More than two months after the original advisory went out, Siemens has released patches for a pair of critical vulnerabilities in some versions of its Simatic WinCC SCADA product that remained vulnerable.
Both of the vulnerabilities are remotely exploitable and have potentially damaging consequences for companies running affected versions of the product. One of the flaws allows attackers to execute arbitrary code and the other enables them to download files from the WinCC server.
“A component within WinCC could allow remote code execution for unauthenticated users if specially crafted packets are sent to the WinCC server,” the advisory from Siemens says.
WinCC is a SCADA server system that’s designed to run in a variety of critical environments, including energy, water, food and agriculture and chemical facilities. Siemens in November released patches for this vulnerability and one other in some versions of WinCC and two other affected products, the TIA Portal and PCS 7. However, some versions of WinCC and the other two components had not yet been patched.
Exploits for these vulnerabilities have been in circulation for several months and ICS-CERT warned in the fall that they were being used in an attack campaign targeting vulnerable installations.
The versions patched in the latest release include:
SIMATIC WinCC:
V7.0 SP3 and earlier versions
V7.2: All versions < V7.2 Update 9 o V7.3: All versions < V7.3 Update 2
SIMATIC PCS 7 (as WinCC is incorporated):
V7.1 SP4 and earlier versions
V8.0: All versions < V8.0 SP2 with WinCC V7.2 Update 9 o V8.1: All versions with WinCC V7.3 < Update 2
TIA Portal V13 (including WinCC Professional Runtime): All versions < V13 Update 6
The second vulnerability fixed in this release allows attackers to gain access to random files on the target systems.
“A component within WinCC could allow unauthenticated users to extract arbitrary files from the WinCC server if specially crafted packets are sent to the server,” the advisory says.