Description Preview
Overview
The vulnerability affects multiple Siemens industrial automation products, specifically:
- SIMATIC PCS 7 V8.2 and earlier (All versions)
- SIMATIC PCS 7 V9.X (All versions < V9.1 SP2)
- SIMATIC PDM (All versions < V9.2 SP2)
- SIMATIC STEP 7 V5.X (All versions < V5.7)
- SINAMICS STARTER (containing STEP 7 OEM version) (All versions < V5.4 SP2 HF1)
The core issue is that a directory containing configuration metafiles has incorrect write permissions, allowing unauthorized modification of these files. If exploited, an attacker could alter device parameters or change the behavior of industrial devices when they are configured using the affected software. This vulnerability could potentially impact the integrity and reliability of industrial control systems, leading to unexpected behavior or operational disruptions in industrial environments.
Remediation
To mitigate this vulnerability, Siemens recommends the following actions:
- Update to the latest software versions:
  - SIMATIC PCS 7: Update to V9.1 SP2 or later
  - SIMATIC PDM: Update to V9.2 SP2 or later
  - SIMATIC STEP 7 V5.X: Update to V5.7 or later
  - SINAMICS STARTER: Update to V5.4 SP2 HF1 or later
- If immediate updates are not possible:
  - Restrict access to the affected systems to trusted personnel only
  - Implement network segmentation to isolate the affected systems
  - Monitor for any unauthorized changes to configuration files
  - Follow defense-in-depth security practices for industrial control systems
- Review the Siemens Security Advisory SSA-661034 for detailed patching instructions and additional mitigation strategies.
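The following added example (not from Siemens or the original page) audits a directory's ACL for the condition described in the overview: write access held by principals that should not have it. It parses the text output of the Windows `icacls` command. The directory path is a placeholder because the page does not name the affected directory, the trusted-principal list is an assumption, and the sample output is constructed.

```python
import re

# icacls abbreviations that allow creating, changing or deleting content
WRITE_RIGHTS = {"F", "M", "W", "WD", "AD", "WA", "WEA", "DC", "D",
                "WDAC", "WO", "GA", "GW"}
INHERIT_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# Assumption: only these principals should hold write access (adjust per site)
TRUSTED = {"NT AUTHORITY\\SYSTEM", "BUILTIN\\ADMINISTRATORS"}
ACE_RE = re.compile(r"^(?P<who>.+?):(?P<flags>(?:\([^)]*\))+)$")

def parse_icacls(output, path):
    """Return (principal, is_deny, rights) for each ACE in `icacls <path>` output."""
    aces = []
    for line in output.splitlines():
        if line.startswith(path):   # the first ACE shares a line with the path
            line = line[len(path):]
        m = ACE_RE.match(line.strip())
        if not m:                   # blank line or the "Successfully processed" footer
            continue
        tokens = re.findall(r"\(([^)]*)\)", m.group("flags"))
        rights = set()
        for tok in tokens:
            if tok not in INHERIT_FLAGS and tok != "DENY":
                rights.update(r.strip() for r in tok.split(","))
        aces.append((m.group("who"), "DENY" in tokens, rights))
    return aces

def risky_aces(output, path, trusted=TRUSTED):
    """List (principal, write rights) for allow ACEs held by untrusted principals."""
    findings = []
    for who, is_deny, rights in parse_icacls(output, path):
        writable = sorted(rights & WRITE_RIGHTS)
        if writable and not is_deny and who.upper() not in trusted:
            findings.append((who, writable))
    return findings

# Constructed sample; the path is a placeholder, not the product's real directory
SAMPLE_PATH = r"C:\ExampleVendor\MetaFiles"
SAMPLE_OUTPUT = r"""C:\ExampleVendor\MetaFiles BUILTIN\Users:(OI)(CI)(M)
                           NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                           BUILTIN\Administrators:(OI)(CI)(F)
                           Everyone:(OI)(CI)(RX,WD)
                           NT AUTHORITY\Authenticated Users:(I)(RX)

Successfully processed 1 files; Failed processing 0 files
"""

if __name__ == "__main__":
    for who, rights in risky_aces(SAMPLE_OUTPUT, SAMPLE_PATH):
        print(f"{who}: {','.join(rights)}")
```

Running the same check on a schedule and comparing the findings against a reviewed baseline also covers the "monitor for unauthorized changes" mitigation for the directory's permissions.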
References
- Siemens Security Advisory SSA-661034: https://cert-portal.siemens.com/productcert/pdf/ssa-661034.pdf
- MITRE CVE-2021-31894: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31894
- Siemens ProductCERT: https://cert-portal.siemens.com/productcert/
Industry Exposure
Most to least
This section illustrates the prevalence of a specific Common Vulnerabilities and Exposures (CVE) across various industries based on customer reports. The ranking displays industries from the most to least affected by this particular vulnerability, offering valuable insight into where this CVE has been most frequently observed. This information can help organizations within these sectors prioritize their security efforts, understand their relative risk exposure compared to their peers, and focus remediation strategies where they are most needed. By understanding the industry-specific impact, organizations can make more informed decisions regarding patching, resource allocation, and overall risk management related to this CVE.
- Manufacturing
- Health Care & Social Assistance
- Professional, Scientific, & Technical Services
- Accommodation & Food Services
- Administrative, Support, Waste Management & Remediation Services
- Agriculture, Forestry Fishing & Hunting
- Arts, Entertainment & Recreation
- Construction
- Educational Services
- Finance and Insurance
- Information
- Management of Companies & Enterprises
- Mining
- Other Services (except Public Administration)
- Public Administration
- Real Estate Rental & Leasing
- Retail Trade
- Transportation & Warehousing
- Utilities
- Wholesale Trade