Siemens SCALANCE and SIMATIC libcurl (Update B)
Act NowCVSS 8.3ICS-CERT ICSA-21-068-10Apr 9, 2019
Siemens
Attack path
Attack VectorNetwork
Auth RequiredLow
ComplexityLow
User InteractionNone needed
Summary
Siemens SINEMA Remote Connect Client and Server, as well as SCALANCE SC600 and SIMATIC NET CM 1542-1 devices, contain multiple libcurl vulnerabilities (CWE-131, CWE-125, CWE-121, CWE-280) including buffer overflows and out-of-bounds memory access. An attacker with valid credentials and network access could exploit these flaws to execute arbitrary code on the affected device. The vulnerabilities are particularly relevant to the SMTP Client functionality on SCALANCE and SIMATIC devices, which can be disabled to reduce risk.
What this means
What could happen
An attacker with network access and valid credentials could exploit libcurl vulnerabilities in SINEMA Remote Connect or SCALANCE/SIMATIC devices to execute arbitrary code, potentially allowing them to modify network configuration, intercept SMTP traffic, or disrupt remote management capabilities.
Who's at risk
Water utilities and electric facilities using Siemens SINEMA Remote Connect for remote management of SCALANCE network switches or SIMATIC NET devices. System administrators and engineering staff who use the Remote Connect Client to access field devices over the network are at risk.
How it could be exploited
An attacker on the network with valid user credentials could send a specially crafted request to the affected SINEMA or SCALANCE device that exploits memory corruption flaws in the embedded libcurl library, causing the application to execute arbitrary commands. The vulnerability requires the SMTP Client function to be enabled on the target device.
Prerequisites
- Valid user credentials for SINEMA Remote Connect Client or Server
- Network access to the affected device on its management port
- SMTP Client function enabled on the target device (for SCALANCE/SIMATIC products)
- Authentication required; not exploitable anonymously
Remotely exploitableValid credentials required (elevated complexity)Memory corruption vulnerabilities (buffer overflow, out-of-bounds read)High CVSS score (8.3)Elevated exploit probability (16.6% EPSS)Affects remote management infrastructure
Exploitability
Likely to be exploited — EPSS score 17.9%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (5)
4 with fix1 EOL
ProductAffected VersionsFix Status
SCALANCE SC600 Family< V2.02.0
SIMATIC CM 1542-1< V3.03.0
SIMATIC CP 343-1 Advanced (incl. SIPLUS variants)V3.0.33, V3.0.44 and V3.0.53No fix (EOL)
SINEMA Remote Connect Client: All<V2.0 HF12.0 HF1
SINEMA Remote Connect Server: All<V2.02.0
Remediation & Mitigation
0/8
Do now
0/2WORKAROUNDDisable the SMTP Client function on affected devices if remote mail notification is not required
WORKAROUNDUse VPN to protect SMTP traffic to trusted email servers only
Schedule — requires maintenance window
0/4Patching may require device reboot — plan for process interruption
HOTFIXUpdate SINEMA Remote Connect Client to version 2.0 HF1 or later
HOTFIXUpdate SINEMA Remote Connect Server to version 2.0 or later
HOTFIXUpdate SCALANCE SC600 to version 2.0 or later
HOTFIXUpdate SIMATIC NET CM 1542-1 to version 3.0 or later
Mitigations - no patch available
0/2SIMATIC CP 343-1 Advanced (incl. SIPLUS variants) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGIsolate control system networks and remote access devices behind firewalls, separate from business networks
HARDENINGMinimize Internet-facing exposure of all control system devices and remote access management systems
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/f78a3f0c-2954-4bce-8cac-403633aafbd6Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.