CVE-2019-10935 in SIMATIC PCS 7
Summary
by MITRE
A vulnerability has been identified in SIMATIC PCS 7 V8.0 and earlier (All versions), SIMATIC PCS 7 V8.1 (All versions), SIMATIC PCS 7 V8.2 (All versions < V8.2 SP1 with WinCC V7.4 SP1 Upd11), SIMATIC PCS 7 V9.0 (All versions < V9.0 SP2 with WinCC V7.4 SP1 Upd11), SIMATIC WinCC Professional (TIA Portal V13) (All versions), SIMATIC WinCC Professional (TIA Portal V14) (All versions), SIMATIC WinCC Professional (TIA Portal V15) (All versions), SIMATIC WinCC Runtime Professional V13 (All versions), SIMATIC WinCC Runtime Professional V14 (All versions), SIMATIC WinCC Runtime Professional V15 (All versions), SIMATIC WinCC V7.2 and earlier (All versions), SIMATIC WinCC V7.3 (All versions), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Upd 11), SIMATIC WinCC V7.5 (All versions < V7.5 Upd 3). The SIMATIC WinCC DataMonitor web application of the affected products allows the upload of arbitrary ASPX code. The security vulnerability could be exploited by an authenticated attacker with network access to the WinCC DataMonitor application. No user interaction is required to exploit this vulnerability. The vulnerability impacts confidentiality, integrity, and availability of the affected device. At the stage of publishing this security advisory no public exploitation is known.
Analysis
by VulDB Data Team • 10/26/2023
This vulnerability resides in the SIMATIC WinCC DataMonitor web application component of Siemens industrial automation software and affects multiple versions of PCS 7 and WinCC products across several TIA Portal versions. The flaw is a critical path traversal and code execution vulnerability that lets an authenticated attacker with network access upload arbitrary ASPX code directly to the web server. This is a fundamental failure of input validation and file upload restriction in the web application layer, and it creates an attack surface that can yield remote code execution on the affected systems. Because a broad range of Siemens industrial control systems rely on the WinCC platform for monitoring and control, the issue is particularly concerning for operational technology environments.
The technical exploitation of this vulnerability occurs through the DataMonitor web application's file upload functionality, which lacks proper validation of uploaded files. An authenticated attacker can leverage this weakness to upload malicious ASPX web shell files that execute arbitrary code on the target system with the privileges of the web application process. This type of vulnerability aligns with CWE-434, which describes insecure file upload vulnerabilities where applications accept files without proper validation, and falls under the ATT&CK technique T1190 for Exploit Public-Facing Application. The lack of user interaction requirement makes this particularly dangerous as attackers can exploit the vulnerability without needing to deceive users through social engineering or other indirect methods, directly targeting the web application interface.
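The defensive counterpart to the CWE-434 weakness described above is an upload handler that refuses anything the web server could execute. The following Python validator is an added example written for this page; it is not code from Siemens, WinCC DataMonitor or VulDB, and the allowlisted types (PNG, PDF, CSV), the size bound and the stored-name scheme are assumptions chosen to illustrate the checks. It inspects every extension in the filename chain (so `trend.aspx.png` is rejected along with `shell.aspx`), strips client-supplied path components, verifies that the content matches the claimed type, and stores the file under a server-chosen name.

```python
"""Hardened file-upload validation (added example; not WinCC/DataMonitor code)."""
import os
import posixpath
import re
from dataclasses import dataclass

# Extensions that IIS/ASP.NET would execute or treat as configuration. Any
# appearance anywhere in the name chain (e.g. "report.aspx.png") is rejected.
SERVER_EXECUTABLE = {
    ".aspx", ".asp", ".ashx", ".asmx", ".asax", ".ascx", ".cshtml", ".vbhtml",
    ".config", ".dll", ".exe", ".ps1", ".bat", ".cmd", ".php", ".jsp",
}

# Assumed allowlist for this example: final extension -> expected magic bytes
# (None marks a text type that is checked separately).
ALLOWED = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".pdf": b"%PDF-",
    ".csv": None,
}

# Conservative filename grammar: alphanumeric start, then [A-Za-z0-9._-], max 100 chars.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,99}$")


@dataclass
class Verdict:
    accepted: bool
    reason: str
    stored_name: str = ""


def validate_upload(filename: str, content: bytes, max_bytes: int = 5_000_000) -> Verdict:
    """Return a Verdict for a client-supplied filename and its raw bytes."""
    # 1. Discard any client-supplied path (either separator) and odd names.
    base = posixpath.basename(filename.replace("\\", "/"))
    if base in ("", ".", "..") or not _SAFE_NAME.match(base):
        return Verdict(False, "invalid filename")

    # 2. Inspect every extension in the chain, not only the last one.
    parts = base.lower().split(".")
    exts = ["." + p for p in parts[1:]]
    if any(e in SERVER_EXECUTABLE for e in exts):
        return Verdict(False, "server-executable extension")

    # 3. Allowlist the final extension (a name without any extension is refused).
    final = exts[-1] if exts else ""
    if final not in ALLOWED:
        return Verdict(False, "extension not in allowlist")

    # 4. Bound the size and refuse empty payloads.
    if not content:
        return Verdict(False, "empty file")
    if len(content) > max_bytes:
        return Verdict(False, "too large")

    # 5. The content must match the type the extension claims.
    magic = ALLOWED[final]
    if magic is not None:
        if not content.startswith(magic):
            return Verdict(False, "content does not match extension")
    else:
        # Text types must be valid UTF-8 and free of ASP.NET/script markup; the
        # markup check is a cheap tripwire for web-shell content smuggled under
        # a harmless-looking text extension.
        try:
            text = content.decode("utf-8")
        except UnicodeDecodeError:
            return Verdict(False, "text type with non-UTF-8 content")
        if "<%" in text or "<script" in text.lower():
            return Verdict(False, "script markup in text upload")

    # 6. Never store under the user's name: a server-chosen, non-executable name.
    stored = f"upload-{os.urandom(8).hex()}{final}"
    return Verdict(True, "ok", stored)
```

The stored file should additionally live in a directory for which script execution is disabled in IIS, so that even a validator bug does not turn an uploaded file into an executable page.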
The operational impact of this vulnerability extends beyond code execution to the confidentiality, integrity, and availability of industrial control systems. Attackers could gain persistent access to critical infrastructure monitoring systems, manipulate control data, exfiltrate sensitive operational information, or disrupt availability through denial of service or data corruption. The affected products span multiple versions of Siemens' industrial automation software, which suggests a shared architectural issue rather than a single isolated defect. Organizations using these systems face risks to their operational technology infrastructure, potentially affecting production processes, safety systems, and overall industrial control operations. The vulnerability's presence in both development and runtime environments means that both system administrators and end users could be at risk, creating a broad attack surface that could impact critical manufacturing and process control operations.
Organizations should implement immediate mitigations including restricting network access to the WinCC DataMonitor application, implementing proper authentication controls, and applying available vendor patches. The vulnerability requires authentication, so strengthening authentication mechanisms and limiting access to authorized personnel only can significantly reduce risk exposure. Network segmentation should be implemented to isolate the affected applications from general network access, while monitoring for suspicious file upload activities and anomalous web application behavior should be enabled. Regular security assessments of industrial control systems should be conducted to identify similar vulnerabilities in other components of the automation infrastructure. Given the nature of industrial environments, organizations should also consider implementing application whitelisting and file integrity monitoring solutions to detect unauthorized code execution attempts. The vulnerability's impact on multiple TIA Portal versions indicates that comprehensive patch management strategies should be implemented across all affected systems to ensure complete protection against this and similar threats.
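The monitoring recommended above, applied to web server logs, is shown in the following Python example. It is an added example written for this page, not code or a detection rule from Siemens, WinCC DataMonitor or VulDB; the IIS W3C log lines are constructed, and the `/DataMonitor/...` paths, the upload endpoint name and the baseline of known pages are assumptions (a real deployment would build the baseline from the installed application directory). The logic raises a medium alert for any request to a server-side script that is not in the baseline, and a high alert when that request follows a successful POST to the upload endpoint from the same client within a time window, or when the upload request itself names a file with a server-executable extension.

```python
"""Detect web-shell style activity in IIS W3C logs (added example; constructed data)."""
from datetime import datetime

# Server-side script extensions whose unexpected appearance warrants an alert.
SCRIPT_EXT = (".aspx", ".ashx", ".asmx", ".asp", ".cshtml")

# Assumed baseline of legitimate pages (lower-cased); hypothetical paths.
KNOWN_PAGES = {
    "/datamonitor/login.aspx",
    "/datamonitor/upload.aspx",
    "/datamonitor/trends.aspx",
}

# Assumed upload handler path; hypothetical, not a documented DataMonitor URL.
UPLOAD_ENDPOINTS = {"/datamonitor/upload.aspx"}

# Constructed sample log in IIS W3C extended format.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2023-10-26 08:00:01 10.0.0.5 GET /DataMonitor/Login.aspx - 200
2023-10-26 08:00:09 10.0.0.5 GET /DataMonitor/Trends.aspx - 200
2023-10-26 08:05:12 10.0.0.9 POST /DataMonitor/Upload.aspx name=cmd.aspx 200
2023-10-26 08:05:20 10.0.0.9 GET /DataMonitor/Uploads/cmd.aspx - 200
2023-10-26 09:30:00 10.0.0.7 GET /DataMonitor/Reports/old.aspx - 404
"""


def parse_w3c(lines):
    """Yield one dict per record, using the most recent '#Fields:' header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        vals = line.split(" ")
        if fields is None or len(vals) != len(fields):
            continue  # skip malformed records rather than guessing
        yield dict(zip(fields, vals))


def analyze(lines, window_s=600):
    """Return a list of (severity, client_ip, message) tuples."""
    alerts = []
    last_upload = {}  # c-ip -> time of last successful POST to an upload endpoint
    for rec in parse_w3c(lines):
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        ip, method = rec["c-ip"], rec["cs-method"]
        stem = rec["cs-uri-stem"].lower()
        query = rec["cs-uri-query"].lower()
        status = rec["sc-status"]

        if method == "POST" and stem in UPLOAD_ENDPOINTS and status.startswith("2"):
            last_upload[ip] = ts
            # The upload request itself names a file with a script extension.
            if any(e in query for e in SCRIPT_EXT):
                alerts.append(("HIGH", ip,
                               f"upload request names a script file: {rec['cs-uri-query']}"))

        if stem.endswith(SCRIPT_EXT) and stem not in KNOWN_PAGES:
            sev = "MEDIUM"
            prev = last_upload.get(ip)
            if prev is not None and 0 <= (ts - prev).total_seconds() <= window_s:
                sev = "HIGH"  # unknown script requested shortly after an upload
            alerts.append((sev, ip,
                           f"request for unknown server-side script {rec['cs-uri-stem']}"))
    return alerts


if __name__ == "__main__":
    for sev, ip, msg in analyze(SAMPLE_LOG.splitlines()):
        print(f"[{sev}] {ip}: {msg}")
```

Pair this log-based detection with file integrity monitoring on the web root: a new `.aspx` file appearing outside a deployment window is the same event seen from the file system side, and the two sources corroborate each other.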