OTPulse

Siemens Industrial Products LLDP (Update D)

Priority: Act Now
CVSS: 9.8
Advisory: ICS-CERT ICSA-21-194-07
Published: Jul 13, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities exist in a third-party Link Layer Discovery Protocol (LLDP) library integrated into Siemens industrial networking products. They fall into two classes, a classic buffer overflow (CWE-120, buffer copy without checking the size of input) and uncontrolled resource consumption (CWE-400), and are triggered by sending crafted LLDP frames to an affected device on the network, potentially allowing remote code execution, device configuration changes, or denial of service. 17 Siemens products are affected, spanning industrial communication modules, HMI panels, and SINUMERIK machine control panels.

What this means
What could happen
An attacker with network access could exploit LLDP vulnerabilities in Siemens industrial communication modules to execute arbitrary code, potentially disrupting plant network visibility, altering device configuration, or halting automated processes depending on the affected device's role in the control system.
Who's at risk
Manufacturing and transportation facilities using Siemens industrial communication products should be concerned. Affected devices include SIMATIC CP communication modules (1243, 1542SP, 1543, 1543SP, and 1545 series), their SIPLUS variants (ruggedized versions for harsh environments), TIM 1531 IRC telecontrol communication modules, SIMATIC HMI Unified Comfort Panels, and SINUMERIK ONE MCP machine control panels. These devices provide Ethernet connectivity for PLCs, distributed I/O, and HMIs in production and process-control environments.
How it could be exploited
An attacker on the same Ethernet segment as an affected device sends crafted LLDP frames to its Ethernet port. LLDP is link-local: frames are addressed to a reserved multicast MAC (01:80:C2:00:00:0E) that standards-compliant bridges do not forward, so in practice the attacker (or a compromised host or rogue device under their control) must be attached to the same link, or to a switch that floods LLDP rather than consuming it. No authentication is required. The vulnerable library does not properly validate the frame's contents: a malformed frame can overflow a fixed-size buffer (CWE-120), leading to code execution or a crash, or can consume device resources without bound (CWE-400), leading to denial of service or a device reboot.
Prerequisites
  • Network access to Ethernet port of affected device
  • Device running vulnerable LLDP library version
  • LLDP protocol enabled on Ethernet port (default state)
Tags:
  • remotely exploitable
  • no authentication required
  • low complexity
  • critical CVSS (9.8)
  • affects network communication in industrial automation
  • LLDP enabled by default on Ethernet interfaces
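To make the two vulnerability classes concrete, here is an added example written for this page (it is not code from Siemens or from the third-party LLDP library): an LLDPDU builder plus a receiving-side parser that checks every attacker-controlled TLV length against the bytes actually present before slicing (the check a CWE-120 library skips) and caps the number of TLVs processed per frame (the bound a CWE-400 library lacks). The TLV layout (7-bit type, 9-bit length, mandatory Chassis ID, Port ID, TTL and End TLVs) follows IEEE 802.1AB; the sample frames, the MAC addresses and the 64-TLV cap are constructed for illustration and are assumptions, not values from the advisory.

```python
import struct

# IEEE 802.1AB constants
LLDP_ETHERTYPE = 0x88CC
LLDP_NEAREST_BRIDGE = bytes.fromhex("0180c200000e")  # link-local multicast, not forwarded by 802.1D bridges
TLV_END, TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL, TLV_SYSTEM_NAME = 0, 1, 2, 3, 5
MAX_TLV_VALUE = 511  # the 9-bit length field cannot declare more than this
MAX_TLVS = 64        # assumption: illustrative cap on TLVs per frame to bound work (CWE-400)


class LLDPError(ValueError):
    """Raised for any frame the parser refuses instead of trusting its length fields."""


def build_tlv(tlv_type: int, value: bytes) -> bytes:
    if not 0 <= tlv_type <= 127 or len(value) > MAX_TLV_VALUE:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def build_lldpdu(chassis_mac: bytes, port_name: bytes, ttl: int, system_name: bytes = b"") -> bytes:
    """Assemble a well-formed LLDPDU: three mandatory TLVs, optional System Name, End TLV."""
    pdu = build_tlv(TLV_CHASSIS_ID, b"\x04" + chassis_mac)   # chassis subtype 4 = MAC address
    pdu += build_tlv(TLV_PORT_ID, b"\x05" + port_name)       # port subtype 5 = interface name
    pdu += build_tlv(TLV_TTL, struct.pack("!H", ttl))
    if system_name:
        pdu += build_tlv(TLV_SYSTEM_NAME, system_name)
    return pdu + build_tlv(TLV_END, b"")


def build_frame(src_mac: bytes, pdu: bytes) -> bytes:
    """Wrap an LLDPDU in an Ethernet II header addressed to the nearest-bridge group."""
    return LLDP_NEAREST_BRIDGE + src_mac + struct.pack("!H", LLDP_ETHERTYPE) + pdu


def parse_lldpdu(pdu: bytes, max_tlvs: int = MAX_TLVS) -> dict:
    """Walk the TLV chain. Each declared length is validated against the bytes that
    remain before the value is read, and the TLV count is capped."""
    tlvs: dict = {}
    offset, count = 0, 0
    while True:
        if offset + 2 > len(pdu):
            raise LLDPError(f"truncated TLV header at offset {offset}")
        (hdr,) = struct.unpack_from("!H", pdu, offset)
        tlv_type, length = hdr >> 9, hdr & 0x1FF
        offset += 2
        if tlv_type == TLV_END:
            if length != 0:
                raise LLDPError("End-of-LLDPDU TLV must have zero length")
            break
        remaining = len(pdu) - offset
        if length > remaining:  # attacker-controlled length vs. real buffer size
            raise LLDPError(f"TLV type {tlv_type} declares {length} bytes, only {remaining} remain")
        count += 1
        if count > max_tlvs:
            raise LLDPError(f"more than {max_tlvs} TLVs in one LLDPDU")
        tlvs.setdefault(tlv_type, []).append(pdu[offset:offset + length])
        offset += length
    for mandatory in (TLV_CHASSIS_ID, TLV_PORT_ID, TLV_TTL):
        if mandatory not in tlvs:
            raise LLDPError(f"missing mandatory TLV type {mandatory}")
    if len(tlvs[TLV_TTL][0]) != 2:
        raise LLDPError("TTL TLV must be exactly 2 bytes")
    return tlvs


def parse_frame(frame: bytes) -> dict:
    """Strip the Ethernet header and parse the LLDPDU; rejects non-LLDP frames."""
    if len(frame) < 14 or frame[12:14] != struct.pack("!H", LLDP_ETHERTYPE):
        raise LLDPError("not an LLDP frame")
    return parse_lldpdu(frame[14:])


def wellformed(frame: bytes) -> bool:
    try:
        parse_frame(frame)
        return True
    except LLDPError:
        return False


# Constructed sample frames for illustration (not captured traffic).
SRC = bytes.fromhex("001122334455")
GOOD = build_frame(SRC, build_lldpdu(SRC, b"X1", 120, b"cp-example"))
# Hostile: a System Name TLV claims 511 bytes but only 8 follow; an unchecked copy would overrun.
OVERSIZED = build_frame(SRC, build_lldpdu(SRC, b"X1", 120)[:-2]
                        + struct.pack("!H", (TLV_SYSTEM_NAME << 9) | 511) + b"A" * 8)
# Hostile: a flood of tiny optional TLVs to exhaust the per-frame processing budget.
FLOOD = build_frame(SRC, build_lldpdu(SRC, b"X1", 120)[:-2]
                    + build_tlv(TLV_SYSTEM_NAME, b"x") * 1000 + build_tlv(TLV_END, b""))

if __name__ == "__main__":
    for name, frame in (("GOOD", GOOD), ("OVERSIZED", OVERSIZED), ("FLOOD", FLOOD)):
        print(name, "accepted" if wellformed(frame) else "rejected")
```

The point of the example is the order of operations in parse_lldpdu: the declared length is compared with the remaining buffer before any byte of the value is touched, and the frame is refused rather than clamped. A library that slices or memcpy's first and checks later (or never) is the CWE-120 pattern this advisory describes; one that loops over an unbounded TLV chain per frame is the CWE-400 pattern.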
Exploitability
Moderate exploit probability (EPSS 4.2%)
Affected products: 17 (17 with fix available)

Product                    Affected Versions    Fix Status
SIMATIC CP 1243-1          < V3.3.46            V3.3.46
SIMATIC CP 1243-8 IRC      < V3.3.46            V3.3.46
SIMATIC CP 1542SP-1        < V2.2.28            V2.2.28
SIMATIC CP 1542SP-1 IRC    < V2.2.28            V2.2.28
SIMATIC CP 1543-1          < V3.0               V3.0
Remediation & Mitigation
Do now
WORKAROUND: Disable LLDP on the Ethernet ports of affected devices via the device configuration. Confirm with a packet capture on the segment that the port no longer emits LLDP frames (EtherType 0x88CC). Note: this removes the device from LLDP-based topology and network-discovery tools.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC CP 1243-1
HOTFIX: Update SIMATIC CP 1243-1 (incl. SIPLUS variants) to firmware v3.3.46 or later
SIMATIC CP 1542SP-1
HOTFIX: Update SIMATIC CP 1542SP-1 (incl. SIPLUS variants) to firmware v2.2.28 or later
SIMATIC CP 1543-1
HOTFIX: Update SIMATIC CP 1543-1 (incl. SIPLUS NET variant) to firmware v3.0 or later
SIMATIC CP 1543SP-1
HOTFIX: Update SIMATIC CP 1543SP-1 (incl. SIPLUS variant) to firmware v2.2.28 or later
SIMATIC CP 1545-1
HOTFIX: Update SIMATIC CP 1545-1 to firmware v1.1 or later
SIMATIC HMI Unified Comfort Panels
HOTFIX: Update SIMATIC HMI Unified Comfort Panels to firmware v17 or later
SINUMERIK ONE MCP
HOTFIX: Update SINUMERIK ONE MCP to firmware v2.0.1 or later (contact your Siemens representative for update availability)
TIM 1531 IRC
HOTFIX: Update TIM 1531 IRC (incl. SIPLUS NET variants) to firmware v2.2 or later
SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL
HOTFIX: Update SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL to firmware v2.2.28 or later
SIPLUS ET 200SP CP 1543SP-1 ISEC
HOTFIX: Update SIPLUS ET 200SP CP 1543SP-1 ISEC (TX RAIL variant) to firmware v2.2.28 or later
SIMATIC CP 1243-8 IRC
HOTFIX: Update SIMATIC NET CP 1243-8 IRC to firmware v3.3.46 or later
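As an added example for the remediation list above (written for this page, not a Siemens tool), the following triages an asset inventory against the fix versions stated on this page. Versions are compared numerically component by component, because a plain string comparison ranks "V3.3.9" above "V3.3.46" and would wrongly mark such a device as patched. The inventory rows are constructed; the mapping of the two SIPLUS ET 200SP entries to v2.2.28 and the treatment of unknown products as errors are assumptions made for this example.

```python
import re

# Fix versions as stated in the remediation list on this page.
FIXED_VERSION = {
    "SIMATIC CP 1243-1": "V3.3.46",
    "SIMATIC CP 1243-8 IRC": "V3.3.46",
    "SIMATIC CP 1542SP-1": "V2.2.28",
    "SIMATIC CP 1542SP-1 IRC": "V2.2.28",
    "SIMATIC CP 1543-1": "V3.0",
    "SIMATIC CP 1543SP-1": "V2.2.28",
    "SIMATIC CP 1545-1": "V1.1",
    "SIMATIC HMI Unified Comfort Panels": "V17",
    "SINUMERIK ONE MCP": "V2.0.1",
    "TIM 1531 IRC": "V2.2",
    "SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL": "V2.2.28",  # assumption: follows CP 1542SP-1
    "SIPLUS ET 200SP CP 1543SP-1 ISEC": "V2.2.28",         # assumption: follows CP 1543SP-1
}

_VERSION_RE = re.compile(r"^\s*[Vv]?(\d+(?:\.\d+)*)\s*$")


def parse_version(text: str) -> tuple:
    """'V3.3.46' -> (3, 3, 46). Rejects anything that is not a dotted integer version."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_lt(a: str, b: str) -> bool:
    """Numeric, component-wise comparison with zero padding so 'V3.0' equals 'V3.0.0'."""
    va, vb = parse_version(a), parse_version(b)
    n = max(len(va), len(vb))
    va += (0,) * (n - len(va))
    vb += (0,) * (n - len(vb))
    return va < vb


def is_affected(product: str, running: str) -> bool:
    """True when the running firmware is older than the fix version for that product.
    Unknown products raise so they get triaged by hand rather than silently passed."""
    if product not in FIXED_VERSION:
        raise KeyError(f"no fix version on record for {product!r}")
    return version_lt(running, FIXED_VERSION[product])


def triage(inventory):
    """Return (product, running, fixed) for every inventory row that still needs the hotfix."""
    return [(p, v, FIXED_VERSION[p]) for p, v in inventory if is_affected(p, v)]


# Constructed inventory rows for illustration (not real asset data).
SAMPLE_INVENTORY = [
    ("SIMATIC CP 1243-1", "V3.3.9"),    # a string compare would call this newer than V3.3.46
    ("SIMATIC CP 1243-1", "V3.3.46"),
    ("SIMATIC CP 1543-1", "V2.2"),
    ("SIMATIC CP 1543-1", "V3.0.0"),
    ("TIM 1531 IRC", "V2.1.5"),
    ("SIMATIC HMI Unified Comfort Panels", "V17.0.1"),
]

if __name__ == "__main__":
    for product, running, fixed in triage(SAMPLE_INVENTORY):
        print(f"UPDATE {product}: running {running}, fix is {fixed}")
```

Feed it the product name and firmware string exactly as your asset inventory or the device web interface reports them; anything the regex does not recognise (build suffixes, dates) is rejected on purpose so a malformed record cannot be counted as patched.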
Long-term hardening
HARDENING: Isolate affected Siemens industrial communication devices on a separate network segment behind firewall rules that restrict access to known trusted sources only. Note that LLDP frames are link-local and never reach a layer-3 firewall; segmentation helps by keeping untrusted hosts off the device's layer-2 domain, so pair it with switch-port controls on that segment (disable unused ports, port security or 802.1X).
HARDENING: Ensure the industrial network is segregated from the business network and is not directly reachable from the Internet.