Siemens has released a software update for a DLL hijacking vulnerability in SIMATIC STEP 7 and SIMATIC PCS 7 software. Previous versions of SIMATIC STEP 7 and PCS 7 allowed the loading of malicious DLL files into the STEP 7 project folder that can be used to attack the system on which STEP 7 is installed. This vulnerability can be remotely exploited, as was the case with Stuxnet malware which was known to target this vulnerability. Siemens has produced a patch that resolves this vulnerability.
Note: This advisory, together with advisory “ICSA-12-205-01--Siemens WinCC Insecure SQL Authentication,” addresses vulnerabilities first discovered in 2010 in conjunction with the discovery of Stuxnet. This vulnerability was fixed in 2011 by Siemens through a security update.
The following Siemens products and versions are affected.
An attacker can execute arbitrary code by exploiting this vulnerability.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
Siemens SIMATIC STEP 7 and PCS 7 software is used to configure and manage Siemens SIMATIC S7 PLCs. Siemens SIMATIC S7 PLCs are used in a variety of industrial applications worldwide, including energy, water and wastewater, oil and gas, chemical, building automation, and manufacturing.
DLL Loading Mechanism Vulnerability1
SIMATIC STEP 7 supports the loading of DLL files in STEP 7 project folders, which can be used within an attack against systems where STEP 7 is installed. An attacker can place arbitrary library files into STEP 7 project folders that will be loaded on STEP 7 startup without validation. The code will be executed with the permissions of the STEP 7 application.
This vulnerability can be remotely exploited.
Malware and public exploits are known to target this vulnerability.
An attacker with a medium skill level would be able to exploit these vulnerabilities.
Siemens has provided the STEP 7 software update V5.5 SP1 (equivalent to V5.5.1) that resolves the vulnerability, but recommends that the latest Service Pack, V5.5 SP2,2 be installed as soon as possible. SIMATIC PCS 7 users should also apply this update.
The updates implement a mechanism that rejects DLLs in the STEP 7 project folders, which contain executable code, thus preventing unintended execution of unchecked code. For further information please review the Siemens Security Advisory (SSA-110665) that can be found at the Siemens ProductCERT website.
ICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
The Control Systems Security Program (CSSP) also provides a section for control systems security recommended practices on the CSSP Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
For any questions related to this report, please contact the CISA at:
Toll Free: 1-888-282-0870
For industrial control systems cybersecurity information: https://www.us-cert.gov/ics
or incident reporting: https://www.us-cert.gov/report
CISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.
This product is provided subject to this Notification and this Privacy & Use policy.
Was this document helpful? Yes | Somewhat | No