Full Report
Multiple versions of SIMATIC WinCC and SIMATIC PCS 7 do not properly handle certain requests to their web application (WinCC WebNavigator, PCS 7 Web Server, and PCS 7 Web Diagnostics Server), which may lead to the leak of privileged information. This could allow an unauthenticated remote attacker to retrieve information such as users and passwords. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Information Disclosure in SIMATIC WinCC and PCS 7
## CVE Details
- **CVE ID:** CVE-2024-30321
- **CVSS Score:** 5.9 (Medium) via CVSS v3.1 / 8.2 (High) via CVSS v4.0
- **CWE:** CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
## Affected Systems
- **Products:**
  - SIMATIC PCS 7 (including Web Server and Web Diagnostics Server)
  - SIMATIC WinCC (V7/V8 and WebNavigator)
  - SIMATIC WinCC Runtime Professional
- **Versions:**
  - SIMATIC PCS 7 V9.1: All versions < V9.1 SP2 UC05
  - SIMATIC WinCC Runtime Professional V18: All versions < V18 Update 5
  - SIMATIC WinCC Runtime Professional V19: All versions < V19 Update 2
  - SIMATIC WinCC V7.4: All versions < V7.4 SP1 Update 23
  - SIMATIC WinCC V7.5: All versions < V7.5 SP2 Update 17
  - SIMATIC WinCC V8.0: All versions < V8.0 Update 5
- **Configurations:** Systems utilizing the web application components (e.g., WinCC WebNavigator).
## Vulnerability Description
Affected products fail to properly handle specific requests directed at their integrated web applications. This improper handling is an information disclosure flaw through which the application may leak privileged data. Exploiting the flaw allows unauthorized retrieval of sensitive credentials, including usernames and passwords.
## Exploitation
- **Status:** No reports of exploitation in the wild at this time; no public PoC currently cited in the advisory.
- **Complexity:** Low (CVSS v4.0) / High (CVSS v3.1)
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Retrieval of users and passwords)
- **Integrity:** None
- **Availability:** None
## Remediation
### Patches
Siemens recommends updating affected products to the following versions or later:
- **SIMATIC PCS 7 V9.1:** Update to V9.1 SP2 UC05
- **SIMATIC WinCC Runtime Professional V18:** Update to V18 Update 5
- **SIMATIC WinCC Runtime Professional V19:** Update to V19 Update 2
- **SIMATIC WinCC V7.4:** Update to V7.4 SP1 Update 23
- **SIMATIC WinCC V7.5:** Update to V7.5 SP2 Update 17
- **SIMATIC WinCC V8.0:** Update to V8.0 Update 5
### Workarounds
- **Restrict Access:** Limit access to the application web server to trusted users and known IP addresses only.
- **Environment Hardening:** Follow Siemens’ operational guidelines for Industrial Security and ensure the web server is not exposed to untrusted networks.
## Detection
- **Indicators of Compromise:** Unusual or unauthorized HTTP requests directed at the WinCC WebNavigator or PCS 7 Web Server endpoints.
- **Detection Methods:** Monitor web server logs for irregular request patterns or access from unexpected remote locations.
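
One way to apply the log-monitoring advice above together with the "known IP addresses" workaround, as an added example that is not part of the Siemens advisory: the script reads web server access logs and reports every request whose source address lies outside the trusted networks. It assumes the logs are in W3C extended format with a `#Fields:` directive; the function name `untrusted_requests`, the trusted subnet, the placeholder URIs and all sample log lines are constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample in W3C extended log format (assumed, not from the
# advisory). URIs are placeholders, not real WebNavigator paths.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2024-06-11 08:01:12 10.10.20.15 GET /placeholder/start.asp 200
2024-06-11 08:01:40 203.0.113.7 GET /placeholder/start.asp 200
2024-06-11 08:01:41 203.0.113.7 POST /placeholder/other.asp 500
2024-06-11 08:02:03 10.10.20.22 GET /placeholder/view.asp 200
2024-06-11 08:02:10 not-an-ip GET /placeholder/view.asp 400
"""

TRUSTED = ["10.10.20.0/24"]  # assumed operator-station subnet


def untrusted_requests(log_text, trusted_cidrs):
    """Return {client_ip: [(timestamp, method, uri, status), ...]} for
    requests whose source address is outside every trusted network."""
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # Column order is declared per file; re-read it on every directive.
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or not fields:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated or malformed record
        rec = dict(zip(fields, parts))
        try:
            addr = ipaddress.ip_address(rec.get("c-ip", ""))
        except ValueError:
            addr = None  # unparseable source: report it rather than drop it
        if addr is not None and any(addr in n for n in nets):
            continue
        stamp = f"{rec.get('date', '')} {rec.get('time', '')}".strip()
        hits[rec.get("c-ip", "?")].append(
            (stamp, rec.get("cs-method"), rec.get("cs-uri-stem"), rec.get("sc-status")))
    return dict(hits)


if __name__ == "__main__":
    for ip, reqs in untrusted_requests(SAMPLE_LOG, TRUSTED).items():
        print(ip, len(reqs), reqs)
```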
## References
- **Vendor Advisory:** [https://cert-portal.siemens.com/productcert/pdf/ssa-883918.pdf](https://cert-portal.siemens.com/productcert/pdf/ssa-883918.pdf)
- **Siemens Industrial Security Guidelines:** [https://www.siemens.com/cert/operational-guidelines-industrial-security](https://www.siemens.com/cert/operational-guidelines-industrial-security)