CVE-2020-7585
📋 TL;DR
This is a DLL hijacking vulnerability in multiple Siemens industrial control system products that allows local attackers to execute arbitrary code with elevated privileges. It affects SIMATIC PCS 7, SIMATIC PDM, SIMATIC STEP 7, and SINAMICS STARTER software. Successful exploitation requires local access but no user interaction.
💻 Affected Systems
- SIMATIC PCS 7
- SIMATIC PDM
- SIMATIC STEP 7
- SINAMICS STARTER
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing attacker to execute arbitrary code with elevated privileges, potentially disrupting industrial processes, stealing sensitive data, or establishing persistence in control systems.
Likely Case
Local privilege escalation leading to unauthorized access to sensitive industrial control system configurations and potential disruption of industrial operations.
If Mitigated
Limited impact due to proper access controls, network segmentation, and monitoring preventing local attacker access to vulnerable systems.
🎯 Exploit Status
Exploitation requires local access and user privileges but no user interaction. DLL hijacking vulnerabilities are generally straightforward to exploit once the vulnerable DLL loading behavior is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: SIMATIC PCS 7 V9.0 SP3, SIMATIC PDM V9.2, SIMATIC STEP 7 V5.6 SP2 HF3, SINAMICS STARTER V5.4 HF2
Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-689942.pdf
Restart Required: Yes
Instructions:
1. Download the appropriate update from the Siemens support portal.
2. Apply the update following the Siemens installation instructions.
3. Restart the affected systems.
4. Verify the update was applied successfully.
🔧 Temporary Workarounds
Restrict local access
Limit local access to affected systems to authorized personnel only, through physical security and user account controls.
Implement application whitelisting
Use application control solutions to prevent unauthorized DLL loading and execution.
🧯 If You Can't Patch
- Implement strict access controls to limit local access to affected systems
- Monitor for suspicious DLL loading behavior and privilege escalation attempts
🔍 How to Verify
Check if Vulnerable:
Compare the installed software versions against the affected systems list above. For Siemens software, check Help > About in the application interface.
Check Version:
Check via Siemens software interface: Help > About or consult Siemens documentation for version checking commands.
Verify Fix Applied:
Verify the installed version matches or exceeds the patched version: SIMATIC PCS 7 V9.0 SP3 or later, SIMATIC PDM V9.2 or later, SIMATIC STEP 7 V5.6 SP2 HF3 or later, SINAMICS STARTER V5.4 HF2 or later.
📡 Detection & Monitoring
Log Indicators:
- Unexpected DLL loading from non-standard locations
- Privilege escalation attempts
- Unauthorized process execution
Network Indicators:
- Unusual local system activity patterns
SIEM Query:
Process creation events where parent process is Siemens software loading DLLs from suspicious locations OR privilege escalation from user to SYSTEM/admin
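The SIEM logic above, worked through as an added example that is not part of the advisory: it scans Sysmon-style image-load events (Event ID 7) and flags any DLL a Siemens process loaded from outside trusted directories or without a valid signature. The install roots, trusted directories, process names, DLL names and log lines are all constructed placeholders; adjust them to the engineering workstation being monitored.

```python
import json
from pathlib import PureWindowsPath

# Assumed install roots and trusted DLL directories (placeholders, not vendor paths).
SIEMENS_ROOTS = (r"C:\Program Files\Siemens", r"C:\Program Files (x86)\Siemens")
TRUSTED_DLL_DIRS = (r"C:\Windows\System32", r"C:\Windows\SysWOW64") + SIEMENS_ROOTS

# Constructed Sysmon-style image-load events (JSON lines), not real telemetry.
SAMPLE_LOG = r"""
{"EventID": 7, "Image": "C:\\Program Files\\Siemens\\STEP7\\app.exe", "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll", "Signed": "true", "User": "PLANT\\engineer"}
{"EventID": 7, "Image": "C:\\Program Files\\Siemens\\STEP7\\app.exe", "ImageLoaded": "C:\\Program Files\\Siemens\\STEP7\\helper.dll", "Signed": "true", "User": "PLANT\\engineer"}
{"EventID": 7, "Image": "C:\\Program Files\\Siemens\\STEP7\\app.exe", "ImageLoaded": "C:\\Users\\engineer\\AppData\\Local\\Temp\\plugin.dll", "Signed": "false", "User": "PLANT\\engineer"}
{"EventID": 7, "Image": "C:\\Program Files\\Other\\tool.exe", "ImageLoaded": "C:\\Users\\engineer\\stuff.dll", "Signed": "false", "User": "PLANT\\engineer"}
{"EventID": 1, "Image": "C:\\Program Files\\Siemens\\STEP7\\app.exe", "User": "PLANT\\engineer"}
"""


def parse_jsonl(text):
    """Parse one JSON object per non-empty line into a list of event dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _under(path, roots):
    """True if `path` lies beneath any directory in `roots` (case-insensitive on Windows paths)."""
    p = PureWindowsPath(path)
    return any(PureWindowsPath(root) in p.parents for root in roots)


def find_suspicious_loads(events):
    """Return image-load events where a Siemens process loaded a DLL from an
    untrusted directory or the DLL was not signed; each hit lists its reasons."""
    hits = []
    for ev in events:
        # Only image-load events from processes under the Siemens install roots.
        if ev.get("EventID") != 7 or not _under(ev.get("Image", ""), SIEMENS_ROOTS):
            continue
        dll = ev.get("ImageLoaded", "")
        reasons = []
        if not _under(dll, TRUSTED_DLL_DIRS):
            reasons.append("untrusted directory")
        if str(ev.get("Signed", "false")).lower() != "true":
            reasons.append("unsigned")
        if reasons:
            hits.append({"process": ev["Image"], "dll": dll,
                         "user": ev.get("User"), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_loads(parse_jsonl(SAMPLE_LOG)):
        print(hit)
```

Feeding the same rule the DLL-loading events collected by your endpoint telemetry turns the "suspicious locations" wording of the SIEM query into a concrete allow-list check per process.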
🔗 References
- https://cert-portal.siemens.com/productcert/pdf/ssa-689942.pdf
- https://us-cert.cisa.gov/ics/advisories/icsa-20-161-05
- https://www.us-cert.gov/ics/advisories/icsa-20-161-05