CISA issues alert on Festo Didactic products TIA-Portal vulnerability
Affected Festo Didactic equipment incorporating Siemens Totally Integrated Automation Portal (TIA Portal) software contains a vulnerability involving improper input validation that may lead to unauthorized file creation or overwriting and execution of arbitrary code.
The vulnerability, identified as CVE-2023-26293, impacts Siemens TIA-Portal versions V15, V16, V17, and V18 installed on specific Festo hardware platforms including Manufacturing Execution System (MES) Process Control System (PCS) and TP260 devices. Specifically, the affected versions are Siemens TIA-Portal V15 prior to V17 Update 6 and V18 prior to V18 Update 1. The flaw is a path traversal vulnerability triggered when a user opens a malicious PC system configuration file, enabling arbitrary code execution without prior authorization. The associated Common Vulnerability Scoring System (CVSS) v3.1 base score is 7.8, with attack vector local, attack complexity low, no privileges required, user interaction required, unchanged scope, and high confidentiality, integrity, and availability impacts.
Exploitation of this vulnerability allows attackers to create or overwrite arbitrary files within the engineering system, which could facilitate arbitrary code execution. The vulnerability is not remotely exploitable and requires user interaction such as opening a crafted file.
Festo recommends updating affected TIA-Portal software as detailed in Siemens Service Security Advisory SSA-116924. Further information is available in Festo's security advisory FSA-202303. Users should refer to these advisories for specific update procedures.
CISA advises users to avoid engaging with unsolicited email attachments or links, referring to its guidance on email scams and social engineering attacks. The agency emphasizes performing thorough impact analysis and risk assessments before implementing defensive actions. Additional recommended controls and best practices for industrial control systems cybersecurity are accessible on the CISA website. Organizations are encouraged to report suspected malicious activity according to internal protocols and to submit findings to CISA for incident correlation.