Insufficient Script Limitation in SIMATIC WinCC OA UI Affects Android and iOS
CVE-2018-4844
Key Information:
- Vendor: Siemens
- CVE Published: 20 March 2018
Summary
A vulnerability exists in the SIMATIC WinCC OA UI for Android and iOS: insufficient limitations on CONTROL script capabilities may lead to unauthorized read and write access between project cache folders. The risk arises when a user unwittingly connects to a malicious WinCC OA server. Exploitation requires user interaction and allows attackers to manipulate app data on the mobile device. The issue affects all versions earlier than V3.15.10. As of the advisory's release, no public exploits had been recorded. Siemens has provided mitigations to address this security concern.
Affected Version(s)
- SIMATIC WinCC OA UI for Android: All versions < V3.15.10
- SIMATIC WinCC OA UI for iOS: All versions < V3.15.10