Siemens SIMATIC Communication Processor Vulnerability (Update C)
Plan PatchCVSS 9.8ICS-CERT ICSA-15-335-03Nov 27, 2015
Siemens
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
SIMATIC CP and TIM devices contain an authentication bypass vulnerability that allows unauthenticated network users to perform administrative operations on the device. The vulnerability affects multiple Communication Processor and Ethernet module product families used in industrial control networks. Siemens has released firmware updates for CP 343-1, CP 443-1, and TIM 3V-IE/TIM 4R-IE families. Several product variants (CP 342-5, CP 443-5 Basic/Extended) have no available fix and require network-based compensating controls.
What this means
What could happen
An attacker with network access to a SIMATIC CP or TIM device could bypass authentication and perform administrative operations, potentially altering communication settings, stopping data flow, or reconfiguring the device without valid credentials.
Who's at risk
Siemens SIMATIC CP (Communication Processor) and TIM (Industrial Ethernet modules) devices used in water treatment plants, electrical substations, and manufacturing facilities for network-based data communication. Affects models CP 342-5, CP 343-1, CP 443-1, CP 443-5, and TIM 3V-IE and TIM 4R-IE variants across standard, advanced, and lean configurations.
How it could be exploited
An attacker sends specially crafted network traffic to the device's administrative interface without providing credentials. The device fails to properly verify the attacker's identity and grants access to sensitive functions. This allows the attacker to change device configuration, disable communication, or redirect traffic.
Prerequisites
- Network access (Layer 3) to the CP or TIM device on its management port
- Device must be running an affected firmware version
- No user credentials required
Remotely exploitableNo authentication requiredLow complexityHigh CVSS score (9.8)No patch available for CP 342-5, CP 342-5 FO, CP 443-5 Basic, CP 443-5 Extended, and SIPLUS NET CP 342-5 variants
Exploitability
Some exploitation risk — EPSS score 2.9%
Affected products (25)
19 with fix6 pending
ProductAffected VersionsFix Status
SIMATIC CP 342-5All versionsNo fix yet
SIMATIC CP 342-5 FOAll versionsNo fix yet
SIMATIC CP 343-1< V3.1.13.1.1
SIMATIC CP 343-1 Advanced< V3.0.443.0.44
SIMATIC CP 343-1 Lean< V3.1.13.1.1
Remediation & Mitigation
0/12
Do now
0/1WORKAROUNDFor CP 342-5, CP 342-5 FO, CP 443-5 Basic, and CP 443-5 Extended models with no available fixes: restrict network access to the device using firewall rules or access control lists; allow only trusted engineering workstations and SCADA networks to reach the device's administrative ports
Schedule — requires maintenance window
0/9Patching may require device reboot — plan for process interruption
SIMATIC CP 343-1
HOTFIXUpdate SIMATIC CP 343-1 to firmware version 3.1.1 or later
HOTFIXUpdate SIMATIC CP 343-1 Advanced to firmware version 3.0.44 or later
HOTFIXUpdate SIMATIC CP 343-1 Lean to firmware version 3.1.1 or later
SIMATIC CP 443-1
HOTFIXUpdate SIMATIC CP 443-1 to firmware version 3.2.9 or later
HOTFIXUpdate SIMATIC CP 443-1 Advanced to firmware version 3.2.9 or later
TIM 3V-IE DNP3
HOTFIXUpdate TIM 3V-IE DNP3 to firmware version 3.1 or later
TIM 4R-IE DNP3
HOTFIXUpdate TIM 4R-IE DNP3 to firmware version 3.1 or later
All products
HOTFIXUpdate TIM 3V-IE and TIM 3V-IE Advanced to firmware version 2.6 or later
HOTFIXUpdate TIM 4R-IE to firmware version 2.6 or later
Long-term hardening
0/2HARDENINGIsolate CP and TIM devices from the Internet and business network; place them behind firewalls and on a separate industrial network segment
HARDENINGIf remote access to CP or TIM devices is required, use a VPN or jump server and restrict access to named users; avoid exposing devices directly to untrusted networks
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/30775b12-477d-4124-af4c-f9a4ec5fd900Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.