ICSA-19-253-03_Siemens Industrial Products (Update P)

Priority: Act Now | CVSS 7.5 | ICS-CERT ICSA-19-253-03 | Sep 10, 2019
Vendor: Siemens | Sectors: Manufacturing, Transportation
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

This vulnerability (CWE-400) affects a large range of Siemens industrial communication and control products. Successful exploitation can cause denial-of-service conditions on affected devices, potentially disrupting manufacturing processes or utility operations. The vulnerability is exploitable remotely via network access with no authentication required. The flaw impacts SIMATIC ITC series controllers, SCALANCE network infrastructure (switches, routers, wireless access points), SIMATIC communication processor modules, SINUMERIK machine tool controllers, RUGGEDCOM industrial network devices, and SIMATIC RFID readers.

What this means
What could happen
Successful exploitation could cause denial-of-service on affected Siemens industrial devices, potentially interrupting manufacturing or utility operations that depend on these network communication modules or controllers.
Who's at risk
This advisory affects manufacturing and transportation facilities using Siemens industrial communication and control devices. Specifically, IT managers at plants and utilities should inventory: SIMATIC ITC series (ITC1500, ITC1900, ITC2200 models), SCALANCE network switches and routers (M-series, S-series, W-series, SC-series), SIMATIC communication processors (CP 442/443/1242/1243/1542/1543/1623/1628), SINUMERIK machine controllers, RUGGEDCOM industrial network devices, and SIMATIC RFID readers. The ITC2200 PRO product line has no patch available.
How it could be exploited
An attacker on the network can send specially crafted network traffic to affected devices without authentication, causing them to consume excessive resources or crash. The attack vector is network-based with no user interaction required, making it exploitable from any connected network segment.
Prerequisites
  • Network access to the affected device (IP reachability)
  • Device must be connected to a network and accessible from the attacker's network segment
  • No credentials or special configuration required
Key points:
  • Remotely exploitable over network
  • No authentication required
  • Low attack complexity
  • High EPSS score (74.6%)
  • No vendor fix for SIMATIC ITC2200 PRO
  • Affects industrial control and communication infrastructure
Exploitability
Likely to be exploited — EPSS score 69.9%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (110)
89 with fix, 21 pending
Product                                          | Affected Versions | Fix Status
TIM 1531 IRC                                     | < V2.12.1         |
TIM 3V-IE (incl. SIPLUS NET variants)            | All versions      | No fix yet
TIM 3V-IE Advanced (incl. SIPLUS NET variants)   | All versions      | No fix yet
TIM 3V-IE DNP3 (incl. SIPLUS NET variants)       | All versions      | No fix yet
TIM 4R-IE (incl. SIPLUS NET variants)            | All versions      | No fix yet
Remediation & Mitigation
Do now
SIMATIC ITC2200
WORKAROUND: For SIMATIC ITC2200 PRO, no vendor fix is available; implement network access restrictions and defense-in-depth controls.
All products
HARDENING: Restrict network access to all affected devices; limit which network segments and hosts can reach these devices.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC ITC1500
HOTFIX: Update SIMATIC ITC1500, ITC1500 PRO, ITC1900, ITC1900 PRO, ITC2200, and ITC2200 PRO to v3.1.1.0 or later.
SINUMERIK 808D
HOTFIX: Update SINUMERIK 808D to v4.92 and SINUMERIK 828D/840D sl to v4.8 SP5.
SINEMA Remote Connect Server
HOTFIX: Update SINEMA Remote Connect Server to v2.1.
RUGGEDCOM RX1400 VPE Debian Linux
HOTFIX: Apply the latest available Debian patches to RUGGEDCOM APE 1404 Linux and RUGGEDCOM RX1400 VPE Debian Linux devices.
All products
HOTFIX: Update all SCALANCE M-series and S-series network devices to the versions specified in the advisory (v6.2, v4.1, v2.0.1, etc.).
HOTFIX: Update all SIMATIC CP communication processors (CP 442-1 RNA, CP 443-1 RNA, CP 1242-7C, CP 1243 series, CP 1542SP series, CP 1543 series, CP 1623, CP 1628) to the versions specified in the advisory.
HOTFIX: Update SIMATIC MV540/550/560 series to v2.1 or later.
HOTFIX: Update SIMATIC Reader RF610R/615R/650R/680R/685R series to v4.0 or later.
HOTFIX: Migrate SIMATIC Teleservice Adapters (IE Basic, IE Advanced) to SCALANCE M-800 family successor products.
Long-term hardening
HARDENING: Apply defense-in-depth security controls such as network segmentation, firewalls, and monitoring.