CVE-2023-32735

Vulnerability

Overview

CVE-2023-32735 is a deserialization vulnerability in the .NET BinaryFormatter used by numerous Siemens TIA Portal engineering platforms. The affected applications do not properly restrict the BinaryFormatter when deserializing user-controllable input, specifically hardware configuration profiles. This allows an attacker to cause a type confusion, which can lead to arbitrary code execution within the context of the affected application [1]. The root cause is the same known issue associated with .NET BinaryFormatter, which has been documented by Microsoft as code quality rule CA2300 [1].

Attack

Vector and Prerequisites

The vulnerability can be exploited by an attacker who provides a malicious hardware configuration profile to an affected system. No special network access or authentication is required beyond the ability to deliver the crafted profile to the user or the system (e.g., via email, file share, or web download). If the user opens the file in the vulnerable application, the deserialization process triggers the type confusion, enabling code execution [1].

Impact

Successful exploitation allows an attacker to execute arbitrary code on the local machine within the application's security context. This could lead to full compromise of the engineering workstation, theft of intellectual property, modification of project files, or further propagation within an industrial control system environment [1].

Mitigations

Siemens has released software updates for several affected products (e.g., V16 Update 7, V17 Update 7, V18 Update 2) and recommends updating to the latest versions. For products where a fix is not yet available, Siemens advises avoiding opening untrusted files from unknown sources in the affected applications. General security recommendations include protecting network access to devices and following Siemens operational guidelines for industrial security [1].