OTPulse

Siemens SIMOTICS CONNECT 400 (Update A)

Severity: Monitor (CVSS 6.5) · ICS-CERT ICSA-21-103-13 · Apr 13, 2021
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

SIMOTICS CONNECT 400 is affected by vulnerabilities in the DNS client of the DNS module of Nucleus RTOS, on which the device firmware is built. Three are memory-safety defects in the code that parses DNS responses: improper null termination (CWE-170), out-of-bounds read (CWE-125) and access of a memory location after the end of a buffer (CWE-788). The fourth is use of insufficiently random values (CWE-330) for DNS transaction IDs, which makes forged responses easier to get accepted. Which versions are affected depends on the CVE: some issues affect versions before V0.5.0.0, others affect versions from V0.5.0.0 up to but not including V1.0.0.0. Siemens has released firmware updates (V0.5.0.0 and V1.0.0.0) that address these issues.
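The three parsing weaknesses named above (CWE-170, CWE-125, CWE-788) are all of the same shape: a DNS response carries a label length, a compression pointer or an RDLENGTH that the parser trusts without checking it against the bytes actually received. The parser below is an added example, not Siemens or Nucleus code; it shows the checks a response parser must make and rejects replies that would otherwise cause an out-of-bounds read. Every packet in it is constructed here for illustration, and the hop limit is an assumption.

```python
"""Bounds-checked DNS response parsing (added example, not Siemens or Nucleus code).

Each MalformedDNS below marks a place where an unchecked parser would read
outside its buffer; the comments name the CWE class from the advisory.
"""
import struct

MAX_NAME_LEN = 255      # RFC 1035 limit on an encoded name
MAX_POINTER_HOPS = 16   # assumed hop limit; backwards-only pointers already prevent loops


class MalformedDNS(ValueError):
    """Raised instead of reading outside the packet buffer."""


def read_name(pkt, off):
    """Decode a possibly compressed name at pkt[off].

    Returns (name, offset just past the name in the original stream).
    """
    labels, total, hops, resume = [], 0, 0, None
    while True:
        if off >= len(pkt):
            # CWE-170 / CWE-788: no terminating zero octet before the buffer ends
            raise MalformedDNS("name runs past end of packet")
        length = pkt[off]
        if length == 0:                        # root label: name complete
            off += 1
            break
        if length & 0xC0 == 0xC0:              # two-octet compression pointer
            if off + 1 >= len(pkt):
                raise MalformedDNS("truncated compression pointer")
            target = struct.unpack_from("!H", pkt, off)[0] & 0x3FFF
            if target >= off:                  # RFC 1035: must point to a prior occurrence
                raise MalformedDNS("forward compression pointer")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise MalformedDNS("too many compression pointers")
            if resume is None:                 # remember where the caller continues
                resume = off + 2
            off = target
            continue
        if length & 0xC0:                      # 0x40 and 0x80 label types are reserved
            raise MalformedDNS("reserved label type")
        if off + 1 + length > len(pkt):
            # CWE-125: label length claims more octets than remain in the packet
            raise MalformedDNS("label length exceeds packet")
        total += 1 + length
        if total > MAX_NAME_LEN:
            raise MalformedDNS("name longer than 255 octets")
        labels.append(pkt[off + 1:off + 1 + length].decode("ascii", "replace"))
        off += 1 + length
    return ".".join(labels), (resume if resume is not None else off)


def parse_answers(pkt):
    """Return the A records of a response as (name, dotted-quad) pairs."""
    if len(pkt) < 12:
        raise MalformedDNS("short header")
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", pkt, 0)
    off = 12
    for _ in range(qdcount):                   # skip the echoed question section
        _, off = read_name(pkt, off)
        if off + 4 > len(pkt):
            raise MalformedDNS("truncated question")
        off += 4                               # QTYPE, QCLASS
    answers = []
    for _ in range(ancount):
        name, off = read_name(pkt, off)
        if off + 10 > len(pkt):
            raise MalformedDNS("truncated RR header")
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", pkt, off)
        off += 10
        if off + rdlen > len(pkt):
            # CWE-788: RDLENGTH larger than the bytes actually received
            raise MalformedDNS("RDLENGTH exceeds packet")
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1:
            if rdlen != 4:
                raise MalformedDNS("A record with wrong RDLENGTH")
            answers.append((name, ".".join(str(b) for b in rdata)))
    return answers


def check(pkt):
    """('ok', answers) for a well-formed reply, ('malformed', reason) otherwise."""
    try:
        return "ok", parse_answers(pkt)
    except MalformedDNS as exc:
        return "malformed", str(exc)


def encode_name(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


# Constructed sample replies (not real captures); each header claims 1 question, 1 answer.
HEADER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
GOOD = (HEADER + encode_name("plc.example") + struct.pack("!HH", 1, 1)
        + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10]))
NO_TERMINATOR = HEADER + b"\x03plc\x07example"       # name never ends (CWE-170)
BAD_LABEL_LEN = HEADER + b"\x3fplc"                  # claims 63 octets, has 3 (CWE-125)
POINTER_TO_SELF = HEADER + b"\xC0\x0C"               # pointer to its own offset

if __name__ == "__main__":
    for tag, pkt in [("good", GOOD), ("no_terminator", NO_TERMINATOR),
                     ("bad_label_len", BAD_LABEL_LEN), ("pointer_to_self", POINTER_TO_SELF)]:
        print(tag, check(pkt))
```

The same constructed packets double as probes: sent from a test DNS server to a device on an isolated bench network, they tell you whether the resolver survives a truncated name, an oversized label or a self-referencing pointer, which is the behaviour the patched firmware is meant to fix.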

What this means
What could happen
An attacker who can get DNS packets to the device has two options. A malformed response that hits one of the parsing defects makes the DNS client read past the end of its buffers, which on an embedded device typically means a crash or hang of the network stack and loss of connectivity. Because transaction IDs are predictable, the attacker can also forge responses that the device accepts, poisoning its resolver cache and steering its lookups to attacker-controlled hosts, so that communication with remote monitoring or configuration services is redirected. Either outcome disrupts the monitoring the device provides to production operations.
Who's at risk
This affects organizations operating SIMOTICS CONNECT 400 connectivity modules on SIMOTICS motors in industrial control systems, particularly in motor-driven manufacturing, water/wastewater, and power distribution settings where the device's DNS resolution is critical to maintaining connectivity to remote monitoring systems.
How it could be exploited
An attacker with network access to the SIMOTICS CONNECT 400 device, or positioned on the path between it and its configured DNS server, sends crafted DNS packets. To get a forged response accepted, the attacker must match the pending query's UDP source port and 16-bit transaction ID; with weak ID generation (CWE-330) the ID can be predicted rather than brute-forced, so far fewer forged packets are needed. A response whose labels, compression pointers or record lengths are malformed exercises the input-validation flaws (CWE-170, CWE-125, CWE-788) and can crash the DNS client. The result is either denial of service or redirection of the device's network communications to attacker-controlled destinations.
Prerequisites
  • Ability to deliver DNS packets to the device: a position on the network path to its DNS server, control of a DNS server it queries, or the ability to spoof UDP responses to it
  • For spoofing, a forged response must match the pending query's UDP source port and transaction ID (easy when the ID is predictable)
  • Device must be configured to use DNS for name resolution
Tags: remotely exploitable · network access required (DNS packets) · attack complexity rated high · affects device connectivity · no mitigation other than patching and network controls
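The CWE-330 weakness is the one an asset owner can check for passively. The script below is an added example, not Siemens or Nucleus code: it takes the UDP source port and payload of each outgoing DNS query captured from one device (for instance from a mirror port on the switch the device sits on) and flags counter-like or repeating transaction IDs and a fixed source port, the two properties that make a forged response cheap to land. All queries in it are constructed, and the thresholds are assumptions for quick triage rather than a statistical proof of randomness.

```python
"""Predictability check for DNS transaction IDs (added example, not Siemens or Nucleus code)."""
import math
import struct
from collections import Counter


def txid_of(payload):
    """The transaction ID is the first big-endian 16-bit field of the DNS header."""
    if len(payload) < 12:
        raise ValueError("DNS header is at least 12 bytes")
    return struct.unpack_from("!H", payload, 0)[0]


def normalised_entropy(values):
    """Shannon entropy of the observed values divided by its maximum, log2(n)."""
    n = len(values)
    if n < 2:
        return 0.0
    counts = Counter(values)
    h = -sum(c / n * math.log2(c / n) for c in counts.values())
    return h / math.log2(n)


def assess(queries, max_step=16):
    """queries: list of (udp_source_port, dns_payload) captured from one device.

    A resolver that increments its ID, reuses one ID, or always sends from the
    same source port leaves an attacker far fewer guesses per forged reply.
    max_step is an assumed threshold for 'counter-like' ID increments.
    """
    ports = [p for p, _ in queries]
    ids = [txid_of(payload) for _, payload in queries]
    steps = [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]
    small = sum(1 for s in steps if s <= max_step)
    report = {
        "samples": len(ids),
        "distinct_ids": len(set(ids)),
        "fraction_small_steps": small / len(steps) if steps else 0.0,
        "id_entropy": normalised_entropy(ids),
        "distinct_ports": len(set(ports)),
    }
    # counter-like increments or heavy ID reuse both count as predictable
    report["predictable_ids"] = (report["fraction_small_steps"] > 0.5
                                 or report["distinct_ids"] <= len(ids) // 2)
    report["fixed_port"] = report["distinct_ports"] == 1
    report["cheap_to_spoof"] = report["predictable_ids"] and report["fixed_port"]
    return report


def make_query(txid, name="plc.example"):
    """Standard recursive A query for name (constructed; QR=0, RD=1)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


# Constructed captures (not from a real device).
# A resolver that counts up and always sends from one source port ...
COUNTER_QUERIES = [(5353, make_query(0x1000 + i)) for i in range(16)]
# ... and one that draws a fresh ID and source port per query.
RANDOM_IDS = [0x3A7F, 0xC214, 0x19E3, 0xF0B2, 0x5D48, 0x8E91, 0x2C6A, 0xB735,
              0x4F0D, 0xE8C6, 0x61B9, 0x0A52, 0xD3EF, 0x7824, 0xA6D7, 0x150C]
RANDOM_QUERIES = [(49152 + 97 * i, make_query(t)) for i, t in enumerate(RANDOM_IDS)]

if __name__ == "__main__":
    print("counter:", assess(COUNTER_QUERIES))
    print("random: ", assess(RANDOM_QUERIES))
```

Note that the counter case scores maximal entropy (all 16 IDs are distinct), which is why the step-size heuristic is needed: entropy alone does not distinguish a sequential ID from a random one over a short capture.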
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
SIMOTICS CONNECT 400 | < V0.5.0.0 | fixed in V0.5.0.0
SIMOTICS CONNECT 400 | ≥ V0.5.0.0 and < V1.0.0.0 | fixed in V1.0.0.0
Remediation & Mitigation
Do now
SIMOTICS CONNECT 400
HARDENING: Restrict network access to SIMOTICS CONNECT 400 devices using firewalls and network segmentation; do not expose them to the Internet
All products
HARDENING: Isolate the device's network from the business network and position it behind a firewall
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMOTICS CONNECT 400
HOTFIX: Update SIMOTICS CONNECT 400 versions prior to V0.5.0.0 to V0.5.0.0 or later
HOTFIX: Update SIMOTICS CONNECT 400 versions from V0.5.0.0 up to but not including V1.0.0.0 to V1.0.0.0 or later
Long-term hardening
HARDENING: Review and follow Siemens operational guidelines for Industrial Security (SSA-669158) and product manual recommendations