Siemens Linux-based Products (Update J)
Plan Patch | CVSS 7.4 | ICS-CERT ICSA-21-131-03 | May 11, 2021
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A vulnerability in the Linux kernel when handling ICMP packets (SAD DNS) affects the Domain Name System resolver on multiple Siemens industrial products. By sending specially crafted ICMP packets, an attacker can trigger incorrect DNS resolution on the affected device, potentially redirecting network traffic and disrupting control system communication. The vulnerability requires network access and has high attack complexity, but does not require authentication. No known public exploits are currently available.
What this means
What could happen
An attacker with network access to a DNS resolver on one of these devices could manipulate DNS responses, causing control systems to connect to incorrect network destinations. This could disrupt communication between engineering workstations, SCADA systems, and field devices, or redirect traffic to malicious servers.
Who's at risk
This affects multiple Siemens industrial networking products used in transportation and utility environments: communication modules (SIMATIC CP series), mobile routers (SCALANCE M-800, SCALANCE W1750D), rugged switches (RUGGEDCOM RM1224), industrial edge devices (SIMATIC MV series), cloud connectivity gateways (SIMATIC Cloud Connect 7), and remote access servers (SINEMA Remote Connect Server). Organizations using these devices for plant-wide network communication, remote engineering access, or inter-site connectivity should prioritize patching.
How it could be exploited
An attacker sends specially crafted ICMP packets to trigger a flaw in the Linux kernel's DNS resolver handling on the affected device. By exploiting this weakness, the attacker can inject false DNS responses that redirect subsequent queries to attacker-controlled addresses. The attack requires network reachability to the device but does not require authentication or user interaction.
Prerequisites
- Network-layer access to the affected device (ICMP packets must be able to reach it)
- Device must be making outbound DNS queries
- Device must be running a vulnerable version of the Linux kernel in the version ranges listed
- remotely exploitable
- no authentication required
- DNS resolver flaw: affects any system querying DNS
- high CVSS score (7.4)
- multiple affected products across critical network infrastructure
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (32)
32 with fix
Product                                   Affected Versions       Fix Status
RUGGEDCOM RM1224 family (6GK6108-4AM00)   ≥ V5.0 and < V6.4       6.4
SCALANCE M-800 family                     ≥ V5.0 and < V6.4       6.4
SCALANCE S615                             ≥ V5.0 and < V6.4       6.4
SCALANCE SC-600 family                    < V2.1.3                2.1.3
SCALANCE W1750D                           8.3.0.1|8.6.0|8.7.0     8.7.1.3
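An added example, not part of the advisory: triaging an asset inventory against the affected-version ranges in the table above. The shortened product keys, the status labels and the inventory (hostnames, firmware versions) are constructed for illustration, and only the five rows shown in the table are covered.

```python
import re

# Rows copied from the advisory's product table (affected versions, fix).
# "range": low <= v < fixed; "list": the exact versions the advisory names.
ADVISORY = {
    "RUGGEDCOM RM1224": ("range", "5.0", "6.4"),
    "SCALANCE M-800":   ("range", "5.0", "6.4"),
    "SCALANCE S615":    ("range", "5.0", "6.4"),
    "SCALANCE SC-600":  ("range", "0", "2.1.3"),
    "SCALANCE W1750D":  ("list", ("8.3.0.1", "8.6.0", "8.7.0"), "8.7.1.3"),
}

def parse_version(text):
    """'V6.4' / 'v6.4.0' / '8.7.1.3' -> int tuple, trailing zeros dropped."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while parts and parts[-1] == 0:
        parts.pop()          # so that 6.4 and 6.4.0 compare equal
    return tuple(parts)

def classify(product, version):
    """Return (status, fixed_version) for one device."""
    if product not in ADVISORY:
        return ("not_listed", None)
    kind, affected, fixed = ADVISORY[product]
    v = parse_version(version)
    if v >= parse_version(fixed):
        return ("fixed", fixed)
    if kind == "range":
        status = "affected" if v >= parse_version(affected) else "below_range"
    else:  # below the fix but not a version the advisory names: check by hand
        named = {parse_version(a) for a in affected}
        status = "affected" if v in named else "review"
    return (status, fixed)

# Constructed inventory: hostnames and versions are made up for the example.
INVENTORY = [
    ("rtr-substation-1", "SCALANCE M-800", "V6.2"),
    ("fw-cell-3", "SCALANCE S615", "V6.4"),
    ("sw-line-2", "SCALANCE SC-600", "V2.0.1"),
    ("ap-yard-1", "SCALANCE W1750D", "8.6.0"),
    ("ap-yard-2", "SCALANCE W1750D", "8.7.1.0"),
]

def triage(inventory):
    return [(host, *classify(product, ver)) for host, product, ver in inventory]

for row in triage(INVENTORY):
    print(*row)
```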
Remediation & Mitigation
Do now
WORKAROUND: Restrict outgoing ICMP packets using service ACLs or firewall blocking rules
HARDENING: Restrict access to CLI and web-based management interfaces to a dedicated VLAN or controlled firewall policies
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
SCALANCE S615
HOTFIX: Update SCALANCE S615 to firmware v6.4 or later
SCALANCE W1750D
HOTFIX: Update SCALANCE W1750D to firmware v8.7.1.3 or later
SIMATIC CP 1242-7 V2
HOTFIX: Update SIMATIC CP 1242-7 V2 to firmware v3.3 or later
SIMATIC CP 1243-1
HOTFIX: Update SIMATIC CP 1243-1 (all variants) to firmware v3.3.46 or later
SIMATIC CP 1243-7 LTE EU
HOTFIX: Update SIMATIC CP 1243-7 LTE EU to firmware v3.3 or later
SIMATIC CP 1243-7 LTE US
HOTFIX: Update SIMATIC CP 1243-7 LTE US to firmware v3.3 or later
SIMATIC CP 1243-8 IRC
HOTFIX: Update SIMATIC CP 1243-8 IRC to firmware v3.3.46 or later
SIMATIC CP 1542SP-1
HOTFIX: Update SIMATIC CP 1542SP-1 (all variants) to firmware v2.2.28 or later
SIMATIC CP 1545-1
HOTFIX: Update SIMATIC CP 1545-1 to firmware v1.1 or later
SINEMA Remote Connect Server
HOTFIX: Update SINEMA Remote Connect Server to v3.0 SP1 or later
SIPLUS TIM 1531 IRC
HOTFIX: Update SIPLUS TIM 1531 IRC to firmware v2.2 Update 1 or later
TIM 1531 IRC
HOTFIX: Update TIM 1531 IRC to firmware v2.2 Update 1 or later
All products
HOTFIX: Update RUGGEDCOM RM1224 to firmware v6.4 or later
HOTFIX: Update SCALANCE M-800 to firmware v6.4 or later
HOTFIX: Update SCALANCE SC-600 to firmware v2.1.3 or later
HOTFIX: Update SIMATIC Cloud Connect 7 CC712 to v1.6 or later
HOTFIX: Update SIMATIC Cloud Connect 7 CC716 to v1.6 or later
HOTFIX: Update SIMATIC CP 1543-1 (all variants) to firmware v3.0 or later
HOTFIX: Update SIMATIC MV540 H to firmware v3.1 or later
HOTFIX: Update SIMATIC MV540 S to firmware v3.1 or later
HOTFIX: Update SIMATIC MV550 H to firmware v3.1 or later
HOTFIX: Update SIMATIC MV550 S to firmware v3.1 or later
HOTFIX: Update SIMATIC MV560 U to firmware v3.1 or later
HOTFIX: Update SIMATIC MV560 X to firmware v3.1 or later
Long-term hardening
HARDENING: Configure DNS resolvers to use internal name servers rather than external resolvers where possible
HARDENING: Isolate control system networks behind firewalls and separate them from business networks
CVEs (1)