search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Siemens Totally Integrated Automation Portal vulnerable to privilege escalation due to Node.js paths

Vulnerability Note VU#466044

Original Release Date: 2021-02-09 | Last Revised: 2021-02-09

Overview

Siemens Totally Integrated Administrator (TIA) fails to properly set the module search path to be used by a privileged Node.js component, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges. The PCS neo administration console is reported to be affected as well.

Description

Siemens TIA runs a privileged Node.js component. The Node.js server fails to properly set the module search path. Because of this, Node.js will look for modules in the C:\node_modules\ directory when the server is started. Because unprivileged Windows users can create subdirectories off of the system root, a user can create this directory and place a specially-crafted .js file in it to achieve arbitrary code execution with SYSTEM privileges when the server starts.

Impact

By placing a specially-crafted JS file in the C:\node_modules\ directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Siemens TIA or PCS neo administration console software installed.

Solution

Apply an update

This issue is addressed in TIA Administrator V1.0 SP2 Upd2. PCS neo administration console users should apply the mitigations described in Industrial Security in SIMATIC PCS neo.

For more details see Siemens Security Advisory SSA-428051.

Acknowledgements

This vulnerability was reported by Will Dormann of the CERT/CC.

This document was written by Will Dormann.

Vendor Information

466044
 

Siemens Affected

Notified:  2020-10-12 Updated: 2021-02-09

Statement Date:   February 09, 2021

CVE-2020-25238 Affected

Vendor Statement

For details refer to Siemens Security Advisory SSA-428051

References


Other Information

CVE IDs: CVE-2020-25238
Date Public: 2021-02-09
Date First Published: 2021-02-09
Date Last Updated: 2021-02-09 17:45 UTC
Document Revision: 4

Sponsored by CISA.