Siemens Industrial Products glibc Library Vulnerability (Update C)
Act Now | 8.1 | ICS-CERT ICSA-16-103-01C | Jan 14, 2016
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A buffer overflow vulnerability (CWE-119) exists in the glibc library used by multiple Siemens industrial products. The vulnerability allows remote code execution with high complexity requirements. Affected products include ROX II (versions 2.3.0 through 2.9.0), APE (all Linux versions), SINEMA Remote Connect (versions before 1.2), SCALANCE M-800/S615 (versions before 4.02), and Basic RT V13 (versions before V13_SP1_Update_9). No vendor patches are currently available for any of these products.
What this means
What could happen
An attacker with network access could exploit a buffer overflow in the glibc library to execute arbitrary code on affected Siemens industrial devices, potentially gaining full system control and ability to modify process operations or shut down systems.
Who's at risk
Manufacturing facilities using Siemens industrial control systems, specifically operators of ROX II remote terminal units, APE Linux-based devices, SINEMA Remote Connect gateways, SCALANCE M-800/S615 industrial switches, and Basic RT V13 automation controllers. Any facility relying on these devices for process control, remote access, or network connectivity is affected.
How it could be exploited
An attacker on the network sends a specially crafted packet or request to a vulnerable Siemens device running the affected glibc library version. The buffer overflow in glibc allows the attacker to overwrite memory and execute arbitrary code with the privileges of the running process, which may be root or the control application.
Prerequisites
- Network access to the affected Siemens device (typically internal network)
- Device must be running one of the affected product versions with the vulnerable glibc library
- No authentication required to trigger the vulnerability
- remotely exploitable
- no authentication required
- high EPSS score (93.9%)
- no patch available for any affected product
- affects industrial control systems
- buffer overflow in core library
- affects multiple device types across different functions
Exploitability
High exploit probability (EPSS 93.9%)
Affected products (5)
5 EOL
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| ROX II | ≥ V2.3.0 and ≤ V2.9.0 | No fix (EOL) |
| APE (Linux) | All versions | No fix (EOL) |
| SINEMA Remote Connect | < 1.2 | No fix (EOL) |
| SCALANCE M-800/S615 | < 4.02 | No fix (EOL) |
| Basic RT V13 | < V13 SP1 Update 9 | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Isolate or air-gap affected Siemens devices from the network where possible, especially ROX II, APE, SINEMA Remote Connect, SCALANCE M-800/S615, and Basic RT V13 systems
- HARDENING: Implement network segmentation and firewall rules to restrict access to affected devices to only trusted engineering workstations and legitimate communication paths
- WORKAROUND: Monitor affected devices for suspicious network traffic and unexpected process execution using IDS/IPS or host-based monitoring
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Contact Siemens for updated firmware or glibc patches if they become available; legacy products may not receive fixes
CVEs (1)