OTPulse

Siemens Industrial Products SNMP (Update F)

Priority: Act Now · CVSS 7.5 · ICS-CERT ICSA-20-042-02 · Feb 11, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Several Siemens industrial network devices are vulnerable to a denial of service attack via specially crafted packets sent to port 161/UDP (SNMP). The vulnerability affects IE/PB link PN IO, SCALANCE S-series switches, SIMATIC CP communication modules, and TIM 1531 IRC modules. An attacker sending malformed SNMP packets could crash the SNMP service on affected devices, causing them to become unreachable.

What this means
What could happen
An attacker could crash the SNMP service on your industrial network switches and communication modules by sending specially crafted packets, rendering them unreachable and disrupting network connectivity to PLCs and field devices. This could halt production or disrupt critical infrastructure operations depending on network architecture.
Who's at risk
Manufacturing facilities operating Siemens industrial network equipment should be concerned. This affects network switches (SCALANCE S-series) and communication modules (SIMATIC CP, TIM) used to connect PLCs and field devices to control systems. Any facility with these devices on an accessible network is at risk of losing network connectivity to critical equipment.
How it could be exploited
An attacker on the network sends malformed SNMP packets to port 161/UDP on a vulnerable device. The device processes the packet incorrectly, triggering a null pointer dereference or invalid memory access that crashes the SNMP service. The device becomes unreachable, disrupting network communication until manually rebooted.
Prerequisites
  • Network access to UDP port 161 on the affected device
  • No credentials or authentication required
  • Ability to send UDP packets to the device
Remotely exploitable · No authentication required · Low complexity attack · Affects network connectivity in manufacturing environments · High EPSS score (17.8%) · No patch available for several products
Exploitability
High exploit probability (EPSS 17.8%)
Affected products (18)
11 with fix · 7 EOL
Product | Affected Versions | Fix Status
SCALANCE S602 | <V4.1 | No fix (EOL)
SCALANCE S627-2M | <V4.1 | No fix (EOL)
SIMATIC CP 1623 (6GK1162-3AA00) | <V14.00.15.00 51.25.00.01 | 14.00.15.00_51.25.00.01 (via SIMATIC NET PC Software v14 Update 14 or v16)
SIMATIC CP 343-1 Advanced | All versions | No fix (EOL)
IE/PB link PN IO (6GK1411-5AB10) | <V4.0.1 | 4.0.1
Remediation & Mitigation
Do now
WORKAROUND: Disable SNMP on affected devices if supported and not required for operations (refer to product documentation)
WORKAROUND: Restrict network access to UDP port 161 on affected devices using firewall rules or network segmentation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC CP 443-1
HOTFIX: Update SIMATIC CP 443-1 and SIMATIC CP 443-1 Advanced to firmware version 3.3 or later
SIPLUS NET CP 443-1
HOTFIX: Update SIPLUS NET CP 443-1 and SIPLUS NET CP 443-1 Advanced to firmware version 3.3 or later
SIPLUS NET IE/PB link PN IO
HOTFIX: Update SIPLUS NET IE/PB link PN IO to firmware version 4.0.1 or later
TIM 1531 IRC
HOTFIX: Update TIM 1531 IRC and SIPLUS NET TIM 1531 IRC to firmware version 2.0 or later
SCALANCE S602
HOTFIX: Contact Siemens Support for updated firmware for SCALANCE S602, S612, S623, and S627-2M (version 4.1), or plan hardware upgrade to SCALANCE SC-600 family successor products
All products
HOTFIX: Update IE/PB link PN IO to firmware version 4.0.1 or later
HOTFIX: Update SIMATIC CP 1626 to firmware version 1.1.1 or later
HOTFIX: Update SIMATIC NET CP 1623 to SIMATIC NET PC Software v14 Update 14 or later, or v16 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SCALANCE S602, SCALANCE S627-2M, SIMATIC CP 343-1 Advanced, SCALANCE S612, SCALANCE S623, SIMATIC CP 1628 (6GK1162-8AA00), SIPLUS NET CP 343-1 Advanced. Apply the following compensating controls:
HARDENING: Implement cell protection concept and defense-in-depth network architecture to limit attacker access to industrial network segments
HARDENING: Use VPN to protect network communication between network cells and control system segments
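An added example, not part of the OTPulse advisory or any Siemens tooling: a small Python triage script that checks a device inventory against the fix versions listed in the remediation steps above, so the patch plan can be split into "update", "EOL, compensating controls only" and "already fixed". The hostnames and firmware strings are constructed, and numeric component-wise ordering of Siemens version strings is an assumption.

```python
"""Triage a device inventory against ICSA-20-042-02 (Siemens SNMP DoS).
Thresholds are the fixed firmware versions this advisory names (SIPLUS NET
variants share them); EOL products carry None. Inventory data is constructed."""
import re

FIX_VERSIONS = {
    "IE/PB link PN IO": "4.0.1",
    "SIMATIC CP 443-1": "3.3",
    "SIMATIC CP 443-1 Advanced": "3.3",
    "TIM 1531 IRC": "2.0",
    "SIMATIC CP 1626": "1.1.1",
    "SIMATIC CP 1623": "14.00.15.00_51.25.00.01",  # via SIMATIC NET PC Software
    "SCALANCE S602": None,      # EOL; firmware 4.1 only via Siemens Support
    "SCALANCE S627-2M": None,
    "SIMATIC CP 343-1 Advanced": None,
}

def parse_version(text):
    """'V4.0.1' -> (4, 0, 1). Separators are ignored, so the CP 1623 string
    '14.00.15.00_51.25.00.01' still compares component-wise (assumed ordering)."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def assess(product, firmware):
    """Classify one device: 'not listed', 'eol', 'vulnerable' or 'patched'."""
    if product not in FIX_VERSIONS:
        return "not listed"
    fix = FIX_VERSIONS[product]
    if fix is None:
        return "eol"  # no fix: only the compensating controls above apply
    return "patched" if parse_version(firmware) >= parse_version(fix) else "vulnerable"

def triage(inventory):
    """Group (hostname, product, firmware) rows by status for the patch plan."""
    groups = {"vulnerable": [], "eol": [], "patched": [], "not listed": []}
    for host, product, firmware in inventory:
        groups[assess(product, firmware)].append(host)
    return groups

# Constructed sample inventory: hostnames and firmware strings are made up.
SAMPLE_INVENTORY = [
    ("cp443-line1", "SIMATIC CP 443-1", "V3.2.17"),
    ("cp443-line2", "SIMATIC CP 443-1 Advanced", "V3.3"),
    ("pn-link-a", "IE/PB link PN IO", "V4.0.0"),
    ("pc-cp1623", "SIMATIC CP 1623", "V14.00.15.00 51.25.00.00"),
    ("s602-cell", "SCALANCE S602", "V4.0"),
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:>10}: {', '.join(hosts) or '-'}")
```

Devices that come back as "eol" cannot be fixed by firmware and belong in the cell-protection and VPN hardening items above; "vulnerable" devices map to the scheduled HOTFIX items.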