Siemens TIA Portal Insecure File Permissions · 2020-06-11 · • TIA Portal v14: All versions • TIA Portal v15: All versions prior to v15.1 Update 4 • TIA Portal v16: All versions

Siemens TIA Portal Insecure File Permissions Author: William Knowles

Release Date: 20 April 2020

AR2020004 Industrial Security Advisory

Copyright notice Copyright © 2020 by Applied Risk BV. All rights reserved.

Overview A vulnerability was identified within Siemens Totally Integrated Automation (TIA) Portal, which

would allow an attacker to modify the system-wide configuration, and subsequently elevate their privileges. This vulnerability arose through insecure file permissions.

Affected products The following versions were affected:

• TIA Portal v14: All versions

• TIA Portal v15: All versions prior to v15.1 Update 4

• TIA Portal v16: All versions

Impact An attacker with access to the underlying operating system as a low privileged user could abuse the weak permissions for a multitude of damaging effects. Most notably this would allow an attacker to force a service to load an arbitrary DLL, which would grant them full administrative control over the host.

Background Siemens TIA is used for the programming of a multitude of industrial devices, including Programmable Logic Controllers (PLCs) and Human Machine Interfaces (HMIs).

Vulnerability details Insecure File Permissions

Files relating to the system-wide Siemens TIA Portal configuration could be modified by low privileged users.

Applied Risk has calculated a CVSSv3 score of 7.8 for this vulnerability. The CVSS vector

string is AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

Mitigation Siemens recommends installing the following software update to address this vulnerability:

• TIA Portal V15: Update to v15.1 Update 4

Siemens has also identified the following specific workarounds and mitigations users can apply to reduce the risk:

• Remove write permissions for every non-administrative user on files and folders located below the “TraceEngine” folder (usually located at

“C:\ProgramData\Siemens\Automation”).

References Vendor website: https://new.siemens.com/global/en.html

Product page: https://new.siemens.com/global/en/products/automation/industry-software/automation-software/tia-portal.html

ICS-CERT Disclosure: https://www.us-cert.gov/ics/advisories/icsa-20-014-05

Contact details

For any questions related to this report, please contact Applied Risk Research team at:

Email: [email protected]

PGP Public Key:

-----BEGIN PGP PUBLIC KEY BLOCK----- mQINBF60 58BEAC7QCOrYGBb cxL6 uG8IViZUIbBhTZaMHgWVniCk6iKCQlkXMu

IX12bVAoCfp1 XbIZAZaXo5GrlK2yGtgyd11lQKHYx0TxnX52eKkmsW/fRzgNg/M YXtNb7UDB6IqAPAASwdME5ljfvkhVRhuVbvp//W8dJlJntbXf1kNKzaRdNbj7js5

c9TdSplYepTUkoICPLXC5Ewdzt0keG65Wh5Ia5dApUOzeHOXy61mUUxp2gutg2tb KAr

oT2s5Lg9Drte1YVvuVrCdx9qQVkG DS5 YA7NCK7R30okNFyQjv0njP1o52X VxODdQDN0N7fbi3PxY3jf2rR aFK8HDTlEWLwzxF4IsSUyBi8Ay lRgiqdrpJZUp

qZp/PsF5IotGFlAkQ5uGRaXQiSIZimt41EqmERBF8kI5eGfr0 fxNz381fo 49tT nHbg83b3uO3b CMxbnETwCqz28gW7 T/luC sPrXEWf0xTkCxx6s/eKx8c5CeNU4

naW3K26BqxxnZx8ivnR4K26s49t22qN6ytVa97AKn4lWUhylZLpuPnyny8BxgdLq WisfHPkCMqAqd3aFFl7ojec5C6vo2itjQndu1t9WvxHBYPhdfCsFzaskwC785l8G

2ODFPtB/qqgRGHi7oasTWTMZqiBCDnHFHI0pBcE6V2vhsROOQ9a7fVslnwARAQAB tDZBcHBsaWVkIFJpc2sgUmVzZWFyY2ggVGVhbSA8cmVzZWFyY2hAYXBwbGllZC1y

aXNrLmNvbT6JAlQEEwEIAD4WIQTjnAO548Ik5yBy0GjU5ufLpgaBRAUCXrT7nwIb AwUJB4YfgAULCQgHAgYVCgkICwIEFgIDAQIeAQIXgAAKCRDU5ufLpgaBRPGSD/sF

KZX1ORVEAtDAf40O PACb4sx7PB 9gy JPxYzSIg1uux1icVyWLtNMxkOmlPWRGm

fQJgl0Xu38p9 1QILX9qnzw4Av9GsjRjKIOVY9z8J/vhZUy15WkHa3 vMjNHOaW3 s9NAr HCBnHAxPDWSyRpdqKwvOrrAHN6PI5vZl/Y7YR3dMtZcjHNPEgrN0hBnzK1

p4w85XPCzp1MNSQZAetQ/qrosAuX236ZzO0MCvoIank0p2ecukWDFiyqk3tKA3Nj LjGK9K/Ek7Mfn693EsHg6I/K5lLwxXaUvhEFUBT0P0zvCiKH GKCi6atE 4S3QfN

wVBXM2XXT0K8BMQBEizkjOhrHPtE/x8IKsao Qd/IqT8/hiPEoH7Sq5D3tDXK5wt GmYX2yDTBHImdJQXS4c5u1mYsfaiAFrAfK6MwjutRPdBjl1m4UQyFwyYISdNpTRn

Hv2j9chhNS4 eMah0a0huZK/sjuQx6WUqGKVvcbpgT1RfioREXwr6MXclOZ3T z0 c2yisOrDeEMPC61Gqx9Es0SABiTT838mDVZ7ZxtxzvvITWaNVEfSlFYG6Dg3hv3j

IFeKb2O7kGpH8Qx9wRTjE8ce1e4LWAfbV2AyfESUCfGTl3NAxYADwQ6C4c0bhcMK S8fZ bEo5TMnLnWeXz2Jy1IY 2h3nKSwBVjV lbAaLkCDQRetPufARAAy3F4JnkE T36/ntHR

/7Eml1qZxKse9lnsecd7uUtMIauU1DDVbSqMTW738GmNwlzbLTTp5yU

0C7X4ChwubVupX8B5Lu3PcAX3u9I/nk77j Vi2 5zU4QWXaD1nq1Htzos866HHzl L79dRawp0bgYD8QVPDRD8nW4yXnYQ/TNeLlKV8GGHN5sSh4jdvWRe S1ShKD5JaK

8EAJm7zdG1RphckrpgGzYOAKIBh2hTirnPH2VPYZxxGjPh0q16DWkUWE0YG8RD9l 99PNvx9FuPZ8SSRKGlxbbzldtr6XrTKfORi1iKAip3scNiahF4AMcJYWjOVetRbN

eJUwCmCWzwOnHyKGuFn3GTPgjS17wAk1ZTtRx4aaBjvy37sxTtmAzgcnfP27JEtN VQTBVKmIoICwXW2QnXLM/gsZzyeKd4mPUJHl2xmDc u2IklMycUNaFszahCszMXD

eGFnEmdZBxQkg7Ftxsqa1 Yn2IV PUoZm6uKGdRKokx7c98xnYEDVEiLLa5zCfF pdYFrXw0XSppgNocT36V01f6e7KlNbTMfeFMBbjcWtX6dtckFtyhDWg871jLFEQX

3liZmAcyn6pKJYdSgsgcy2vtI4rvDOZlxPGYtJ/gG/mlAOW45AHDnAKIcUnebmM4 W146XUc1KS0MtZRiubjsQHuh sMQrjfaj2cAEQEAAYkCPAQYAQgAJhYhBOOcA7nj

wiTnIHLQaNTm58umBoFEBQJetPufAhsMBQkHhh AAAoJENTm58umBoFE2oIP/2cC

quMsxrnuVrBEBe Xn6c6LtX/QGhIIY 3n4mIav7mBFJgM/U 5Qzzr9Gq3G3u8nJI cobx6wjayll00UJJ5OMgBK8/WrJX6M6vxZDe4UOn5SUJ0XSxGcqmK0aVpLq3gtuT QHco

RqixB4Sa4Q97xY0YY24boYY3Ff35tfmIbxzIWsUnhTodUxPaxGH9z1etZXb S/k9d9IfvDk4ef/uUS ICFsCAgrQJU82OZC/SN3RUnCPqu0Y3Ws6NP9qox9hdHl/

ID/ShqwBqpBQigOEQY/kiTZZoizQ9lD561ycr5e8X0CWLHdV7PKawt86PD2Kt70g PNKt65G9reYUArob1nk P4fSuPkZUAW2OUyTCaJsenNfsfyj5LH/Xt98CucB3VtX

g1AZf8sIypymLeI08EppN 8XXO29MaaDAH/VH9KlM9XenYZToBNL03r2OuRx5 W M74IQ4IrzrfO523f quzPNZRwGYAtM8vz6AyMPAs4TJI2NBSLuMcsEWC63BogUdn

eOb7JvoJRQddKhLcxEKO/mzoR2U/BcGlmT RoN0l4UUNvl8ED0uoKo1lId3hOq3A 1EPlVaptdeTqtm0r7c4Ppf22keOxd/2fZpJYAvdj2H 0s GDqWdErpZPT37QNvzU

U9bSu1uC/ByQhMhi3b8KWx2c37Hq9DCDK8pyQxSQ =f5ps

-----END PGP PUBLIC KEY BLOCK-----

Documents

Siemens TIA Portal Insecure File Permissions · 2020-06-11 · • TIA Portal v14: All versions • TIA Portal v15: All versions prior to v15.1 Update 4 • TIA Portal v16: All versions