PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-45147 Siemens CVE debrief

CVE-2022-45147 is a high-severity deserialization vulnerability in Siemens SIMATIC engineering software products, published by CISA on July 9, 2024. The vulnerability stems from improper restrictions on the .NET BinaryFormatter during deserialization of user-controllable input, enabling attackers to achieve type confusion and execute arbitrary code within affected applications. This represents a well-known class of vulnerabilities in .NET applications where BinaryFormatter deserialization of untrusted data can lead to remote code execution. The vulnerability affects four Siemens products: SIMATIC PCS neo V4.0, SIMATIC STEP 7 V16, SIMATIC STEP 7 V17, and SIMATIC STEP 7 V18. Siemens has provided a vendor fix only for STEP 7 V18 (Update 2 or later), while explicitly stating no fix is planned for the other three affected products. For unpatched versions, the primary mitigation is to avoid opening untrusted files from unknown sources. The CVSS 3.1 score of 7.8 reflects high impacts to confidentiality, integrity, and availability, with a local attack vector requiring user interaction. Organizations running affected Siemens industrial control system engineering software should prioritize upgrading to STEP 7 V18 Update 2 where possible, and implement strict file handling policies for unpatched systems.

Vendor: Siemens
Product: SIMATIC PCS neo V4.0
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-07-09
Original CVE updated: 2024-07-09
Advisory published: 2024-07-09
Advisory updated: 2024-07-09

Who should care

Organizations operating Siemens SIMATIC PCS neo or STEP 7 engineering workstations in industrial environments, particularly those in critical infrastructure sectors. Security teams responsible for OT/ICS asset management and patch deployment should prioritize assessment of affected systems.

Technical summary

The vulnerability exists in the .NET BinaryFormatter deserialization implementation within Siemens SIMATIC engineering software. When user-controllable input is deserialized without proper type restrictions, attackers can manipulate the object graph to cause type confusion, leading to arbitrary code execution in the context of the affected application. This vulnerability class is documented in Microsoft security guidance CA2300. The attack requires local access with user interaction (opening a malicious file), but successful exploitation yields complete compromise of confidentiality, integrity, and availability.
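To make the CA2300 pattern concrete, here is an added illustration (not Siemens code; the ProjectHeader type, the file paths and a .NET 6 or later target are assumptions) of the vulnerable BinaryFormatter loader beside a hardened loader in which the application, not the file, fixes the target type:

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Constructed stand-in for a header record an engineering tool might persist in a
// project file. Hypothetical type; not a Siemens type.
[Serializable]
public sealed class ProjectHeader
{
    public string Name { get; set; } = "";
    public int Version { get; set; }
}

public static class ProjectLoader
{
    // Vulnerable pattern flagged by CA2300: BinaryFormatter reads type names from the
    // stream, so a crafted file decides which types are instantiated and which
    // constructors, setters and deserialization callbacks run, all before the cast to
    // ProjectHeader is checked. That is the type-confusion path the advisory describes.
    // On .NET 8 and later this call throws unless the unsafe compatibility switch is
    // enabled; the obsoletion warning SYSLIB0011 is suppressed here only to show the bug.
    public static ProjectHeader LoadUnsafe(string path)
    {
        using var fs = File.OpenRead(path);
#pragma warning disable SYSLIB0011
        var formatter = new BinaryFormatter();
        return (ProjectHeader)formatter.Deserialize(fs);
#pragma warning restore SYSLIB0011
    }

    // Hardened pattern: the target type is declared by the code. JSON carries no type-name
    // records, so an untrusted file can only populate ProjectHeader's own properties;
    // anything else is a parse error rather than code execution. MaxDepth bounds nesting
    // so a malformed file cannot exhaust the stack either.
    public static ProjectHeader LoadSafe(string path)
    {
        using var fs = File.OpenRead(path);
        var options = new JsonSerializerOptions { MaxDepth = 16 };
        return JsonSerializer.Deserialize<ProjectHeader>(fs, options)
               ?? throw new InvalidDataException("empty or null project header");
    }

    // Writer for the safe format, so existing data can be migrated off BinaryFormatter.
    public static void SaveSafe(string path, ProjectHeader header)
    {
        using var fs = File.Create(path);
        JsonSerializer.Serialize(fs, header);
    }
}
```

A SerializationBinder allow-list on BinaryFormatter narrows the attack surface for legacy code that cannot change formats, but Microsoft's guidance is that BinaryFormatter cannot be made safe for untrusted input, which is why the hardened loader replaces it outright.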

Defensive priority

high

Recommended defensive actions

  • Upgrade SIMATIC STEP 7 V18 to Update 2 or later version to address this vulnerability
  • For SIMATIC PCS neo V4.0, STEP 7 V16, and STEP 7 V17, implement strict policies to prevent opening untrusted files from unknown sources
  • Apply defense-in-depth controls including network segmentation for engineering workstations running affected Siemens software
  • Monitor for suspicious file handling activity on systems running unpatched versions
  • Review and implement CISA ICS recommended practices for industrial control system security

Evidence notes

CVE and source advisory both published 2024-07-09 per CISA CSAF advisory ICSA-24-193-17. Vendor fix available only for SIMATIC STEP 7 V18; no fix planned for SIMATIC PCS neo V4.0, STEP 7 V16, or STEP 7 V17.

Official resources

2024-07-09