PatchSiren cyber security CVE debrief

CVE-2023-32735 Siemens CVE debrief

CVE-2023-32735 is a medium-severity vulnerability (CVSS 6.5) affecting 27 Siemens industrial automation products across the TIA Portal ecosystem, published on 2024-07-09. The vulnerability stems from improper restrictions on the .NET BinaryFormatter during deserialization of hardware configuration profiles, enabling type confusion and arbitrary code execution within affected applications. This represents a known insecure deserialization pattern documented in Microsoft's CA2300 security guidance. The attack vector requires local access with high privileges and user interaction, though successful exploitation yields complete confidentiality, integrity, and availability compromise. Siemens has released patches for most affected products, with version-specific updates required: V16 Update 7 or later for STEP 7 Safety V16, STEP 7 V16, WinCC Unified V16, SIMOCODE ES V16, and Soft Starter ES V16; V16.7 or later for WinCC V16; V17 Update 7 or later for STEP 7 Safety V17, STEP 7 V17, WinCC Unified V17, SIMOCODE ES V17, SIRIUS Safety ES V17, and SIRIUS Soft Starter ES V17; V17.7 or later for WinCC V17; and V18 Update 2 or later for STEP 7 Safety V18, STEP 7 V18, WinCC Unified V18, WinCC V18, SIMOCODE ES V18, SIRIUS Safety ES V18, SIRIUS Soft Starter ES V18, and TIA Portal Cloud V3.0. Notably, no fixes are planned for SIMOTION SCOUT TIA versions (V5.4 SP1, V5.4 SP3, V5.5 SP1) and SINAMICS Startdrive versions (V16-V18), leaving these products permanently exposed. CISA and Siemens recommend avoiding untrusted files from unknown sources as a mitigation measure where patching is unavailable.

Vendor: Siemens
Product: SIMATIC STEP 7 Safety V16
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-07-09
Original CVE updated: 2024-07-09
Advisory published: 2024-07-09
Advisory updated: 2024-07-09

Who should care

Industrial control system engineers, OT security architects, manufacturing security teams, critical infrastructure operators using Siemens automation platforms, and asset owners with TIA Portal deployments should prioritize this vulnerability. Organizations running SIMOTION SCOUT TIA or SINAMICS Startdrive without planned fixes face permanent exposure requiring compensating controls. Security teams should coordinate with plant engineering to schedule maintenance windows for patching given the 27 affected product variants and version-specific update requirements.

Technical summary

The vulnerability exists in how affected Siemens applications handle hardware configuration profile deserialization using .NET's BinaryFormatter class. BinaryFormatter is a known-dangerous serialization mechanism that performs full type reconstruction without adequate security controls, enabling attackers to craft malicious serialized objects that instantiate arbitrary types during deserialization. The type confusion arises when the deserializer instantiates attacker-controlled types rather than expected configuration objects, potentially leading to gadget chain execution and arbitrary code within the application context. This vulnerability class is well-documented in .NET security literature and represents a fundamental design weakness in BinaryFormatter that Microsoft has deprecated. The attack requires an attacker to supply a malicious hardware configuration file and convince a privileged user to open it in the affected engineering software. Successful exploitation occurs within the application's process space, granting the attacker the same privileges as the running TIA Portal instance, which typically runs with elevated permissions on engineering workstations.
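The pattern described above, as an added illustration that is not Siemens code and not the affected product's implementation: a hypothetical HardwareProfile type loaded first through BinaryFormatter (the CA2300 pattern, where the file names the types that get instantiated) and then through a data-only serializer bound to one concrete type, plus a size cap and a range check on the decoded values. File paths, type names and limits are assumptions for the example.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization.Formatters.Binary;
using System.Text.Json;

// Hypothetical hardware-profile type for the example; not a Siemens type.
public sealed class HardwareProfile
{
    public string DeviceName { get; set; } = "";
    public string FirmwareVersion { get; set; } = "";
    public int SlotCount { get; set; }
}

public static class ProfileLoader
{
    // VULNERABLE PATTERN (Microsoft CA2300): BinaryFormatter reconstructs whatever
    // types the stream names, so a crafted file decides which types are created
    // during deserialization. Shown only to make the shape of the bug visible.
    // On current .NET the class is obsolete (SYSLIB0011) and disabled by default.
    public static HardwareProfile LoadUnsafe(string path)
    {
        using var fs = File.OpenRead(path);
#pragma warning disable SYSLIB0011
        var formatter = new BinaryFormatter();
        return (HardwareProfile)formatter.Deserialize(fs);
#pragma warning restore SYSLIB0011
    }

    // HARDENED PATTERN: a data-only serializer bound to one concrete target type.
    // The input can only populate HardwareProfile's properties; it cannot select
    // types, so there is no type reconstruction for a crafted file to abuse.
    private const long MaxProfileBytes = 1024 * 1024; // assumed limit

    public static HardwareProfile LoadSafe(string path)
    {
        var info = new FileInfo(path);
        if (info.Length > MaxProfileBytes)
            throw new InvalidDataException("profile exceeds size limit");

        using var fs = File.OpenRead(path);
        var profile = JsonSerializer.Deserialize<HardwareProfile>(fs)
                      ?? throw new InvalidDataException("empty profile");

        // Validate decoded values before they reach configuration logic.
        if (profile.SlotCount < 0 || profile.SlotCount > 64)
            throw new InvalidDataException("slot count out of range");
        if (string.IsNullOrWhiteSpace(profile.DeviceName))
            throw new InvalidDataException("device name missing");
        return profile;
    }
}
```

Replacing the serializer, rather than filtering types with a SerializationBinder, is the remediation Microsoft recommends for this class, since binders do not make BinaryFormatter safe.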

Defensive priority

High

Recommended defensive actions

  • Apply vendor-supplied updates immediately for all supported product versions per Siemens SSA-779936 guidance
  • For SIMOTION SCOUT TIA and SINAMICS Startdrive products where no fix is planned, implement strict file source validation and avoid opening any hardware configuration profiles from untrusted origins
  • Restrict user privileges on engineering workstations to reduce attack surface where local access is required
  • Monitor for anomalous process execution within TIA Portal environments indicating potential deserialization exploitation
  • Review and harden .NET deserialization configurations in accordance with Microsoft CA2300 security guidelines
  • Segment engineering networks from operational technology networks to contain potential compromise
  • Establish asset inventory to identify unpatched or end-of-life Siemens products requiring compensating controls

Evidence notes

Vulnerability description and affected product list derived from CISA CSAF advisory ICSA-24-193-13. CVSS vector and remediation details sourced from Siemens SSA-779936. Patch availability status confirmed through CSAF remediation categories. No KEV listing or known ransomware campaign use identified.
