passed via unspecified URL parameters is not properly sanitised before being used to read files. This can be exploited to disclose contents of arbitrary files via directory traversal sequences.
3) An unspecified error in the RegReader ActiveX control can be exploited to cause a buffer overflow.
Successful exploitation of this vulnerability may allow execution of arbitrary code.
4) An error when parsing project files can be exploited to e.g. disclose certain sensitive data or cause a DoS (Denial of Service) by tricking a user into opening a specially crafted project file.
5) An error when handling certain network packets in the WinCC central communications component (CCEServer) can be exploited to cause a buffer overflow and trigger a DoS condition.
The security issue and the vulnerabilities are reported in the following products:
* Siemens SIMATIC WinCC 7.0 SP3 Update1 and prior.
* Siemens SIMATIC PCS 7 versions prior to 8.0 SP1.
Provided and/or discovered by:
1-4) Gleb Gritsai, Sergey Bobrov, Roman Ilin, Artem Chaykin, Timur Yunusov, Ilya Karpov, Alexey Osipov, Sergey Gordeychik, and Dmitry Nagibin, Positive Technologies.
5) Reported by the vendor.
Was this reply helpful? (0) (0)