SIEMENS-SSA-111512  ·  Published 2022-06-21

SSA-111512 V1.0: Client-side Authentication in SIMATIC WinCC OA

CVSS N/A MEDIUM

Risk Summary

SIMATIC WinCC OA implements client-side-only authentication when neither server-side authentication (SSA) nor Kerberos authentication is enabled. In this configuration, attackers could impersonate other users or exploit the client-server protocol without being authenticated.

Siemens recommends enabling server-side authentication (SSA) or Kerberos authentication for all WinCC OA projects, as documented in the WinCC OA Security Guideline. In SIMATIC WinCC OA, server-side authentication has been available since V3.15 (and has been offered as the default configuration since V3.17). Additional information can be found at: https://cert-portal.siemens.com/productcert/news.html?id=21.

Remediations

  • Refer to the Siemens ProductCERT advisory for patch and remediation guidance.

Affected Vendors

Siemens

Affected Products (1)

Siemens · SSA-111512 V1.0: Client-side Authentication in SIMATIC WinCC OA
