OTPulse

Siemens RWG Universal Controllers

Monitor | 6.5 | ICS-CERT ICSA-21-194-14 | Jul 13, 2021
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A denial-of-service vulnerability in the ARP protocol implementation of Siemens RWG Universal Controller devices (RWG1.M8, RWG1.M12, RWG1.M12D) allows an attacker on the same Layer 2 network to send crafted ARP packets that cause the device to become unresponsive. Siemens has released firmware updates to version 1.16.16 or later. This vulnerability is not remotely exploitable over the Internet and no public exploit code exists.

What this means
What could happen
An attacker on the same local network can send malformed ARP packets that crash the RWG Universal Controller, causing a loss of control functionality for whatever process the device manages (water treatment, electrical distribution, etc.).
Who's at risk
Water authorities and utilities using Siemens RWG Universal Controllers (models RWG1.M8, RWG1.M12, RWG1.M12D) for process control should assess whether these devices are in their environment. Any facility relying on these controllers for regulatory control, pump operation, or distribution system management is affected.
How it could be exploited
An attacker with access to the same Layer 2 network segment (Ethernet switch) as the RWG controller sends crafted ARP packets designed to trigger a buffer overflow or exception in the device's ARP implementation. The device becomes unresponsive and requires manual restart to restore control operations.
Prerequisites
  • Access to the same Layer 2 network segment (local Ethernet switch) as the affected RWG device
  • No credentials or authentication required
No authentication required · Low attack complexity · Affects process availability (denial of service) · Attacker must be on local network (limits remote threat)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (3)
3 with fix
Product      Affected Versions   Fix Status
RWG1.M8      < V1.16.16          V1.16.16
RWG1.M12     < V1.16.16          V1.16.16
RWG1.M12D    < V1.16.16          V1.16.16
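
An added example (not part of the advisory or of any Siemens tooling): a check over an asset-inventory export that flags the three affected models running firmware below V1.16.16. The CSV column names, hostnames and sample rows are constructed for illustration. Versions are compared numerically because a plain string comparison would rank 1.16.9 above 1.16.16.

```python
import csv
import io

# From the advisory: affected models and the first fixed firmware version.
AFFECTED_MODELS = {"RWG1.M8", "RWG1.M12", "RWG1.M12D"}
FIXED_VERSION = (1, 16, 16)

# Constructed sample inventory export; column names are an assumption.
SAMPLE_INVENTORY = """\
hostname,model,firmware
pump-ctl-01,RWG1.M8,V1.16.9
pump-ctl-02,RWG1.M12,v1.16.16
dosing-ctl-01,RWG1.M12D,1.15
hvac-ctl-07,RWG1.M12,V1.17.2
valve-ctl-03,rwg1.m8,unknown
hmi-panel-02,OTHER-HMI,V1.0.0
"""


def parse_version(text):
    """Turn 'V1.16.9' / '1.15' into a padded int tuple; None if unparseable."""
    parts = text.strip().lstrip("vV").split(".")
    if not parts or not all(p.isdigit() for p in parts):
        return None
    nums = [int(p) for p in parts[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def assess(inventory_csv):
    """Return {hostname: status} for affected models only."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if row["model"].strip().upper() not in AFFECTED_MODELS:
            continue  # not one of the three RWG models in the advisory
        version = parse_version(row["firmware"])
        if version is None:
            status = "verify"       # unknown firmware: check on the device
        elif version < FIXED_VERSION:
            status = "vulnerable"   # below V1.16.16
        else:
            status = "fixed"
        results[row["hostname"]] = status
    return results


if __name__ == "__main__":
    for host, status in assess(SAMPLE_INVENTORY).items():
        print(f"{host:15} {status}")
```
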
Remediation & Mitigation
Do now
WORKAROUND: Restrict Layer 2 network access to the RWG device; only allow trusted systems and personnel on the same Ethernet switch
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update RWG firmware to version 1.16.16 or later using the RWG Controller Graphical programming platform by generating and downloading a new project file to the device
Long-term hardening
HARDENING: Implement network segmentation to isolate RWG controllers and other control devices from the business network using firewalls and VLANs
HARDENING: Ensure control system networks are not directly accessible from the Internet