VDE-2023-047 | CERT@VDE

2023-10-17 08:00 (CEST) VDE-2023-047

Festo: Vulnerable Siemens TIA-Portal in multiple Festo Didactic products

Share: Email | Twitter

ID

VDE-2023-047

Published

2023-10-17 08:00 (CEST)

Last update

2023-10-12 09:31 (CEST)

Vendor(s)

Festo Didactic SE

Product(s)

Article No°	Product Name	Affected Version(s)
	MES PC: with TIA-Portal V15 < V17 Update 6 or V18 < V18 Update 1	= based on DELL XE3
8107242	TP260: with TIA-Portal V15 < V17 Update 6 or V18 < V18 Update 1	< June 2023

Summary

A vulnerability was reported in Siemens TIA Portal. TIA Portal is part of the installation packages of several Festo Didactic products.

TP 260 before June 2023 and MES PC based on DELL XE3 contain a vulnerable versions of TIA Portal V15 to V18.

Affected products of TIA Portal contain a path traversal vulnerability that could allow the creation or overwrite of arbitrary files in the engineering system.

CVE ID

CVE-2023-26293

Last Update:

4. Oktober 2023 14:16

Severity

7.8 (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Weakness

Improper Input Validation (CWE-20)

Summary

A vulnerability has been identified in Totally Integrated Automation Portal (TIA Portal) V15 (All versions), Totally Integrated Automation Portal (TIA Portal) V16 (All versions), Totally Integrated Automation Portal (TIA Portal) V17 (All versions < V17 Update 6), Totally Integrated Automation Portal (TIA Portal) V18 (All versions < V18 Update 1). Affected products contain a path traversal vulnerability that could allow the creation or overwrite of arbitrary files in the engineering system. If the user is tricked to open a malicious PC system configuration file, an attacker could exploit this vulnerability to achieve arbitrary code execution.

Details

nvd.nist.gov

Solution

General recommendations

As part of a security strategy, Festo recommends the following general defense measures to reduce the risk of exploits:

Use controllers and devices only in a protected environment to minimize network exposure and ensure that they are not accessible from outside
Use firewalls to protect and separate the control system network from other networks
Use VPN (Virtual Private Networks) tunnels if remote access is required
Activate and apply user management and password features
Use encrypted communication links
Limit the access to both development and control system by physical means, operating system features, etc.
Protect both development and control system by using up to date virus detecting solutions

Festo strongly recommends to minimize and protect network access to connected devices with state of the art techniques and processes.
For a secure operation follow the recommendations in the product manuals.

Remediation

Update TIA-Portal. Please refer to Siemens SSA-116924 for more details.

Reported by

Festo SE & Co. KG thanks CERT@VDE for coordination and support with this publication