VDB
GCVE-110-CERTCC-2021-466044
GCVE-110-CERTCC-2021-466044
Advisory Published
### Overview
Siemens Totally Integrated Administrator (TIA) fails to properly set the module search path to be used by a privileged Node.js component, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges. The PCS neo administration console is reported to be affected as well.
### Description
Siemens TIA runs a privileged Node.js component. The Node.js server fails to properly set the module search path. Because of this, Node.js will look for modules in the `C:\node_modules\` directory when the server is started. Because unprivileged Windows users can create subdirectories off of the system root, a user can create this directory and place a specially-crafted `.js` file in it to achieve arbitrary code execution with SYSTEM privileges when the server starts.
### Impact
By placing a specially-crafted JS file in the `C:\node_modules\` directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Siemens TIA or PCS neo administration console software installed.
### Solution
#### Apply an update
This issue is addressed in TIA Administrator [V1.0 SP2 Upd2](https://support.industry.siemens.com/cs/ww/en/view/114358/). PCS neo administration console users should apply the mitigations described in [Industrial Security in SIMATIC PCS neo](https://support.industry.siemens.com/cs/ww/en/view/109771524).
For more details see Siemens Security Advisory [SSA-428051](https://cert-portal.siemens.com/productcert/pdf/ssa-428051.pdf).
### Acknowledgements
This vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann.
Aliases
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.