OTPulse

Siemens TCP/IP Stack Vulnerabilities-AMNESIA:33 in SENTRON PAC / 3VA Devices (Update C)

Severity: Monitor (CVSS 6.5)
Source: ICS-CERT ICSA-21-068-06
Published: Mar 9, 2021
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens SENTRON power monitoring and distribution devices contain memory safety vulnerabilities (CVE-2020-13987, CVE-2020-17437) in embedded TCP/IP stacks, collectively known as AMNESIA:33. These vulnerabilities can be triggered by malformed TCP/IP packets sent from the same Modbus TCP network segment, causing device crashes or reboots. Affected products include SENTRON 3VA COM100/800, 3VA DSP800, PAC2200, PAC3200, PAC3200T, PAC3220, and PAC4200 series with various version thresholds. Some PAC2200 variants with CLP Approval and MID Approval have no fix available; PAC2200 without MID Approval and other models have firmware updates available.

What this means
What could happen
An attacker on the same Modbus TCP network segment could cause a denial of service condition (such as device reboot or process interruption) on SENTRON power monitoring and distribution devices. No authentication is required.
Who's at risk
Power utilities and industrial facilities using Siemens SENTRON power monitoring and distribution devices (3VA COM100/800, 3VA DSP800, PAC2200, PAC3200, PAC3200T, PAC3220, PAC4200 series). These devices monitor and manage electrical distribution; a denial of service could interrupt visibility into power distribution or cause devices to reset during critical operations.
How it could be exploited
An attacker must be connected to the same local Modbus TCP network segment as a vulnerable SENTRON device. They can craft malformed TCP/IP packets that trigger memory safety violations in the embedded TCP/IP stack, causing the device to crash or reboot and interrupt power monitoring or distribution operations.
Prerequisites
  • Attacker must be on the same Modbus TCP network segment as the target device
  • No authentication required
  • No special credentials needed
  • Device must be running a vulnerable firmware version
Key points
  • Low complexity exploitation
  • No authentication required
  • Local network access only (not remotely exploitable from the Internet)
  • Part of the publicly disclosed AMNESIA:33 vulnerability set
  • Affects industrial power monitoring and distribution
  • Some product variants have no patch available
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (9)
7 with fix, 2 EOL
Product | Affected Versions | Fix Status
SENTRON 3VA COM100/800 | < V4.4.1 | 4.4.1
SENTRON PAC3200 | < V2.4.7 | 2.4.7
SENTRON PAC4200 | < V2.3.0 | 2.3.0
SENTRON 3VA DSP800 | < V4.0 | 4.0
SENTRON PAC2200 (without MID Approval) | < V3.2.2 | 3.2.2
SENTRON PAC3200T | < V3.2.2 | 3.2.2
SENTRON PAC3220 | < V3.2.0 | 3.2.0
SENTRON PAC2200 (with CLP Approval) | All versions | No fix (EOL)
SENTRON PAC2200 (with MID Approval) | All versions | No fix (EOL)
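The table above gives a fix threshold per product, and the practical check is whether each fielded device sits below its threshold. The following inventory checker is an added example, not part of the advisory or any Siemens tooling; the device names and firmware strings in INVENTORY are constructed, and the product names and thresholds are taken from the table. Versions are compared numerically per component so that, for instance, V2.10.0 is correctly treated as newer than V2.4.7, and a product with no fixed version is reported as needing compensating controls rather than an update.

```python
"""Assess a SENTRON device inventory against the ICSA-21-068-06 fix thresholds."""

# Fixed firmware version per product, as listed in the advisory table.
# None means the product is End of Life with no planned fix.
FIX_VERSIONS = {
    "SENTRON 3VA COM100/800": "4.4.1",
    "SENTRON 3VA DSP800": "4.0",
    "SENTRON PAC2200 (without MID Approval)": "3.2.2",
    "SENTRON PAC2200 (with CLP Approval)": None,
    "SENTRON PAC2200 (with MID Approval)": None,
    "SENTRON PAC3200": "2.4.7",
    "SENTRON PAC3200T": "3.2.2",
    "SENTRON PAC3220": "3.2.0",
    "SENTRON PAC4200": "2.3.0",
}

# Constructed sample inventory (hostname, product, reported firmware); not real data.
INVENTORY = [
    ("pac3200-substation-a", "SENTRON PAC3200", "V2.4.5"),
    ("pac3200-substation-b", "SENTRON PAC3200", "V2.4.7"),
    ("pac4200-mcc-1", "SENTRON PAC4200", "V2.10.0"),
    ("dsp800-feeder-1", "SENTRON 3VA DSP800", "V3.9"),
    ("pac2200-clp-1", "SENTRON PAC2200 (with CLP Approval)", "V1.0.3"),
    ("unknown-meter-7", "SENTRON PAC9999", "V1.0"),
]


def version_key(version: str) -> tuple:
    """Convert 'V2.4.7' or '2.4.7' into a zero-padded tuple of ints.

    Numeric comparison is essential: as strings, '2.10.0' < '2.4.7'.
    Padding to four components makes '4.0' compare equal to '4.0.0'.
    """
    v = version.strip()
    if v[:1] in ("V", "v"):
        v = v[1:]
    parts = tuple(int(p) for p in v.split("."))
    return parts + (0,) * (4 - len(parts))


def assess(product: str, firmware: str) -> str:
    """Return one of: not_affected, affected_update, affected_no_fix, unknown_product."""
    if product not in FIX_VERSIONS:
        return "unknown_product"
    fixed = FIX_VERSIONS[product]
    if fixed is None:
        # EOL variant: every version is affected and only compensating controls apply.
        return "affected_no_fix"
    if version_key(firmware) < version_key(fixed):
        return "affected_update"
    return "not_affected"


def assess_inventory(inventory) -> dict:
    """Map each hostname to its assessment status."""
    return {host: assess(product, fw) for host, product, fw in inventory}


def required_actions(inventory) -> list:
    """Human-readable action per device, for a maintenance-window plan."""
    actions = []
    for host, product, fw in inventory:
        status = assess(product, fw)
        if status == "affected_update":
            actions.append(f"{host}: update {product} from {fw} to {FIX_VERSIONS[product]} or later")
        elif status == "affected_no_fix":
            actions.append(f"{host}: {product} is EOL; segment network and restrict Modbus TCP access")
        elif status == "unknown_product":
            actions.append(f"{host}: product '{product}' not in advisory; verify model manually")
    return actions


if __name__ == "__main__":
    for line in required_actions(INVENTORY):
        print(line)
```

Feed the script the product and firmware strings your asset inventory or Modbus device-identification data already holds; the unknown_product branch catches typos or models outside the advisory so they are reviewed rather than silently reported as safe.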
Remediation & Mitigation
Do now
WORKAROUND: Restrict access to the Modbus TCP network segment to trusted systems and personnel only; implement network access controls to prevent unauthorized devices from joining the segment
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SENTRON 3VA COM100/800
HOTFIX: Update SENTRON 3VA COM100/800 to firmware version 4.4.1 or later
SENTRON 3VA DSP800
HOTFIX: Update SENTRON 3VA DSP800 to firmware version 4.0 or later
SENTRON PAC3200
HOTFIX: Update SENTRON PAC3200 to firmware version 2.4.7 or later
SENTRON PAC3200T
HOTFIX: Update SENTRON PAC3200T to firmware version 3.2.2 or later
SENTRON PAC3220
HOTFIX: Update SENTRON PAC3220 to firmware version 3.2.0 or later
SENTRON PAC4200
HOTFIX: Update SENTRON PAC4200 to firmware version 2.3.0 or later
SENTRON PAC2200 (without MID Approval)
HOTFIX: Update SENTRON PAC2200 (without MID Approval) to firmware version 3.2.2 or later (contact Siemens customer support for the latest firmware)
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SENTRON PAC2200 (with CLP Approval), SENTRON PAC2200 (with MID Approval). Apply the following compensating controls:
HARDENING: Segment the SENTRON device network from the business network using firewalls; do not expose the devices to the Internet
HARDENING: Configure the network environment according to Siemens operational guidelines for industrial security as documented in the product manuals
API: /api/v1/advisories/e8d84b19-03ca-4e4d-b0d1-3496933eacdf