OTPulse

Siemens SIMATIC NET CP343-1

Monitor | CVSS 7.5 | ICS-CERT ICSA-21-131-07 | May 11, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in SIMATIC CP343-1 communication modules (Standard, Lean, Advanced, and SIPLUS variants, all versions) allows an attacker to cause a denial-of-service condition on TCP port 102 by sending specially crafted packets. The vulnerability exists in the TCP stack handling and can be triggered without authentication. Siemens has not released a patch for any variant of this product.

What this means
What could happen
An attacker can crash the CP343-1 device's TCP port 102 interface by sending malformed packets, causing temporary loss of communication with the PLC and interrupting industrial processes that depend on S7 protocol communication.
Who's at risk
Water authorities and utilities operating Siemens SIMATIC NET CP343-1 communication modules (Standard, Lean, or Advanced variants) in PLCs and industrial controllers should be aware of this vulnerability. The CP343-1 is commonly used for S7 Ethernet communication in process control systems. SIPLUS variants used in harsh environments are equally affected.
How it could be exploited
An attacker on the network sends specially crafted TCP packets to port 102 of the CP343-1 device. The device fails to properly validate or handle these packets, causing a denial-of-service condition that makes the interface unresponsive. No authentication is required.
Prerequisites
  • Network access to TCP port 102 on the CP343-1 device
  • Device must be reachable from the attacker's network segment
Remotely exploitable | No authentication required | Low complexity attack | No patch available | Affects all versions | Network-accessible interface
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
SIMATIC NET CP 343-1 Advanced (incl. SIPLUS variants) | All versions | No fix (EOL)
SIMATIC NET CP 343-1 Lean (incl. SIPLUS variants) | All versions | No fix (EOL)
SIMATIC NET CP 343-1 Standard (incl. SIPLUS variants) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to TCP port 102 on CP343-1 devices using firewall rules or network segmentation. Only allow authorized engineering workstations and HMI systems to communicate with the device.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC NET CP 343-1 Advanced (incl. SIPLUS variants), SIMATIC NET CP 343-1 Lean (incl. SIPLUS variants), SIMATIC NET CP 343-1 Standard (incl. SIPLUS variants). Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate CP343-1 devices on a dedicated PLC VLAN with strict ingress/egress rules.
HARDENING: Monitor for unusual traffic patterns on port 102 and configure alerts for connection attempts from unexpected sources.
HARDENING: Follow Siemens operational guidelines for Industrial Security and implement environment hardening per product manuals.
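
One way to implement the port 102 monitoring control above, as an added example that is not part of the advisory or any Siemens tooling. The flow-record format, device addresses and allowlist are assumptions constructed for illustration (documentation IP ranges); adapt them to the site's own flow export and inventory.

```python
import ipaddress
from collections import Counter

S7_PORT = 102  # TCP port named in the advisory (S7 communication)

# Assumed site inventory: constructed values from RFC 5737 documentation ranges.
CP343_DEVICES = {ipaddress.ip_address("192.0.2.10"), ipaddress.ip_address("192.0.2.11")}
AUTHORIZED_SOURCES = [
    ipaddress.ip_network("192.0.2.64/28"),   # engineering workstations (assumed)
    ipaddress.ip_network("192.0.2.100/32"),  # HMI (assumed)
]

# Constructed flow records in an assumed format: "timestamp src dst dst_port proto"
SAMPLE_FLOWS = """\
2021-05-11T08:00:01Z 192.0.2.65 192.0.2.10 102 tcp
2021-05-11T08:00:04Z 192.0.2.100 192.0.2.11 102 tcp
2021-05-11T08:01:17Z 198.51.100.23 192.0.2.10 102 tcp
2021-05-11T08:01:18Z 198.51.100.23 192.0.2.11 102 tcp
2021-05-11T08:02:30Z 198.51.100.23 192.0.2.10 443 tcp
2021-05-11T08:03:02Z 192.0.2.200 192.0.2.10 102 tcp
malformed line
"""

def is_authorized(src):
    """True if the source address falls inside any allowlisted network."""
    return any(src in net for net in AUTHORIZED_SOURCES)

def find_unexpected_s7_sources(flow_text):
    """Return {source_ip: attempts} for TCP/102 flows to CP343-1 devices
    that come from sources outside the allowlist."""
    hits = Counter()
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip records that do not match the assumed format
        _, src, dst, port, proto = fields
        try:
            src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            port_no = int(port)
        except ValueError:
            continue  # unparsable address or port
        if proto != "tcp" or port_no != S7_PORT or dst_ip not in CP343_DEVICES:
            continue
        if not is_authorized(src_ip):
            hits[str(src_ip)] += 1
    return dict(hits)

if __name__ == "__main__":
    for src, count in sorted(find_unexpected_s7_sources(SAMPLE_FLOWS).items()):
        print(f"ALERT unexpected source {src}: {count} attempt(s) to TCP/{S7_PORT}")
```

Sources inside the PLC subnet but outside the allowlist (192.0.2.200 in the sample) are flagged as well, which is the case a perimeter-only firewall rule would miss.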