Siemens Embedded TCP/IP Stack Vulnerabilities - AMNESIA:33 (Update C)
Priority: Monitor
Score: 6.5
Source: ICS-CERT ICSA-20-343-05
Date: Dec 8, 2020
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
CVE-2020-13988 is an integer overflow vulnerability in the embedded TCP/IP stack (AMNESIA:33) used by several Siemens industrial devices. This vulnerability can cause a denial of service condition, preventing the affected device from functioning properly. The vulnerability exists in the TCP/IP stack implementation shared across multiple SENTRON power monitoring and metering devices and SIRIUS soft starter communication modules.
What this means
What could happen
An attacker on the local network could send specially crafted network packets to cause the device to stop responding, interrupting power monitoring, load control, or process communication until the device is manually restarted.
Who's at risk
Water and utility operators using Siemens SENTRON power monitoring devices (3VA COM, 3VA DSP, PAC2200, PAC3200, PAC3200T, PAC4200) or SIRIUS soft starter communication modules should be aware of this vulnerability. These devices measure power consumption, manage electrical loads, and control soft starters in motors and pumps. A denial of service attack would prevent proper monitoring of critical infrastructure.
How it could be exploited
An attacker with access to the local network (LAN) sends malformed TCP/IP packets that trigger an integer overflow in the device's TCP/IP stack. The vulnerable stack crashes while processing these packets, causing the device to become unresponsive and stop providing monitoring or control functions.
Prerequisites
- Local network access to the affected device (LAN only, not remotely exploitable)
- No authentication or credentials required
- Attacker must be able to send network packets to the device
Key factors
- No authentication required
- Low complexity attack
- Local network only (not internet-facing)
- Denial of service impact on industrial operations
- Affects power monitoring and process control devices
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (7)
7 with fix
Product | Affected Versions | Fix Status
SENTRON 3VA COM100/800 | < V4.2 | Fixed in V4.2
SENTRON 3VA DSP800 | < V2.0 | Fixed in V2.0
SENTRON PAC2200 (without MID Approval) | < V3.0.5 | Fixed in V3.0.5
SENTRON PAC3200 | < V2.4.5 | Fixed in V2.4.5
SENTRON PAC3200T | < V3.0.5 | Fixed in V3.0.5
SENTRON PAC4200 | < V2.0.1 | Fixed in V2.0.1
SIRIUS 3RW5 communication module Modbus TCP | < V1.1.1 | Fixed in V1.1.1
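An added example, not part of the advisory or any Siemens tooling: an inventory triage helper that compares a device's reported firmware version against the fixed versions in the table above, so that devices still needing the hotfix can be listed. The product names and fixed versions are taken from the table; the sample inventory is constructed.

```python
# Added example (not from the advisory): flag devices whose firmware is below
# the fixed version listed for CVE-2020-13988 (AMNESIA:33).
from typing import List, Tuple

# Fixed firmware versions from the advisory's affected-products table; a device
# is affected when its firmware version is strictly lower than the fix.
FIXED_VERSIONS = {
    "SENTRON 3VA COM100/800": "4.2",
    "SENTRON 3VA DSP800": "2.0",
    "SENTRON PAC2200 (without MID Approval)": "3.0.5",
    "SENTRON PAC3200": "2.4.5",
    "SENTRON PAC3200T": "3.0.5",
    "SENTRON PAC4200": "2.0.1",
    "SIRIUS 3RW5 communication module Modbus TCP": "1.1.1",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V3.0.5', 'v2.4' or '2.0.1' into a comparable tuple of integers.
    Short versions are padded with zeros so that 2.0 and 2.0.0 compare equal."""
    parts = text.strip().lstrip("Vv").split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums + (0,) * (3 - len(nums))


def is_affected(product: str, firmware: str) -> bool:
    """True when the product is in the advisory table and its firmware is below the fix."""
    if product not in FIXED_VERSIONS:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    return parse_version(firmware) < parse_version(FIXED_VERSIONS[product])


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return the (product, firmware) pairs that still need the hotfix."""
    return [(p, fw) for p, fw in inventory if is_affected(p, fw)]


# Constructed sample inventory (not real device data) to exercise the check.
SAMPLE_INVENTORY = [
    ("SENTRON PAC3200", "V2.4.4"),
    ("SENTRON PAC3200", "V2.4.5"),
    ("SENTRON 3VA DSP800", "V1.9"),
    ("SIRIUS 3RW5 communication module Modbus TCP", "V1.1.1"),
]

if __name__ == "__main__":
    for product, fw in triage(SAMPLE_INVENTORY):
        print(f"{product} at {fw}: affected, update to V{FIXED_VERSIONS[product]} or later")
```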
Remediation & Mitigation
Do now
WORKAROUND: Implement network firewall rules to restrict access to industrial devices and block untrusted traffic to monitoring and control device ports
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
SENTRON 3VA COM100/800
HOTFIX: Update SENTRON 3VA COM100/800 to firmware version 4.2 or later
SENTRON 3VA DSP800
HOTFIX: Update SENTRON 3VA DSP800 to firmware version 2.0 or later
SENTRON PAC2200 (without MID Approval)
HOTFIX: Update SENTRON PAC2200 (without MID Approval) to firmware version 3.0.5 or later
SENTRON PAC3200
HOTFIX: Update SENTRON PAC3200 to firmware version 2.4.5 or later
SENTRON PAC3200T
HOTFIX: Update SENTRON PAC3200T to firmware version 3.0.5 or later
SENTRON PAC4200
HOTFIX: Update SENTRON PAC4200 to firmware version 2.0.1 or later
SIRIUS 3RW5 communication module Modbus TCP
HOTFIX: Update SIRIUS 3RW5 communication module Modbus TCP to firmware version 1.1.1 or later
Long-term hardening
HARDENING: Segment the industrial control network from the business network to limit lateral movement from compromised IT systems
HARDENING: Ensure affected devices are not directly accessible from the Internet; disable remote access or use VPN with additional authentication if remote access is required
CVEs (1)
CVE-2020-13988