Siemens security updates – July 2016

Number: AV16-122
Date: July 28, 2016

Purpose

The purpose of this advisory is to bring attention to security updates released by Siemens for SIMATIC NET PC-Software, PCS 7, WinCC and WinCC Runtime Professional.

Assessment

Siemens released security updates for SIMATIC NET PC-Software, PCS 7, WinCC and WinCC Runtime Professional to address multiple vulnerabilities. A remote attacker could potentially exploit these vulnerabilities to perform arbitrary code execution or create denial of service conditions.

Affected versions:
SIMATIC NET PC-Software prior to V13 SP2
SIMATIC PCS v7.1 SP4 and earlier versions
SIMATIC PCS v8.0
SIMATIC PCS v8.1
SIMATIC PCS v8.2
SIMATIC WinCC v7.0 SP 2 and earlier versions
SIMATIC WinCC v7.0 SP 3
SIMATIC WinCC v7.2
SIMATIC WinCC v7.3 prior to Update 10
SIMATIC WinCC v7.4 prior to Update 1
SIMATIC WinCC Runtime Professional prior to v13 SP 1 Update 9

CVE References: CVE-2016-5743, CVE-2016-5744, CVE-2016-5874

Suggested action

CCIRC recommends that system administrators test and deploy the vendor-released updates to affected applications accordingly. For more information, please refer to the ICS-CERT references.

References

SIEMENS Security Advisory SSA-378531:
http://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-378531.pdf

ICS-CERT Advisory (ICSA-16-208-01):
https://ics-cert.us-cert.gov/advisories/ICSA-16-208-01

ICS-CERT Advisory (ICSA-16-208-02):
https://ics-cert.us-cert.gov/advisories/ICSA-16-208-02
