VDB

GCVE-110-CERTCC-2021-466044

GCVE-110-CERTCC-2021-466044
Advisory Published
Vulnetix · Advisory published February 9, 2021
### Overview Siemens Totally Integrated Administrator (TIA) fails to properly set the module search path to be used by a privileged Node.js component, which can allow an unprivileged Windows user to run arbitrary code with SYSTEM privileges. The PCS neo administration console is reported to be affected as well. ### Description Siemens TIA runs a privileged Node.js component. The Node.js server fails to properly set the module search path. Because of this, Node.js will look for modules in the `C:\node_modules\` directory when the server is started. Because unprivileged Windows users can create subdirectories off of the system root, a user can create this directory and place a specially-crafted `.js` file in it to achieve arbitrary code execution with SYSTEM privileges when the server starts. ### Impact By placing a specially-crafted JS file in the `C:\node_modules\` directory, an unprivileged user may be able to execute arbitrary code with SYSTEM privileges on a Windows system with the vulnerable Siemens TIA or PCS neo administration console software installed. ### Solution #### Apply an update This issue is addressed in TIA Administrator [V1.0 SP2 Upd2](https://support.industry.siemens.com/cs/ww/en/view/114358/). PCS neo administration console users should apply the mitigations described in [Industrial Security in SIMATIC PCS neo](https://support.industry.siemens.com/cs/ww/en/view/109771524). For more details see Siemens Security Advisory [SSA-428051](https://cert-portal.siemens.com/productcert/pdf/ssa-428051.pdf). ### Acknowledgements This vulnerability was reported by Will Dormann of the CERT/CC. This document was written by Will Dormann.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›