Siemens issue patchs for serious denial-of-service (DoS) flaws in several of its products

CVE Number – CVE-2019-19282

Siemens has released patches that address serious denial-of-service (DoS) flaws in several of its products.

According to the advisories, a high-severity DoS flaw affects Siemens SIMATIC PCS 7, SIMATIC WinCC and SIMATIC NET PC products.

SIMATIC WinCC is a supervisory control and data acquisition (SCADA) system.

SIMATIC WinCC (TIA Portal) is an engineering software to configure and program SIMATIC Panels,SIMATIC Industrial PCs, and Standard PCs running WinCC Runtime Advanced or SCADA System WinCCRuntime Professional visualization software.

SIMATIC NET PC software is a software product that is sold separately and implements the communica-tions product from SIMATIC NET.

SIMATIC PCS 7 is a distributed control system (DCS) integrating SIMATIC WinCC, SIMATIC Batch,SIMATIC Route Control, OpenPCS7 and other components.

The flaw could be exploited if encrypted communication is enabled by sending specially crafted messages to the vulnerable system over the network. An attacker could exploit the issue without system privileges or user interaction.

Siemens has released updates for several affected products, and recommends that customers update tothe latest version. Siemens is preparing further updates and recommends specific countermeasures untilpatches are available.

Further information – https://cert-portal.siemens.com/productcert/pdf/ssa-270778.pdf