CVE-2021-31894
📋 TL;DR
This vulnerability in Siemens industrial control software allows attackers to modify configuration metafiles due to improper write permissions. By manipulating these files, attackers could alter device parameters or behavior when the software configures devices. Affected systems include SIMATIC PCS 7, SIMATIC PDM, SIMATIC STEP 7, and SINAMICS STARTER.
💻 Affected Systems
- SIMATIC PCS 7
- SIMATIC PDM
- SIMATIC STEP 7
- SINAMICS STARTER
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate critical industrial devices to cause physical damage, production shutdowns, or safety incidents by altering configuration parameters.
Likely Case
Attackers with access to the system could modify device configurations to disrupt operations, cause malfunctions, or create persistent backdoors.
If Mitigated
With proper access controls and network segmentation, impact is limited to configuration changes that reach devices only when the software is subsequently used to configure them.
🎯 Exploit Status
Exploitation requires write access to the directory containing metafiles, which typically means some level of system access is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PCS 7 V9.1 SP2, PDM V9.2 SP2, STEP 7 V5.7, SINAMICS STARTER V5.4 SP2 HF1
Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-661034.pdf
Restart Required: Yes
Instructions:
1. Download appropriate updates from Siemens Industrial Security.
2. Apply patches according to Siemens documentation.
3. Restart affected systems.
4. Verify patch installation.
🔧 Temporary Workarounds
Restrict directory permissions
Windows: Manually modify permissions on the metafile directory to remove write access for unauthorized users
icacls "C:\ProgramData\Siemens\Automation\...\metafiles" /deny Users:(W)
Network segmentation
All platforms: Isolate affected systems from general network access using firewalls and VLANs
🧯 If You Can't Patch
- Implement strict access controls to limit who can access the affected systems
- Monitor file changes in the metafile directories and alert on unauthorized modifications
🔍 How to Verify
Check if Vulnerable:
Check installed software versions against the affected versions list and verify write permissions on the metafile directories
Check Version:
Check through Siemens software interface or Windows Programs and Features
Verify Fix Applied:
Verify that the installed version is a patched version and test that unauthorized users cannot write to the metafile directories
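One way to carry out the write-permission check above, as an added example that is not part of the Siemens advisory or tooling. The `-MetafileDir` parameter is a placeholder for the metafile directory of your installation (the page elides the full path), and the list of trusted SIDs is an assumption to adjust for your site.

```powershell
# Added example: list Allow ACEs that grant write-type access on the metafile
# directory tree to principals outside a trusted set. It reports ACEs as stored;
# it does not compute effective access, so Deny entries are not evaluated.
param(
    # Placeholder: supply the metafile directory for your installation.
    [Parameter(Mandatory)][string]$MetafileDir
)

# Assumption: only these principals are expected to hold write access.
$trustedSids = @(
    'S-1-5-18',      # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that allow creating, changing, replacing or re-permissioning files.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# GENERIC_WRITE | GENERIC_ALL: some ACEs store generic bits that do not map to
# named FileSystemRights values and would otherwise be missed.
$genericMask = 0x40000000 -bor 0x10000000

$items = @(Get-Item -LiteralPath $MetafileDir) +
         @(Get-ChildItem -LiteralPath $MetafileDir -Recurse -Force)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = [int]$ace.FileSystemRights
        if (-not ($rights -band ($writeMask -bor $genericMask))) { continue }

        # Compare by SID so the check does not depend on the OS display language.
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }   # unresolvable account
        if ($trustedSids -contains $sid) { continue }

        [pscustomobject]@{
            Path      = $item.FullName
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
            Inherited = $ace.IsInherited
        }
    }
}

$findings | Sort-Object Path, Principal | Format-Table -AutoSize
if ($findings) { exit 1 }   # non-zero exit so a scheduled check can alert
```

Run it from an elevated prompt before and after applying the fix or workaround; an empty result means no principal outside the trusted set holds a write-type Allow ACE in the tree.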
📡 Detection & Monitoring
Log Indicators:
- Unauthorized file modifications in Siemens software directories
- Failed permission changes on metafile directories
- Unexpected configuration changes to industrial devices
Network Indicators:
- Unusual network traffic to/from engineering workstations
- Unexpected connections to industrial controllers
SIEM Query:
EventID=4663 AND ObjectName LIKE '%Siemens%metafiles%' AND Accesses LIKE '%Write%'