CVE-2021-40360
📋 TL;DR
This vulnerability lets an attacker who already holds a user account on an affected Siemens SIMATIC PCS 7 or WinCC system retrieve the password hashes of local user accounts through a public API. Because the attacker ends up with the hashes themselves, the brute-force step runs offline and is not slowed by server-side lockout or rate limiting; any recovered password then gives a working login to the server. Several release lines of SIMATIC PCS 7 and SIMATIC WinCC are affected (see the fixed versions under Fix & Mitigation).
💻 Affected Systems
- SIMATIC PCS 7
- SIMATIC WinCC
📦 What is this software?
SIMATIC PCS 7 is Siemens' distributed control system (DCS) for the process industries; SIMATIC WinCC is Siemens' SCADA/HMI system, used both stand-alone and as the operator-station layer of PCS 7. Both run on Windows hosts, typically engineering stations and OS/WinCC servers inside the plant network, and both keep local user accounts whose hashes are the target of this issue.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of industrial control systems leading to operational disruption, safety hazards, or data exfiltration from critical infrastructure environments.
Likely Case
Unauthorized access to industrial control servers, potentially allowing attackers to modify process parameters, disrupt operations, or steal sensitive industrial data.
If Mitigated
Limited impact where network segmentation keeps the API unreachable from untrusted hosts, API and account permissions are tightly scoped, local-account passwords are long enough that an offline attack on the leaked hashes is impractical, and monitoring catches the hash retrieval or the subsequent logins.
🎯 Exploit Status
Exploitation requires a valid account on the affected system but no special tooling: the hashes are obtained with ordinary calls to the public API and then cracked offline at the attacker's leisure. Weak or reused passwords turn a hash leak into working credentials quickly; a leaked hash remains useful until the corresponding password is changed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PCS 7 V9.1 SP1; WinCC V15 SP1 Update 7, V16 Update 5, V17 Update 2, V7.4 SP1 Update 19, V7.5 SP2 Update 6. Product lines not listed here have no fix version on this page; treat them as unpatched and consult the vendor advisory.
Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-914168.pdf
Restart Required: Yes
Instructions:
1. Download the appropriate update for your product line from the Siemens download links referenced in the advisory.
2. Apply the update following the Siemens installation procedure for that product line.
3. Restart the affected systems.
4. Verify that the installed version now matches the fixed release listed above.
🔧 Temporary Workarounds
Restrict API Access (Platform: Windows)
Limit who can reach the vulnerable public API: firewall it so that only engineering and OS stations can connect, and restrict which user accounts hold the permission to query user-account information.
Enforce Strong Password Policies (Platform: all)
Require long, unique passwords for every local account so that offline cracking of a leaked hash is impractical. Because hashes may already have been collected before patching, rotate the passwords of all local accounts after the update is applied.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate affected systems from untrusted networks.
- Enable detailed logging and monitoring for API access attempts and unusual authentication patterns.
🔍 How to Verify
Check if Vulnerable:
Compare the installed version of each product line against the fixed releases above: anything below the listed update is vulnerable, and product lines with no fix listed should be treated as vulnerable. Review system logs for API calls that retrieve user-account information, especially from hosts or accounts that have no business performing user administration.
Check Version:
Check version through Siemens SIMATIC Manager or WinCC Explorer interface.
Verify Fix Applied:
Verify installed version matches or exceeds patched versions listed in vendor advisory.
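The version comparison described above, as an added example that is not Siemens tooling or code from this page: it takes a product name and the version string shown in SIMATIC Manager or WinCC Explorer and reports whether it is below the fixed release listed in this advisory summary. The fixed releases are the ones on this page; the assumed version-string format `V<line> [SP<n>] [Update <n>]`, the rule that a service pack outranks an update number, and the sample inventory are my assumptions.

```python
"""Version check for CVE-2021-40360 (added example, not Siemens tooling).

Fixed releases are the ones listed on this page. The version-string format
'V<major>[.<minor>] [SP<n>] [Update <n>]' and the ordering rule
(SP outranks Update) are assumptions about Siemens version naming.
"""
import re
from typing import Dict, Tuple

# Fixed releases as listed on this page, keyed by (product, release line).
# Product lines with no fix version listed (e.g. PCS 7 V9.0) are absent
# here and are therefore reported as unpatched.
FIXED: Dict[Tuple[str, str], str] = {
    ("PCS 7", "9.1"): "V9.1 SP1",
    ("WinCC", "15"): "V15 SP1 Update 7",
    ("WinCC", "16"): "V16 Update 5",
    ("WinCC", "17"): "V17 Update 2",
    ("WinCC", "7.4"): "V7.4 SP1 Update 19",
    ("WinCC", "7.5"): "V7.5 SP2 Update 6",
}

_VER_RE = re.compile(
    r"^V(?P<line>\d+(?:\.\d+)?)"        # release line, e.g. 15 or 7.5
    r"(?:\s+SP(?P<sp>\d+))?"            # optional service pack
    r"(?:\s+Update\s+(?P<upd>\d+))?$",  # optional update number
    re.IGNORECASE,
)


def parse_version(text: str) -> Tuple[str, int, int]:
    """Split 'V7.5 SP2 Update 6' into ('7.5', 2, 6); missing parts are 0."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return m.group("line"), int(m.group("sp") or 0), int(m.group("upd") or 0)


def is_vulnerable(product: str, version: str) -> Tuple[bool, str]:
    """Return (vulnerable?, reason) for an installed product/version pair."""
    line, sp, upd = parse_version(version)
    fixed = FIXED.get((product, line))
    if fixed is None:
        return True, f"{product} V{line}: no fixed release listed, treat as unpatched"
    _, fixed_sp, fixed_upd = parse_version(fixed)
    if (sp, upd) >= (fixed_sp, fixed_upd):
        return False, f"{product} {version} is at or above {fixed}"
    return True, f"{product} {version} is below {fixed}"


if __name__ == "__main__":
    # Constructed inventory, not real hosts.
    inventory = [
        ("OS-SRV-01", "WinCC", "V7.5 SP2 Update 5"),
        ("OS-SRV-02", "WinCC", "V7.5 SP2 Update 6"),
        ("ES-01", "PCS 7", "V9.1"),
        ("ES-02", "PCS 7", "V9.0 SP3"),
    ]
    for host, product, version in inventory:
        vuln, why = is_vulnerable(product, version)
        print(f"{host}: {'VULNERABLE' if vuln else 'patched'} ({why})")
```

Feed it the version string exactly as the About dialog of SIMATIC Manager or WinCC Explorer shows it; a version string the regex does not recognise raises rather than silently reporting "patched", which is the safer failure mode for an inventory sweep.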
📡 Detection & Monitoring
Log Indicators:
- API calls that retrieve user-account information from accounts or hosts that do not normally perform user administration
- A burst of failed logins for one account followed by a success (the offline-cracked password being used)
- Authentication from unexpected IP addresses or at unusual times
Network Indicators:
- Requests to user-management API endpoints from hosts outside the engineering/OS station set
- New outbound connections from the server shortly after such a login
SIEM Query (field names are placeholders; map them to your collector's schema and exclude your known engineering stations, otherwise every legitimate user-list call matches):
source="wincc_logs" event_type="api_call" api_endpoint="*user*" result="success" NOT src_ip IN (<engineering station IPs>)
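The two log indicators above, implemented as detection logic and run over constructed sample log lines. This is an added example, not Siemens or vendor SIEM content: the one-event-per-line key=value format, the field names (which mirror the placeholder SIEM query), the allowlist of engineering stations, the thresholds and the sample events are all assumptions.

```python
"""Detection for the CVE-2021-40360 indicators above, run over constructed
sample log lines (added example, not Siemens or vendor SIEM content).

Assumptions: one key=value event per line; the fields ts/src_ip/user/
event_type/api_endpoint/result mirror the placeholder SIEM query on this
page; TRUSTED_SOURCES is a made-up allowlist of engineering stations.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

TRUSTED_SOURCES = {"10.0.1.10", "10.0.1.11"}  # assumed engineering stations
FAIL_THRESHOLD = 3                            # failed logins before a success that we flag
FAIL_WINDOW = timedelta(minutes=10)

# Constructed sample data: an engineer legitimately lists users, then an
# operator account is hammered from an unexpected host, logs in, and pulls
# user-account data through the API; a second engineer simply mistypes once.
SAMPLE_LOGS = """\
ts=2021-11-09T08:00:01 src_ip=10.0.1.10 user=engineer1 event_type=api_call api_endpoint=/api/users/list result=success
ts=2021-11-09T08:05:12 src_ip=10.0.5.77 user=operator2 event_type=auth result=failure
ts=2021-11-09T08:05:20 src_ip=10.0.5.77 user=operator2 event_type=auth result=failure
ts=2021-11-09T08:05:31 src_ip=10.0.5.77 user=operator2 event_type=auth result=failure
ts=2021-11-09T08:06:02 src_ip=10.0.5.77 user=operator2 event_type=auth result=success
ts=2021-11-09T08:06:15 src_ip=10.0.5.77 user=operator2 event_type=api_call api_endpoint=/api/users/get result=success
ts=2021-11-09T09:30:00 src_ip=10.0.1.11 user=engineer2 event_type=auth result=failure
ts=2021-11-09T09:31:00 src_ip=10.0.1.11 user=engineer2 event_type=auth result=success
"""


def parse_logs(text: str) -> List[Dict]:
    """Parse key=value lines into dicts, with ts as a datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split())
        fields["ts"] = datetime.fromisoformat(fields["ts"])
        events.append(fields)
    return sorted(events, key=lambda e: e["ts"])


def user_api_from_untrusted(events: List[Dict]) -> List[Dict]:
    """Successful user-management API calls from hosts outside the allowlist."""
    return [
        e for e in events
        if e.get("event_type") == "api_call"
        and "user" in e.get("api_endpoint", "").lower()
        and e.get("result") == "success"
        and e.get("src_ip") not in TRUSTED_SOURCES
    ]


def failures_then_success(events: List[Dict], threshold: int = FAIL_THRESHOLD,
                          window: timedelta = FAIL_WINDOW) -> List[Dict]:
    """Per account: at least `threshold` failed logins inside `window`, then a success."""
    recent_failures = defaultdict(list)
    hits = []
    for e in events:
        if e.get("event_type") != "auth":
            continue
        user = e["user"]
        # Drop failures that have aged out of the window before counting.
        fails = [t for t in recent_failures[user] if e["ts"] - t <= window]
        if e["result"] == "failure":
            fails.append(e["ts"])
            recent_failures[user] = fails
        else:
            if len(fails) >= threshold:
                hits.append({"user": user, "src_ip": e["src_ip"],
                             "failures": len(fails), "ts": e["ts"]})
            recent_failures[user] = []  # a success resets the streak
    return hits


def detect(text: str) -> Dict[str, List[Dict]]:
    events = parse_logs(text)
    return {
        "untrusted_user_api": user_api_from_untrusted(events),
        "failures_then_success": failures_then_success(events),
    }


if __name__ == "__main__":
    for name, findings in detect(SAMPLE_LOGS).items():
        print(name)
        for finding in findings:
            print("  ", finding)
```

On the sample data the first rule flags only the `/api/users/get` call from 10.0.5.77 (the engineer's list call comes from an allowlisted host), and the second flags operator2's three failures followed by a success; engineer2's single typo stays below the threshold. Tune TRUSTED_SOURCES and the threshold to your plant, and correlate the two findings on source address: a user-API call from the same host that just brute-forced its way in is the sequence this CVE enables.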