OTPulse

Siemens LOGO! CMR and SIMATIC RTU 3000 (Update A)

Monitor · 5.4 · ICS-CERT ICSA-21-257-13 · Sep 14, 2021
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A TCP/IP stack vulnerability in LOGO! CMR and SIMATIC RTU 3000 devices allows an attacker with access to the local area network (LAN) interface to hijack ongoing TCP/IP connections or spoof new connections. The WAN interface is not affected. The vulnerability does not require authentication. Siemens has released firmware updates (LOGO! CMR v2.2, SIMATIC RTU 3000 v4.0.9) to address this issue.

What this means
What could happen
An attacker on the local network could intercept or forge TCP/IP communications with LOGO! CMR or SIMATIC RTU 3000 devices, potentially allowing connection hijacking or spoofing that could alter device behavior or disrupt monitoring and control functions.
Who's at risk
Water utilities, power plants, and other facilities using Siemens LOGO! CMR (modular RTU controllers) or SIMATIC RTU 3000 series devices for remote terminal unit functions, telemetry, and control signaling should prioritize this fix. The vulnerability affects devices managing I/O communication and network-based monitoring on local area networks.
How it could be exploited
An attacker with access to the local area network (LAN) can intercept TCP/IP traffic to the affected device or inject forged packets to hijack an existing connection or establish a spoofed connection, enabling unauthorized command execution or data manipulation.
Prerequisites
  • Network access to the LAN interface of the affected device (WAN interface is not vulnerable)
  • No authentication required
  • Attacker must be on the same network segment or have a direct network path to the device

No authentication required · Low complexity attack · Affects local network access only (not remotely exploitable) · No known public exploits · TCP/IP stack vulnerability in devices handling critical control signaling
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (6)
6 with fix
Product              Affected Versions   Fix Status
LOGO! CMR2020        < V2.2              2.2
LOGO! CMR2040        < V2.2              2.2
SIMATIC RTU3010C     < V4.0.9            4.0.9
SIMATIC RTU3030C     < V4.0.9            4.0.9
SIMATIC RTU3031C     < V4.0.9            4.0.9
SIMATIC RTU3041C     < V4.0.9            4.0.9
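Working out which units in an asset inventory still sit below the fix versions in the table is the first step of the remediation work. The script below is an added illustration for this page, not OTPulse or Siemens code: the fix versions are taken from the advisory table, while the inventory rows, hostnames and the "Unlisted product" entry are constructed sample data. It parses Siemens-style "V4.0.9" strings numerically so that, for example, a hypothetical 2.10 is not mis-ranked below 2.2.

```python
"""Flag LOGO! CMR / SIMATIC RTU 3000 units whose firmware is below the advisory's fix version.

Added example for this advisory page (not OTPulse or Siemens code). Fix versions come
from the advisory table; the inventory below is constructed sample data.
"""
from __future__ import annotations

import re

# Fixed firmware version per affected product, as listed in the advisory table.
FIX_VERSIONS: dict[str, str] = {
    "LOGO! CMR2020": "2.2",
    "LOGO! CMR2040": "2.2",
    "SIMATIC RTU3010C": "4.0.9",
    "SIMATIC RTU3030C": "4.0.9",
    "SIMATIC RTU3031C": "4.0.9",
    "SIMATIC RTU3041C": "4.0.9",
}

# Constructed sample inventory: hostnames and firmware levels are made up.
SAMPLE_INVENTORY: list[dict[str, str]] = [
    {"host": "rtu-pump-01", "product": "SIMATIC RTU3030C", "firmware": "V4.0.8"},
    {"host": "rtu-pump-02", "product": "SIMATIC RTU3030C", "firmware": "V4.0.9"},
    {"host": "cmr-site-07", "product": "LOGO! CMR2040", "firmware": "V2.1"},
    {"host": "cmr-site-08", "product": "LOGO! CMR2020", "firmware": "V2.2"},
    {"host": "misc-dev-03", "product": "Unlisted product", "firmware": "V1.0"},
]


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'V2.2', 'v4.0.9' or '2.10' into a tuple of ints for correct ordering.

    Comparing the raw strings would rank '2.10' below '2.2'; splitting into
    integers gives (2, 10) > (2, 2) as intended.
    """
    match = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def is_affected(product: str, firmware: str) -> bool:
    """True when the product is in the advisory and its firmware is below the fix version.

    Products not named in the advisory are reported as not affected by *this* advisory.
    """
    fix = FIX_VERSIONS.get(product)
    if fix is None:
        return False
    return parse_version(firmware) < parse_version(fix)


def triage(inventory: list[dict[str, str]]) -> list[dict[str, str]]:
    """Return the inventory rows that still need the update, each with its target version."""
    findings = []
    for device in inventory:
        if is_affected(device["product"], device["firmware"]):
            findings.append({**device, "fix": FIX_VERSIONS[device["product"]]})
    return findings


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f"{row['host']}: {row['product']} {row['firmware']} -> update to {row['fix']}")
```

Feeding a real inventory export into `triage()` produces the list of hosts for the maintenance-window schedule; the "Unlisted product" row shows that devices outside the advisory are simply skipped rather than mis-flagged.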
Remediation & Mitigation
Do now
WORKAROUND: Implement firewall rules to restrict network access to these devices from known management stations only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

LOGO! CMR2020
HOTFIX: Update LOGO! CMR2020 to firmware version 2.2 or later
LOGO! CMR2040
HOTFIX: Update LOGO! CMR2040 to firmware version 2.2 or later
SIMATIC RTU3010C
HOTFIX: Update SIMATIC RTU3010C to firmware version 4.0.9 or later
SIMATIC RTU3030C
HOTFIX: Update SIMATIC RTU3030C to firmware version 4.0.9 or later
SIMATIC RTU3031C
HOTFIX: Update SIMATIC RTU3031C to firmware version 4.0.9 or later
SIMATIC RTU3041C
HOTFIX: Update SIMATIC RTU3041C to firmware version 4.0.9 or later
Long-term hardening
HARDENING: Segment the network so that these devices are isolated from untrusted network segments and the business network