OTPulse

Siemens Industrial Products LLDP (Update D)

Plan PatchCVSS 9.8ICS-CERT ICSA-21-194-07Jul 13, 2021
SiemensManufacturingTransportation
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Multiple vulnerabilities exist in a third-party Link Layer Discovery Protocol (LLDP) library integrated into Siemens industrial networking products. These vulnerabilities (CWE-120 buffer overflow, CWE-400 uncontrolled resource consumption) can be exploited by sending crafted LLDP packets to affected devices on the network, potentially allowing remote code execution, device configuration changes, or denial of service. The vulnerabilities affect 16 product lines across Siemens industrial communication modules, HMI panels, and machine controllers.

What this means
What could happen
An attacker with network access could exploit LLDP vulnerabilities in Siemens industrial communication modules to execute arbitrary code, potentially disrupting plant network visibility, altering device configuration, or halting automated processes depending on the affected device's role in the control system.
Who's at risk
Manufacturing and transportation facilities using Siemens industrial communication products should be concerned. Affected devices include SIMATIC CP communication modules (1243, 1542, 1543, 1545 series), SIPLUS industrial variants, TIM 1531 industrial modems, HMI Unified Comfort Panels, and SINUMERIK ONE machine controllers. These devices provide Ethernet connectivity to PLCs, distributed I/O systems, and HMI interfaces in production and process control environments.
How it could be exploited
An attacker on the same network segment as an affected Siemens industrial communication device sends a crafted LLDP packet to the device's Ethernet port. The vulnerable LLDP library fails to properly validate the packet, allowing buffer overflow or denial-of-service conditions that lead to code execution or device reboot. No authentication is required.
Prerequisites
  • Network access to Ethernet port of affected device
  • Device running vulnerable LLDP library version
  • LLDP protocol enabled on Ethernet port (default state)
remotely exploitableno authentication requiredlow complexitycritical CVSS (9.8)affects network communication in industrial automationLLDP enabled by default on Ethernet interfaces
Exploitability
Some exploitation risk — EPSS score 4.2%
Affected products (17)
17 with fix
ProductAffected VersionsFix Status
SIMATIC CP 1243-1<V3.3.463.3.46
SIMATIC CP 1243-8 IRC<V3.3.463.3.46
SIMATIC CP 1542SP-1<V2.2.282.2.28
SIMATIC CP 1542SP-1 IRC<V2.2.282.2.28
SIMATIC CP 1543-1<V3.03.0
Remediation & Mitigation
0/14
Do now
0/1
WORKAROUNDDisable LLDP protocol on affected device Ethernet ports via configuration. Note: This may impact network discovery and visibility tools.
Schedule — requires maintenance window
0/11

Patching may require device reboot — plan for process interruption

SIMATIC CP 1243-1
HOTFIXUpdate SIMATIC CP 1243-1 (incl. SIPLUS variants) to firmware v3.3.46 or later
SIMATIC CP 1542SP-1
HOTFIXUpdate SIMATIC CP 1542SP-1 (incl. SIPLUS variants) to firmware v2.2.28 or later
SIMATIC CP 1543-1
HOTFIXUpdate SIMATIC CP 1543-1 (incl. SIPLUS NET variant) to firmware v3.0 or later
SIMATIC CP 1543SP-1
HOTFIXUpdate SIMATIC CP 1543SP-1 (incl. SIPLUS variant) to firmware v2.2.28 or later
SIMATIC CP 1545-1
HOTFIXUpdate SIMATIC CP 1545-1 to firmware v1.1 or later
SIMATIC HMI Unified Comfort Panels
HOTFIXUpdate SIMATIC HMI Unified Comfort Panels to firmware v17 or later
SINUMERIK ONE MCP
HOTFIXUpdate SINUMERIK ONE MCP to firmware v2.0.1 or later (contact Siemens representative for update availability)
TIM 1531 IRC
HOTFIXUpdate TIM 1531 IRC (incl. SIPLUS NET variants) to firmware v2.2 or later
SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL
HOTFIXUpdate SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL to firmware v2.2.28 or later
SIPLUS ET 200SP CP 1543SP-1 ISEC
HOTFIXUpdate SIPLUS ET 200SP CP 1543SP-1 ISEC (TX RAIL variant) to firmware v2.2.28 or later
All products
HOTFIXUpdate SIMATIC NET CP 1243-8 IRC to firmware v3.3.46 or later
Long-term hardening
0/2
HARDENINGIsolate affected Siemens industrial communication devices on a separate network segment behind firewall rules that restrict network access to known trusted sources only
HARDENINGEnsure industrial network is segregated from business network and not directly accessible from the Internet
View full CISA ICS-CERT advisory
API: /api/v1/advisories/9b19e2c2-a532-421d-9028-a5bd0432f4fc

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.