Siemens SCALANCE and SIMATIC libcurl (Update B)
Act Now | 8.3 | ICS-CERT ICSA-21-068-10 | Apr 9, 2019
Attack Vector: Network
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
Siemens SINEMA Remote Connect Client and Server, as well as SCALANCE SC600 and SIMATIC NET CM 1542-1 devices, contain multiple libcurl vulnerabilities (CWE-131, CWE-125, CWE-121, CWE-280) including buffer overflows and out-of-bounds memory access. An attacker with valid credentials and network access could exploit these flaws to execute arbitrary code on the affected device. The vulnerabilities are particularly relevant to the SMTP Client functionality on SCALANCE and SIMATIC devices, which can be disabled to reduce risk.
What this means
What could happen
An attacker with network access and valid credentials could exploit libcurl vulnerabilities in SINEMA Remote Connect or SCALANCE/SIMATIC devices to execute arbitrary code, potentially allowing them to modify network configuration, intercept SMTP traffic, or disrupt remote management capabilities.
Who's at risk
Water utilities and electric facilities using Siemens SINEMA Remote Connect for remote management of SCALANCE network switches or SIMATIC NET devices. System administrators and engineering staff who use the Remote Connect Client to access field devices over the network are at risk.
How it could be exploited
An attacker on the network with valid user credentials could send a specially crafted request to the affected SINEMA or SCALANCE device that exploits memory corruption flaws in the embedded libcurl library, causing the application to execute arbitrary commands. The vulnerability requires the SMTP Client function to be enabled on the target device.
Prerequisites
- Valid user credentials for SINEMA Remote Connect Client or Server
- Network access to the affected device on its management port
- SMTP Client function enabled on the target device (for SCALANCE/SIMATIC products)
- Authentication required; not exploitable anonymously
- Remotely exploitable
- Valid credentials required (elevated complexity)
- Memory corruption vulnerabilities (buffer overflow, out-of-bounds read)
- High CVSS score (8.3)
- Elevated exploit probability (16.6% EPSS)
- Affects remote management infrastructure
Exploitability
High exploit probability (EPSS 16.6%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
SINEMA Remote Connect Client | All < V2.0 HF1 | 2.0 HF1
SINEMA Remote Connect Server | All < V2.0 | 2.0
Remediation & Mitigation
Do now
WORKAROUND: Disable the SMTP Client function on affected devices if remote mail notification is not required
WORKAROUND: Use VPN to protect SMTP traffic to trusted email servers only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update SINEMA Remote Connect Client to version 2.0 HF1 or later
HOTFIX: Update SINEMA Remote Connect Server to version 2.0 or later
HOTFIX: Update SCALANCE SC600 to version 2.0 or later
HOTFIX: Update SIMATIC NET CM 1542-1 to version 3.0 or later
Long-term hardening
HARDENING: Isolate control system networks and remote access devices behind firewalls, separate from business networks
HARDENING: Minimize Internet-facing exposure of all control system devices and remote access management systems
API: /api/v1/advisories/f78a3f0c-2954-4bce-8cac-403633aafbd6