Description
A vulnerability has been identified in SIMATIC NET PC Software V14 (All versions), SIMATIC NET PC Software V15 (All versions), SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions), SIMATIC WinCC (All versions < V8.0), SINAUT Software ST7sc (All versions). Before SIMATIC WinCC V8, legacy OPC services (OPC DA (Data Access), OPC HDA (Historical Data Access), and OPC AE (Alarms & Events)) were used per default. These services were designed on top of the Windows ActiveX and DCOM mechanisms and do not implement state-of-the-art security mechanisms for authentication and encryption of contents.
CVSS breakdown
CVSS 3.1
Attack Vector
Adjacent
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low
E
Physical
RL
O
RC
Changed
Affected products
- Siemens / SIMATIC NET PC Software V14All versions – All versions
- Siemens / SIMATIC NET PC Software V15All versions – All versions
- Siemens / SIMATIC PCS 7 V8.2All versions – All versions
- Siemens / SIMATIC PCS 7 V9.0All versions – All versions
- Siemens / SIMATIC PCS 7 V9.1All versions – All versions
- Siemens / SIMATIC WinCCAll versions < V8.0 – All versions < V8.0
- Siemens / SINAUT Software ST7scAll versions – All versions