Siemens CP 1604 and CP 1616 Improper Access Control
Low Risk | ICS-CERT ICSA-13-084-01 | Dec 27, 2013
Summary
The Siemens CP 1604 and CP 1616 communication processors contain an improper access control vulnerability. These devices fail to enforce authentication on their management and S7 protocol interfaces, allowing unauthenticated remote users to read device configuration, modify settings, or trigger operational changes on the host SIMATIC IPC. The vulnerability affects CP 1604/1604 Microbox packages and CP 1604/1616 onboard cards in SIMATIC IPCs running firmware versions earlier than 2.5.2.
What this means
What could happen
An attacker with network access to the CP 1604 or CP 1616 communication processor could bypass authentication controls and gain unauthorized access to configure or manipulate SIMATIC industrial PCs, potentially disrupting plant operations or altering process parameters.
Who's at risk
Water authorities and electric utilities using SIMATIC industrial PCs with CP 1604 or CP 1616 communication processors (embedded or onboard card versions). These devices are commonly used in HMI/SCADA systems, process control racks, and distributed I/O hubs. Affects both legacy microbox packages and modern IPC configurations.
How it could be exploited
An attacker on the network sends unauthenticated commands to the CP 1604/1616 communication processor on port 102 (S7 protocol) or management interfaces. The device fails to enforce proper access controls, allowing the attacker to read/write device configuration without credentials, then trigger PLC reboot, configuration changes, or stop industrial processes running on the host SIMATIC IPC.
Prerequisites
- Network access to the CP 1604 or CP 1616 communication processor
- Device running firmware version earlier than 2.5.2
- CP 1604/1616 must be installed in or connected to the SIMATIC IPC
Tags: remotely exploitable, no authentication required, no patch available, improper access control
Exploitability
Moderate exploit probability (EPSS 2.1%)
Affected products (2)
1 pending, 1 EOL
Product | Affected Versions | Fix Status
CP 1604 and CP 1616 onboard card of SIMATIC IPCs | <2.5.2 | No fix yet
CP 1604 and CP 1604 Microbox package | <2.5.2 | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Implement network-level access controls (firewall rules) to block inbound S7 communication (port 102) to the CP 1604/1616 from untrusted network segments.
WORKAROUND: Disable remote management interfaces on the CP 1604/1616 if they are not actively used for engineering.
Mitigations - no patch available
CP 1604 and CP 1604 Microbox package: <2.5.2 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Segment the network to restrict access to CP 1604/1616 devices. Place industrial PCs and communication processors on an isolated VLAN with firewall rules that only allow authorized engineering workstations and SCADA servers to communicate with them.
HARDENING: Monitor network traffic to the CP 1604/1616 for unauthorized access attempts using IDS/IPS rules for S7 protocol anomalies.
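The two controls above (an allowlist-based firewall rule for TCP/102 and monitoring for S7 access from unauthorized hosts) can be expressed in code. The following is an added example, not part of the advisory or any Siemens tooling: it audits constructed flow-log lines for S7 (port 102) connections to the CP devices from sources outside the engineering/SCADA allowlist, and emits the matching nftables allowlist rule set. All addresses, the log format, and the table/chain names are assumptions chosen for illustration.

```python
"""Audit flow logs for S7 (TCP/102) access to CP 1604/1616 devices from
non-allowlisted sources, and render the equivalent nftables allowlist.
Added example; every address and log line here is constructed."""
import ipaddress
from dataclasses import dataclass

# Assumed addresses of the CP 1604/1616 communication processors (constructed).
CP_DEVICES = {"10.10.5.21", "10.10.5.22"}
# Assumed engineering workstation subnet and SCADA server allowed to talk S7 (constructed).
ALLOWED_SOURCES = [
    ipaddress.ip_network("10.10.1.0/24"),
    ipaddress.ip_network("10.10.2.10/32"),
]
S7_PORT = 102  # ISO-TSAP, carries the S7 protocol (from the advisory)

# Constructed flow log: "<timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto>"
SAMPLE_LOG = """\
2013-12-27T08:01:12Z 10.10.1.15 51234 10.10.5.21 102 tcp
2013-12-27T08:02:40Z 10.10.2.10 45000 10.10.5.22 102 tcp
2013-12-27T08:03:05Z 192.168.77.9 60111 10.10.5.21 102 tcp
2013-12-27T08:03:06Z 192.168.77.9 60112 10.10.5.21 80 tcp
2013-12-27T08:04:00Z 10.10.1.15 51300 10.10.5.21 102 udp
malformed line here
"""


@dataclass(frozen=True)
class Alert:
    timestamp: str
    src: str
    dst: str
    reason: str


def parse_flow(line):
    """Return (timestamp, src, dst, dst_port, proto) or None for unparseable lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, src, _sport, dst, dport, proto = parts
    try:
        ipaddress.ip_address(src)
        ipaddress.ip_address(dst)
        dport = int(dport)
    except ValueError:
        return None
    return ts, src, dst, dport, proto.lower()


def is_allowed_source(src):
    """True if src falls inside one of the allowlisted engineering/SCADA networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ALLOWED_SOURCES)


def audit_s7_access(log_text):
    """Flag TCP/102 flows to a CP device whose source is not on the allowlist."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the audit
        ts, src, dst, dport, proto = rec
        if dst not in CP_DEVICES or dport != S7_PORT or proto != "tcp":
            continue
        if not is_allowed_source(src):
            alerts.append(Alert(ts, src, dst, "S7 access from non-allowlisted source"))
    return alerts


def nft_ruleset():
    """Render an nftables forward-chain allowlist: permit TCP/102 to the CP devices
    only from ALLOWED_SOURCES, drop every other S7 attempt (table/chain names assumed)."""
    devices = ", ".join(sorted(CP_DEVICES))
    sources = ", ".join(str(n.network_address) if n.prefixlen == 32 else str(n)
                        for n in ALLOWED_SOURCES)
    return (
        "table inet ics_filter {\n"
        "  chain forward {\n"
        "    type filter hook forward priority 0; policy accept;\n"
        f"    ip daddr {{ {devices} }} tcp dport {S7_PORT} ip saddr {{ {sources} }} accept\n"
        f"    ip daddr {{ {devices} }} tcp dport {S7_PORT} drop\n"
        "  }\n"
        "}\n"
    )


if __name__ == "__main__":
    for a in audit_s7_access(SAMPLE_LOG):
        print(f"{a.timestamp} {a.src} -> {a.dst}: {a.reason}")
    print(nft_ruleset())
```

Run against the constructed log, only the 192.168.77.9 flow to port 102 is flagged; the UDP line and the port-80 line are ignored because the control is scoped to S7 over TCP. The rendered rule set is a starting point for the firewall between the engineering VLAN and the CP devices; it must be placed on the forwarding path and reviewed against the real addressing plan before loading.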
CVEs (1)