ICSA-18-345-02 Siemens SINUMERIK Controllers (Update A)

Act NowCVSS 10ICS-CERT ICSA-18-345-02Dec 11, 2018

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple buffer overflow and memory handling vulnerabilities in Siemens SINUMERIK controller firmware allow remote code execution without authentication. The vulnerabilities exist in the service daemon listening on default ports 4842/TCP and 5900/TCP. Exploitation could allow an attacker to gain full system control of the CNC controller. Affected versions: SINUMERIK 808D v4.7 and v4.8 (prior to v4.91), SINUMERIK 828D v4.7 (prior to v4.7 SP6 HF1), SINUMERIK 840D sl v4.7 (prior to v4.7 SP6 HF5), and SINUMERIK 840D sl v4.8 (prior to v4.8 SP3).

What this means

What could happen

An attacker with network access to a SINUMERIK controller could execute arbitrary code with full system privileges, potentially altering machine tool operations, disabling safety systems, or corrupting production programs. The CVSS score of 10 (critical) reflects the severity of unrestricted remote code execution on industrial machinery.

Who's at risk

Machine shops, job shops, manufacturing facilities, and OEMs operating Siemens SINUMERIK CNC controllers for machining centers and multi-axis lathes. This affects any site using SINUMERIK 808D, 828D, or 840D sl controllers for production operations where loss of control or malicious code execution could halt production or compromise part quality and safety.

How it could be exploited

An attacker on the network can send a specially crafted packet to the affected SINUMERIK controller on its default service ports (4842/TCP or 5900/TCP) without credentials. The vulnerability allows the attacker to bypass memory protections and execute arbitrary code directly on the controller, gaining full control of the machine tool.

Prerequisites

Network access to the SINUMERIK controller on ports 4842/TCP or 5900/TCP
No authentication required
Controller must be running an affected firmware version

remotely exploitableno authentication requiredlow complexityhigh CVSS score (10/10)high EPSS score (10.5%)affects safety systemsno patch available for some versionsdefault service ports exposed

Exploitability

Likely to be exploited — EPSS score 10.5%

Affected products (5)

5 with fix

ProductAffected VersionsFix Status

SINUMERIK 808D V4.7<V4.914.91

SINUMERIK 808D V4.8<V4.914.91

SINUMERIK 828D V4.7<V4.7 SP6 HF14.7 SP6 HF1

SINUMERIK 840D sl V4.7<V4.7 SP6 HF54.7 SP6 HF5

SINUMERIK 840D sl V4.8<V4.8 SP34.8 SP3

Remediation & Mitigation

0/8

Do now

0/2

WORKAROUNDBlock inbound traffic to ports 4842/TCP and 5900/TCP on the network interface (Port X130) at the firewall or network switch

HARDENINGRestrict administrative access to the controller to authorized engineering personnel only

Schedule — requires maintenance window

0/6

Patching may require device reboot — plan for process interruption

SINUMERIK 828D V4.7

HOTFIXUpdate SINUMERIK 828D v4.7 to version 4.7 SP6 HF1

SINUMERIK 840D sl V4.7

HOTFIXUpdate SINUMERIK 840D sl v4.7 to version 4.7 SP6 HF5

SINUMERIK 840D sl V4.8

HOTFIXUpdate SINUMERIK 840D sl v4.8 to version 4.8 SP3

All products

HOTFIXUpdate SINUMERIK 808D to firmware version 4.91 or later

HARDENINGSegment SINUMERIK controllers from the business network and place behind firewalls; isolate cells with restricted network access

HARDENINGImplement VPN encryption for any remote access to SINUMERIK controllers for maintenance or diagnostics

CVEs (10)

CVE-2018-11457 CVE-2018-11458 CVE-2018-11459 CVE-2018-11460 CVE-2018-11461 CVE-2018-11462 CVE-2018-11463 CVE-2018-11464 CVE-2018-11465 CVE-2018-11466

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/b9665e9a-a6f2-492a-8386-3e33086fe114

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.