PatchSiren cyber security CVE debrief

CVE-2023-32737 Siemens CVE debrief

CVE-2023-32737 is a deserialization vulnerability in Siemens SIMATIC STEP 7 Safety V18 where the application fails to properly restrict the .NET BinaryFormatter when processing user-controllable input. This weakness enables type confusion attacks that can lead to arbitrary code execution within the affected engineering environment. The vulnerability stems from the same underlying issue documented in Microsoft's CA2300 security guidance regarding BinaryFormatter deserialization risks. The attack requires local access with high privileges and user interaction, reflecting a constrained but serious attack surface in industrial control system environments where engineering workstations may process untrusted project files or removable media.

Vendor: Siemens
Product: SIMATIC STEP 7 Safety V18
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-07-09
Original CVE updated: 2024-07-09
Advisory published: 2024-07-09
Advisory updated: 2024-07-09

Who should care

Industrial control system security teams, OT security architects, Siemens TIA Portal administrators, PLC programmers and engineers, manufacturing security operations centers, critical infrastructure asset owners using SIMATIC STEP 7 Safety for safety instrumented system programming

Technical summary

The vulnerability exists in the deserialization path of SIMATIC STEP 7 Safety V18, where user-controllable input is passed to the .NET BinaryFormatter without adequate restrictions. BinaryFormatter is a known-dangerous serialization mechanism in .NET: it performs full type deserialization, so an attacker who controls the stream can craft a payload that makes it instantiate arbitrary types. The type confusion arises when the deserializer instantiates attacker-controlled types that chain into dangerous operations. Successful exploitation yields arbitrary code execution in the security context of the STEP 7 Safety application. The CVSS 3.1 vector (AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C) indicates a local attack vector, high attack complexity, high privileges required and user interaction required, which suggests that exploitation likely depends on social engineering or insider access to introduce malicious project files or MMC card content.
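As an added illustration of the CA2300 pattern the summary describes (a constructed example, not Siemens code and not a description of how STEP 7 Safety is implemented), the unrestricted load is shown beside the same load behind a SerializationBinder allowlist; ProjectHeader, the loader classes and the .NET Framework 4.x target are assumptions. Microsoft's guidance is that BinaryFormatter cannot be made safe and should be replaced outright; the binder narrows the type surface, it does not remove the risk.

```csharp
using System;
using System.IO;
using System.Runtime.Serialization;
using System.Runtime.Serialization.Formatters.Binary;

// Constructed example, not Siemens code. Assumes .NET Framework 4.x, where BinaryFormatter
// is still available without opt-in. ProjectHeader and the loader classes are hypothetical.
[Serializable]
public sealed class ProjectHeader { public string Name; public int Version; }

// CA2300 pattern: bytes read from a project file or removable medium go straight into
// BinaryFormatter, which instantiates whatever type the stream names.
public static class UnsafeLoader
{
    public static object Load(byte[] untrusted)
    {
        var formatter = new BinaryFormatter();   // no Binder: any type in the stream resolves
        using (var ms = new MemoryStream(untrusted)) return formatter.Deserialize(ms);
    }
}
// Mitigation: a SerializationBinder that resolves only an explicit allowlist and throws for
// anything else, before a constructor or setter of the unexpected type can run. Returning
// null would fall back to default type resolution, so it must throw instead.
public sealed class AllowListBinder : SerializationBinder
{
    public override Type BindToType(string assemblyName, string typeName)
    {
        if (typeName == typeof(ProjectHeader).FullName) return typeof(ProjectHeader);
        throw new SerializationException("Rejected type in stream: " + typeName);
    }
}
public static class HardenedLoader
{
    public static ProjectHeader Load(byte[] untrusted)
    {
        var formatter = new BinaryFormatter { Binder = new AllowListBinder() };
        using (var ms = new MemoryStream(untrusted)) return (ProjectHeader)formatter.Deserialize(ms);
    }
}
public static class Demo
{
    static byte[] Serialize(object o) { var ms = new MemoryStream(); new BinaryFormatter().Serialize(ms, o); return ms.ToArray(); }
    public static void Main()
    {
        byte[] good = Serialize(new ProjectHeader { Name = "Line1_Safety", Version = 18 });
        Console.WriteLine(HardenedLoader.Load(good).Name);    // accepted: allowlisted type
        byte[] other = Serialize(new Version(1, 0));           // benign type outside the allowlist
        try { HardenedLoader.Load(other); }
        catch (SerializationException e) { Console.WriteLine(e.Message); }  // rejected before any instantiation
    }
}
```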

Defensive priority

High

Recommended defensive actions

  • Apply vendor fix: Update SIMATIC STEP 7 Safety V18 to Update 2 or later version
  • Implement operational control: Avoid uploading PLC software from untrusted devices or MMC cards
  • Review engineering workstation security: Restrict physical and logical access to STEP 7 installations
  • Audit project file handling: Validate source integrity of all imported PLC projects before deserialization
  • Monitor for anomalous process execution: Alert on unexpected child processes spawned by TIA Portal or STEP 7 Safety components
  • Reference Microsoft CA2300 guidance for additional .NET deserialization hardening recommendations

Evidence notes

Vulnerability disclosed via CISA ICS advisory ICSA-24-193-12 with Siemens security advisory SSA-313039. CVSS 3.1 vector confirms local attack vector with high complexity and privilege requirements. Microsoft CA2300 reference establishes this as a known .NET deserialization pattern.
