CVE-2020-7580 Information
Description
A vulnerability has been identified in SIMATIC Automation Tool (All versions), SIMATIC NET PC software (All versions V16 V16 Upd3), SIMATIC PCS neo (All versions V3.0 SP1), SIMATIC ProSave (All versions), SIMATIC S7-1500 Software Controller (All versions), SIMATIC STEP 7 (All versions V5.6 SP2 HF3), SIMATIC STEP 7 (TIA Portal) V13 (All versions V13 SP2 Update 4), SIMATIC STEP 7 (TIA Portal) V14 (All versions), SIMATIC STEP 7 (TIA Portal) V15 (All versions), SIMATIC STEP 7 (TIA Portal) V16 (All versions V16 Update 2), SIMATIC WinCC OA V3.16 (All versions P018), SIMATIC WinCC OA V3.17 (All versions P003), SIMATIC WinCC Runtime Advanced (All versions V16 Update 2), SIMATIC WinCC Runtime Professional V13 (All versions V13 SP2 Update 4), SIMATIC WinCC Runtime Professional V14 (All versions), SIMATIC WinCC Runtime Professional V15 (All versions V15.1 Update 5), SIMATIC WinCC Runtime Professional V16 (All versions V16 Update 2), SIMATIC WinCC V7.4 (All versions V7.4 SP1 Update 14), SIMATIC WinCC V7.5 (All versions V7.5 SP1 Update 3), SINAMICS STARTER commissioning tool (All versions), SINAMICS Startdrive (All versions), SINEC NMS (All versions), SINEMA Server (All versions), SINUMERIK ONE virtual (All versions), SINUMERIK Operate (All versions).
A component within the affected application regularly calls a helper binary with SYSTEM privileges while the call path is not quoted.
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Reference
https://cert-portal.siemens.com/productcert/pdf/ssa-312271.pdf
https://www.us-cert.gov/ics/advisories/icsa-20-161-04
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction Required
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
Base Score
6.7
Base Severity
HIGH