OTPulse
FeedAboutContact

ICSA-20-098-05_KUKA.Sim Pro

Monitor4.3ICS-CERT ICSA-20-098-05Apr 7, 2020
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionRequired
Summary

CWE-924 vulnerability in KUKA.Sim Pro Version 3.1 allows an attacker to modify data and parameters in the simulation software. The vulnerability involves improper restriction of communication channels to intended endpoints. KUKA recommends upgrading to Version 3.1.2 or above. All previous versions (3.0 and earlier) have been discontinued and will not receive patches.

What this means
What could happen
An attacker could exploit this vulnerability to modify data or parameters in KUKA.Sim Pro simulation software, potentially corrupting robot programming or simulation results used for development and validation.
Who's at risk
Organizations using KUKA.Sim Pro Version 3.1 for robot programming, simulation, and validation should assess this risk. This affects design and engineering environments that use KUKA simulation software, particularly any systems where corrupted robot programs could impact production or safety validation.
How it could be exploited
An attacker with network access to a KUKA.Sim Pro installation could send a malicious request that exploits CWE-924 (improper restriction of communication channel to intended endpoints) to modify simulation parameters or project data. User interaction is required (the user must open a malicious file or click a link), making this a network-based attack that bypasses intended communication restrictions.
Prerequisites
  • Network access to the device running KUKA.Sim Pro
  • User interaction required (user must open a malicious file or click a malicious link)
  • KUKA.Sim Pro Version 3.1 or earlier installed
remotely exploitableno authentication requiredlow complexitysimulation software (not real-time control)user interaction required
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
ProductAffected VersionsFix Status
.Sim Pro:3.13.1.2 or above
Remediation & Mitigation
0/4
Do now
0/2
HARDENINGEnsure KUKA.Sim Pro is not accessible from the Internet; restrict network access to authorized engineering workstations only
HARDENINGIsolate the network segment containing KUKA.Sim Pro from the business network using firewall rules
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade KUKA.Sim Pro to Version 3.1.2 or above
WORKAROUNDIf remote access to KUKA.Sim Pro is required, use a VPN with current security updates
View full CISA ICS-CERT advisory
↑↓ Navigate · Esc Close
API: /api/v1/advisories/3dec48cd-5d5d-4c74-badd-0e15db606d0a
ICSA-20-098-05_KUKA.Sim Pro | CVSS 4.3 - OTPulse