Number: AV16-122
Date: July 28, 2016
Purpose
The purpose of this advisory is to bring attention to a security update released by Siemens for SIMATIC NET PC-Software, PCS 7, WinCC and WinCC Runtime Professional.
Assessment
Siemens released security updates for SIMATIC NET PC-Software, PCS 7, WinCC and WinCC Runtime Professional to address multiple vulnerabilities. A remote attacker could potentially exploit these vulnerabilities to perform arbitrary code execution or create denial of service conditions.
Affected versions:
SIMATIC NET PC-Software prior to V13 SP2
SIMATIC PCS v7.1 SP4 and earlier versions
SIMATIC PCS v8.0
SIMATIC PCS v8.1
SIMATIC PCS v8.2
SIMATIC WinCC v7.0 SP 2 and earlier versions
SIMATIC WinCC v7.0 SP 3
SIMATIC WinCC v7.2
SIMATIC WinCC v7.3 prior to Update 10
SIMATIC WinCC v7.4 prior to Update 1
SIMATIC WinCC Runtime Professional prior to v13 SP 1 Update 9
CVE References: CVE-2016-5743, CVE-2016-5744, CVE-2016-5874
Suggested action
CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly. For more information, please refer to the ICS-CERT references.
References
SIEMENS Security Advisory SSA-378531:
http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-378531.pdf
ICS-CERT Advisory (ICSA-16-208-01):
https://ics-cert.us-cert.gov/advisories/ICSA-16-208-01
ICS-CERT Advisory (ICSA-16-208-02):
https://ics-cert.us-cert.gov/advisories/ICSA-16-208-02