A vulnerability has been identified in SIMATIC NET PC Software V14 (All versions), SIMATIC NET PC Software V15 (All versions), SIMATIC PCS 7 V8.2 (All versions), SIMATIC PCS 7 V9.0 (All versions), SIMATIC PCS 7 V9.1 (All versions), SIMATIC WinCC (All versions < V8.0), SINAUT Software ST7sc (All versions). Before SIMATIC WinCC V8, legacy OPC services (OPC DA (Data Access), OPC HDA (Historical Data Access), and OPC AE (Alarms & Events)) were used per default. These services were designed on top of the Windows ActiveX and DCOM mechanisms and do not implement state-of-the-art security mechanisms for authentication and encryption of contents.
Weakness
The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Simatic_net_pc_software | Siemens | 14.0 (including) | 14.0 (including) |
| Simatic_net_pc_software | Siemens | 15.0 (including) | 15.0 (including) |
| Simatic_pcs_7 | Siemens | 8.2 (including) | 8.2 (including) |
| Simatic_pcs_7 | Siemens | 9.0 (including) | 9.0 (including) |
| Simatic_pcs_7 | Siemens | 9.1 (including) | 9.1 (including) |
| Simatic_wincc | Siemens | * | 8.0 (excluding) |
| Sinaut_st7sc | Siemens | * | * |
Extended Description
As programming languages evolve, functions occasionally become obsolete due to:
Functions that are removed are usually replaced by newer counterparts that perform the same task in some different and hopefully improved way.