|2017-11-02||Other||Siemens||Sergey Temnikov and Vladimir Dashchenko of Kaspersky Labs reported the vulnerability to Siemens.
# Siemens SIMATIC PCS 7
### VULNERABLE VENDOR
### VULNERABLE PRODUCT
SIMATIC PCS 7
Sergey Temnikov and Vladimir Dashchenko of Kaspersky Labs reported the vulnerability to Siemens.
### AFFECTED PRODUCTS
The following versions of SIMATIC PCS 7, a distributed control system, are affected:
V8.1 prior to V8.1 SP1 with WinCC V7.3 Upd 13, and
V8.2 all versions.
Successful exploitation of this vulnerability could allow a remote authenticated attacker to crash services on the devices.
### VULNERABILITY OVERVIEW
IMPROPER INPUT VALIDATION CWE-20
The improper input validation vulnerability has been identified, which may allow an authenticated remote attacker who is a member of the administrators group to crash services by sending specially crafted messages to the DCOM interface.
CVE-2017-14023 has been assigned to this vulnerability.
A CVSS v3 base score of 4.9 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
Critical Infrastructure Sectors: Chemical, Energy, Food and Agriculture, and Water and Wastewater Systems
Countries/Areas Deployed: Worldwide
Company Headquarters Location: Germany
Siemens has released the following updates:
V8.1: Update to V8.1 SP1 with WinCC V7.3 Upd 13 which can be obtained from:
Siemens is currently working on updates for the remaining affected versions and recommends that affected users:
Apply cell protection concept,
Use VPN for protecting network communication between cells, and
Siemens also strongly recommends that users protect network access to the SIMATIC PCS 7 with appropriate mechanisms by configuring the environment according to operation guidelines that can be found at:
For more information on this vulnerability and more detailed mitigation instructions, please see Siemens Security Advisory SSA-523365 at the following location: