CVE-2020-7580

A vulnerability has been identified in SIMATIC Automation Tool (All versions < V4 SP2), SIMATIC NET PC Software V14 (All versions < V14 SP1 Update 14), SIMATIC NET PC Software V15 (All versions), SIMATIC NET PC Software V16 (All versions < V16 Upd3), SIMATIC PCS neo (All versions < V3.0 SP1), SIMATIC ProSave (All versions < V17), SIMATIC S7-1500 Software Controller (All versions < V21.8), SIMATIC STEP 7 (TIA Portal) V13 (All versions < V13 SP2 Update 4), SIMATIC STEP 7 (TIA Portal) V14 (All versions < V14 SP1 Update 10), SIMATIC STEP 7 (TIA Portal) V15 (All versions < V15.1 Update 5), SIMATIC STEP 7 (TIA Portal) V16 (All versions < V16 Update 2), SIMATIC STEP 7 V5 (All versions < V5.6 SP2 HF3), SIMATIC WinCC OA V3.16 (All versions < V3.16 P018), SIMATIC WinCC OA V3.17 (All versions < V3.17 P003), SIMATIC WinCC Runtime Advanced (All versions < V16 Update 2), SIMATIC WinCC Runtime Professional V13 (All versions < V13 SP2 Update 4), SIMATIC WinCC Runtime Professional V14 (All versions < V14 SP1 Update 10), SIMATIC WinCC Runtime Professional V15 (All versions < V15.1 Update 5), SIMATIC WinCC Runtime Professional V16 (All versions < V16 Update 2), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 14), SIMATIC WinCC V7.5 (All versions < V7.5 SP1 Update 3), SINAMICS STARTER (All Versions < V5.4 HF2), SINAMICS Startdrive (All Versions < V16 Update 3), SINEC NMS (All versions < V1.0 SP2), SINEMA Server (All versions < V14 SP3), SINUMERIK ONE virtual (All Versions < V6.14), SINUMERIK Operate (All Versions < V6.14). A common component used by the affected applications regularly calls a helper binary with SYSTEM privileges while the call path is not quoted. This could allow a local attacker to execute arbitrary code with SYTEM privileges.

CVSS v3.0 6.7 MEDIUM
CVSS v2.0 7.2 HIGH

6.7^/10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.8 / Impact : 5.9

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

7.2^/10

CVSS v2.0 : HIGH

V2 Legend

Vector : AV:L/AC:L/Au:N/C:C/I:C/A:C

Exploitability : 3.9 / Impact : 10.0

Access Vector LOCAL

Access Complexity LOW

Authentication NONE

Confidentiality Impact COMPLETE

Integrity Impact COMPLETE

Availability Impact COMPLETE

References

Link	Resource
https://cert-portal.siemens.com/productcert/pdf/ssa-312271.pdf	Vendor Advisory
https://us-cert.cisa.gov/ics/advisories/icsa-20-161-04	Third Party Advisory US Government Resource

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:siemens:simatic_pcs_7::::::::
	cpe:2.3:a:siemens:simatic_wincc:7.4:sp1::::::
	cpe:2.3:a:siemens:simatic_wincc_runtime_advanced::::::::
	cpe:2.3:a:siemens:sinema_server::::::::
	cpe:2.3:a:siemens:simatic_wincc:7.4:-::::::
	cpe:2.3:a:siemens:simatic_net_pc:16:update1::::::
	cpe:2.3:a:siemens:simatic_net_pc:16:-::::::
	cpe:2.3:a:siemens:simatic_net_pc::::::::
	cpe:2.3:a:siemens:simatic_prosave::::::::
	cpe:2.3:a:siemens:simatic_pcs_neo::::::::
	cpe:2.3:a:siemens:simatic_automatic_tool::::::::
	cpe:2.3:a:siemens:simatic_step_7:5.6:sp1::::::
	cpe:2.3:a:siemens:simatic_step_7:5.6:sp2::::::
	cpe:2.3:a:siemens:simatic_step_7:5.6:sp2_hotfix1::::::
	cpe:2.3:a:siemens:simatic_step_7:5.6:-::::::
	cpe:2.3:a:siemens:simatic_step_7::::::::
	cpe:2.3:a:siemens:simatic_wincc_open_architecture:3.17:::::::*
	cpe:2.3:a:siemens:simatic_wincc_open_architecture:3.16:::::::*
	cpe:2.3:a:siemens:simatic_step_7::::::::
	cpe:2.3:a:siemens:sinumerik_operate::::::::
	cpe:2.3:a:siemens:sinumerik_one_virtual::::::::
	cpe:2.3:a:siemens:sinec_network_management_system::::::::
	cpe:2.3:a:siemens:sinamics_startdrive::::::::
	cpe:2.3:a:siemens:sinamics_starter_commissioning_tool::::::::
	cpe:2.3:a:siemens:simatic_wincc:7.5:sp1::::::
	cpe:2.3:a:siemens:simatic_wincc:7.5:sp1_update1::::::
	cpe:2.3:a:siemens:simatic_wincc:7.5:sp1_update2::::::
	cpe:2.3:a:siemens:simatic_wincc:7.5:-::::::
	cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update1::::::
	cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update2::::::
	cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update3::::::
	cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update4::::::
	cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update5::::::
	cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update6::::::
	cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update7::::::
	cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update8::::::
	cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update9::::::
	cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update10::::::
	cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update11::::::
	cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update12::::::
	cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update13::::::
	cpe:2.3:a:siemens:simatic_wincc::::::::
	cpe:2.3:a:siemens:simatic_wincc_runtime_professional::::::::

Configuration 2 (hide)

AND

cpe:2.3:o:siemens:simatic_s7-150_firmware:*:*:*:*:*:*:*:*

cpe:2.3:h:siemens:simatic_s7-150:-:*:*:*:*:*:*:*

Information

Published : 2020-06-10 10:15

Updated : 2022-12-13 09:15

NVD link : CVE-2020-7580

Mitre link : CVE-2020-7580

JSON object : View

CWE

CWE-428

Unquoted Search Path or Element

Products Affected

siemens

sinumerik_one_virtual
sinamics_starter_commissioning_tool
simatic_s7-150
sinec_network_management_system
simatic_pcs_neo
simatic_prosave
sinumerik_operate
simatic_net_pc
sinema_server
simatic_pcs_7
simatic_wincc_open_architecture
simatic_wincc_runtime_professional
simatic_s7-150_firmware
simatic_step_7
sinamics_startdrive
simatic_automatic_tool
simatic_wincc
simatic_wincc_runtime_advanced

{"cve": {"data_type": "CVE", "references": {"reference_data": [{"url": "https://cert-portal.siemens.com/productcert/pdf/ssa-312271.pdf", "name": "https://cert-portal.siemens.com/productcert/pdf/ssa-312271.pdf", "tags": ["Vendor Advisory"], "refsource": "MISC"}, {"url": "https://us-cert.cisa.gov/ics/advisories/icsa-20-161-04", "name": "https://us-cert.cisa.gov/ics/advisories/icsa-20-161-04", "tags": ["Third Party Advisory", "US Government Resource"], "refsource": "MISC"}]}, "data_format": "MITRE", "description": {"description_data": [{"lang": "en", "value": "A vulnerability has been identified in SIMATIC Automation Tool (All versions < V4 SP2), SIMATIC NET PC Software V14 (All versions < V14 SP1 Update 14), SIMATIC NET PC Software V15 (All versions), SIMATIC NET PC Software V16 (All versions < V16 Upd3), SIMATIC PCS neo (All versions < V3.0 SP1), SIMATIC ProSave (All versions < V17), SIMATIC S7-1500 Software Controller (All versions < V21.8), SIMATIC STEP 7 (TIA Portal) V13 (All versions < V13 SP2 Update 4), SIMATIC STEP 7 (TIA Portal) V14 (All versions < V14 SP1 Update 10), SIMATIC STEP 7 (TIA Portal) V15 (All versions < V15.1 Update 5), SIMATIC STEP 7 (TIA Portal) V16 (All versions < V16 Update 2), SIMATIC STEP 7 V5 (All versions < V5.6 SP2 HF3), SIMATIC WinCC OA V3.16 (All versions < V3.16 P018), SIMATIC WinCC OA V3.17 (All versions < V3.17 P003), SIMATIC WinCC Runtime Advanced (All versions < V16 Update 2), SIMATIC WinCC Runtime Professional V13 (All versions < V13 SP2 Update 4), SIMATIC WinCC Runtime Professional V14 (All versions < V14 SP1 Update 10), SIMATIC WinCC Runtime Professional V15 (All versions < V15.1 Update 5), SIMATIC WinCC Runtime Professional V16 (All versions < V16 Update 2), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 14), SIMATIC WinCC V7.5 (All versions < V7.5 SP1 Update 3), SINAMICS STARTER (All Versions < V5.4 HF2), SINAMICS Startdrive (All Versions < V16 Update 3), SINEC NMS (All versions < V1.0 SP2), SINEMA Server (All versions < V14 SP3), SINUMERIK ONE virtual (All Versions < V6.14), SINUMERIK Operate (All Versions < V6.14). A common component used by the affected applications regularly calls a helper binary with SYSTEM privileges while the call path is not quoted. This could allow a local attacker to execute arbitrary code with SYTEM privileges."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "en", "value": "CWE-428"}]}]}, "data_version": "4.0", "CVE_data_meta": {"ID": "CVE-2020-7580", "ASSIGNER": "productcert@siemens.com"}}, "impact": {"baseMetricV2": {"cvssV2": {"version": "2.0", "baseScore": 7.2, "accessVector": "LOCAL", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "authentication": "NONE", "integrityImpact": "COMPLETE", "accessComplexity": "LOW", "availabilityImpact": "COMPLETE", "confidentialityImpact": "COMPLETE"}, "severity": "HIGH", "acInsufInfo": false, "impactScore": 10.0, "obtainAllPrivilege": false, "exploitabilityScore": 3.9, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "baseMetricV3": {"cvssV3": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 0.8}}, "publishedDate": "2020-06-10T17:15Z", "configurations": {"nodes": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:a:siemens:simatic_pcs_7:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc:7.4:sp1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc_runtime_advanced:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:sinema_server:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc:7.4:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_net_pc:16:update1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_net_pc:16:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_net_pc:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "16"}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_prosave:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_pcs_neo:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_automatic_tool:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_step_7:5.6:sp1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_step_7:5.6:sp2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_step_7:5.6:sp2_hotfix1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_step_7:5.6:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_step_7:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "5.6"}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc_open_architecture:3.17:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc_open_architecture:3.16:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_step_7:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "16", "versionStartIncluding": "13"}, {"cpe23Uri": "cpe:2.3:a:siemens:sinumerik_operate:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:sinumerik_one_virtual:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:sinec_network_management_system:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:sinamics_startdrive:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:sinamics_starter_commissioning_tool:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc:7.5:sp1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc:7.5:sp1_update1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc:7.5:sp1_update2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc:7.5:-:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update1:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update2:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update3:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update4:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update5:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update6:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update7:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update8:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update9:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update10:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update11:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update12:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc:7.4:sp1_update13:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndExcluding": "7.4"}, {"cpe23Uri": "cpe:2.3:a:siemens:simatic_wincc_runtime_professional:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true, "versionEndIncluding": "16", "versionStartIncluding": "13"}]}, {"children": [{"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:o:siemens:simatic_s7-150_firmware:*:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": true}]}, {"children": [], "operator": "OR", "cpe_match": [{"cpe23Uri": "cpe:2.3:h:siemens:simatic_s7-150:-:*:*:*:*:*:*:*", "cpe_name": [], "vulnerable": false}]}], "operator": "AND", "cpe_match": []}], "CVE_data_version": "4.0"}, "lastModifiedDate": "2022-12-13T17:15Z"}

6.7 /10