Vulnerabilities > CVE-2020-7581 - Unquoted Search Path or Element vulnerability in Siemens products

CVSS 6.7 - MEDIUM

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

HIGH

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

local

low complexity

siemens

CWE-428

NVD

Published: 2020-07-14

Updated: 2023-01-30

Summary

A vulnerability has been identified in Opcenter Execution Discrete (All versions < V3.2), Opcenter Execution Foundation (All versions < V3.2), Opcenter Execution Process (All versions < V3.2), Opcenter Intelligence (All versions < V3.3), Opcenter Quality (All versions < V11.3), Opcenter RD&L (V8.0), SIMATIC Notifier Server for Windows (All versions), SIMATIC PCS neo (All versions < V3.0 SP1), SIMATIC STEP 7 (TIA Portal) V15 (All versions < V15.1 Update 5), SIMATIC STEP 7 (TIA Portal) V16 (All versions < V16 Update 2), SIMOCODE ES V15.1 (All versions < V15.1 Update 4), SIMOCODE ES V16 (All versions < V16 Update 1), Soft Starter ES V15.1 (All versions < V15.1 Update 3), Soft Starter ES V16 (All versions < V16 Update 1). A component within the affected application calls a helper binary with SYSTEM privileges during startup while the call path is not quoted. This could allow a local attacker with administrative privileges to execute code with SYSTEM level privileges.

Vulnerable Configurations

Part	Description	Count
Application	Siemens Siemens Simatic PCS NEO * Siemens Opcenter Execution Discrete - Siemens Opcenter Execution Foundation - Siemens Opcenter Execution Process - Siemens Opcenter Intelligence * Siemens Opcenter Quality - Siemens Opcenter Rd&L 8.0 Siemens Simatic Step 7 16 Siemens Simatic Step 7 5.5 Siemens Simatic Step 7 5.6 Siemens Simatic Step 7 12.0 Siemens Simatic Step 7 13 Siemens Simatic Step 7 13.0 Siemens Simatic Step 7 13.001 Siemens Simatic Step 7 13.002 Siemens Simatic Step 7 13.003 Siemens Simatic Step 7 13.004 Siemens Simatic Step 7 13.005 Siemens Simatic Step 7 13.006 Siemens Simatic Step 7 13.007 Siemens Simatic Step 7 13.008 Siemens Simatic Step 7 13.009 Siemens Simatic Step 7 13.010 Siemens Simatic Step 7 14 Siemens Simatic Step 7 15 Siemens Simatic Step 7 15.1 Siemens Soft Starter ES * Siemens Simocode ES * Siemens Simatic Notifier Server *	38

Common Weakness Enumeration (CWE)

CWE-428 - Unquoted Search Path or Element

Common Attack Pattern Enumeration and Classification (CAPEC)

Leveraging/Manipulating Configuration File Search Paths
This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program like a path variable or classpath. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker. A standard UNIX path looks similar to this If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attackers' behalf: This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution.

References

https://cert-portal.siemens.com/productcert/pdf/ssa-841348.pdf