Vulnerability Description
A vulnerability has been identified in SIMATIC Automation Tool (All versions < V4 SP2), SIMATIC NET PC Software V14 (All versions < V14 SP1 Update 14), SIMATIC NET PC Software V15 (All versions), SIMATIC NET PC Software V16 (All versions < V16 Upd3), SIMATIC PCS neo (All versions < V3.0 SP1), SIMATIC ProSave (All versions < V17), SIMATIC S7-1500 Software Controller (All versions < V21.8), SIMATIC STEP 7 (TIA Portal) V13 (All versions < V13 SP2 Update 4), SIMATIC STEP 7 (TIA Portal) V14 (All versions < V14 SP1 Update 10), SIMATIC STEP 7 (TIA Portal) V15 (All versions < V15.1 Update 5), SIMATIC STEP 7 (TIA Portal) V16 (All versions < V16 Update 2), SIMATIC STEP 7 V5 (All versions < V5.6 SP2 HF3), SIMATIC WinCC OA V3.16 (All versions < V3.16 P018), SIMATIC WinCC OA V3.17 (All versions < V3.17 P003), SIMATIC WinCC Runtime Advanced (All versions < V16 Update 2), SIMATIC WinCC Runtime Professional V13 (All versions < V13 SP2 Update 4), SIMATIC WinCC Runtime Professional V14 (All versions < V14 SP1 Update 10), SIMATIC WinCC Runtime Professional V15 (All versions < V15.1 Update 5), SIMATIC WinCC Runtime Professional V16 (All versions < V16 Update 2), SIMATIC WinCC V7.4 (All versions < V7.4 SP1 Update 14), SIMATIC WinCC V7.5 (All versions < V7.5 SP1 Update 3), SINAMICS STARTER (All Versions < V5.4 HF2), SINAMICS Startdrive (All Versions < V16 Update 3), SINEC NMS (All versions < V1.0 SP2), SINEMA Server (All versions < V14 SP3), SINUMERIK ONE virtual (All Versions < V6.14), SINUMERIK Operate (All Versions < V6.14). A common component used by the affected applications regularly calls a helper binary with SYSTEM privileges while the call path is not quoted. This could allow a local attacker to execute arbitrary code with SYTEM privileges.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Siemens | Simatic Automatic Tool | All versions |
| Siemens | Simatic Net Pc | < 16 |
| Siemens | Simatic Pcs 7 | All versions |
| Siemens | Simatic Pcs Neo | All versions |
| Siemens | Simatic Prosave | All versions |
| Siemens | Simatic S7-1500 Software Controller | < 21.8 |
| Siemens | Simatic Step 7 | < 5.6 |
| Siemens | Simatic Wincc | < 7.4 |
| Siemens | Simatic Wincc Open Architecture | 3.16 |
| Siemens | Simatic Wincc Runtime Advanced | All versions |
| Siemens | Simatic Wincc Runtime Professional | >= 13, <= 16 |
| Siemens | Sinamics Startdrive | All versions |
| Siemens | Sinamics Starter Commissioning Tool | All versions |
| Siemens | Sinec Network Management System | All versions |
| Siemens | Sinema Server | All versions |
| Siemens | Sinumerik One Virtual | All versions |
| Siemens | Sinumerik Operate | All versions |
Related Weaknesses (CWE)
References
- https://cert-portal.siemens.com/productcert/pdf/ssa-312271.pdfVendor Advisory
- https://us-cert.cisa.gov/ics/advisories/icsa-20-161-04Third Party AdvisoryUS Government Resource
- https://cert-portal.siemens.com/productcert/pdf/ssa-312271.pdfVendor Advisory
- https://us-cert.cisa.gov/ics/advisories/icsa-20-161-04Third Party AdvisoryUS Government Resource
FAQ
What is CVE-2020-7580?
CVE-2020-7580 is a vulnerability with a CVSS score of 6.7 (MEDIUM). A vulnerability has been identified in SIMATIC Automation Tool (All versions < V4 SP2), SIMATIC NET PC Software V14 (All versions < V14 SP1 Update 14), SIMATIC NET PC Software V15 (All versions), SIMA...
How severe is CVE-2020-7580?
CVE-2020-7580 has been rated MEDIUM with a CVSS base score of 6.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-7580?
Check the references section above for vendor advisories and patch information. Affected products include: Siemens Simatic Automatic Tool, Siemens Simatic Net Pc, Siemens Simatic Pcs 7, Siemens Simatic Pcs Neo, Siemens Simatic Prosave.