Siemens TCP/IP Stack Vulnerabilities-AMNESIA:33 in SENTRON PAC / 3VA Devices (Update C)

MonitorCVSS 6.5ICS-CERT ICSA-21-068-06Mar 9, 2021

Siemens

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Siemens SENTRON power monitoring and distribution devices contain memory safety vulnerabilities (CVE-2020-13987, CVE-2020-17437) in embedded TCP/IP stacks, collectively known as AMNESIA:33. These vulnerabilities can be triggered by malformed TCP/IP packets sent from the same Modbus TCP network segment, causing device crashes or reboots. Affected products include SENTRON 3VA COM100/800, 3VA DSP800, PAC2200, PAC3200, PAC3200T, PAC3220, and PAC4200 series with various version thresholds. Some PAC2200 variants with CLP Approval and MID Approval have no fix available; PAC2200 without MID Approval and other models have firmware updates available.

What this means

What could happen

An attacker on the same Modbus TCP network segment could cause a denial of service condition (such as device reboot or process interruption) on SENTRON power monitoring and distribution devices. No authentication is required.

Who's at risk

Power utilities and industrial facilities using Siemens SENTRON power monitoring and distribution devices (3VA COM100/800, 3VA DSP800, PAC2200, PAC3200, PAC3200T, PAC3220, PAC4200 series). These devices monitor and manage electrical distribution; a denial of service could interrupt visibility into power distribution or cause devices to reset during critical operations.

How it could be exploited

An attacker must be connected to the same local Modbus TCP network segment as a vulnerable SENTRON device. They can craft malformed TCP/IP packets that trigger memory safety violations in the embedded TCP/IP stack, causing the device to crash or reboot and interrupt power monitoring or distribution operations.

Prerequisites

Attacker must be on the same Modbus TCP network segment as the target device
No authentication required
No special credentials needed
Device must be running a vulnerable firmware version

Low complexity exploitationNo authentication requiredLocal network access only (not remotely exploitable from Internet)Part of AMNESIA:33 publicly disclosed vulnerability setAffects industrial power monitoring and distributionSome product variants have no patch available

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (9)

7 with fix2 EOL

ProductAffected VersionsFix Status

SENTRON 3VA COM100/800<V4.4.14.4.1

SENTRON PAC3200<V2.4.72.4.7

SENTRON PAC4200<V2.3.02.3.0

SENTRON 3VA DSP800<V4.04.0

SENTRON PAC2200 (without MID Approval)<V3.2.23.2.2

SENTRON PAC3200T<V3.2.23.2.2

SENTRON PAC3220<V3.2.03.2.0

SENTRON PAC2200 (with CLP Approval)All versionsNo fix (EOL)

Remediation & Mitigation

0/10

Do now

0/1

WORKAROUNDRestrict access to the Modbus TCP network segment to only trusted systems and personnel; implement network access controls to prevent unauthorized devices from joining the segment

Schedule — requires maintenance window

0/7

Patching may require device reboot — plan for process interruption

SENTRON 3VA COM100/800

HOTFIXUpdate SENTRON 3VA COM100/800 to firmware version 4.4.1 or later

SENTRON 3VA DSP800

HOTFIXUpdate SENTRON 3VA DSP800 to firmware version 4.0 or later

SENTRON PAC3200

HOTFIXUpdate SENTRON PAC3200 to firmware version 2.4.7 or later

HOTFIXUpdate SENTRON PAC3200T to firmware version 3.2.2 or later

SENTRON PAC3220

HOTFIXUpdate SENTRON PAC3220 to firmware version 3.2.0 or later

SENTRON PAC4200

HOTFIXUpdate SENTRON PAC4200 to firmware version 2.3.0 or later

All products

HOTFIXUpdate SENTRON PAC2200 to firmware version 3.2.2 or later (contact Siemens customer support for latest firmware)

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: SENTRON PAC2200 (with CLP Approval), SENTRON PAC2200 (with MID Approval). Apply the following compensating controls:

HARDENINGSegment the SENTRON device network from the business network using firewalls; do not expose to the Internet

HARDENINGConfigure the network environment according to Siemens operational guidelines for industrial security as documented in product manuals

CVEs (2)

CVE-2020-13987 CVE-2020-17437

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/e8d84b19-03ca-4e4d-b0d1-3496933eacdf

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.