OTPulse

Siemens LOGO! CMR and SIMATIC RTU 3000

Plan PatchCVSS 7.5ICS-CERT ICSA-21-257-20Sep 14, 2021
Siemens
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Successful exploitation of these vulnerabilities in Siemens LOGO! CMR and SIMATIC RTU 3000 devices could allow an attacker with network access to impact availability or communicate with invalid certificates. Two weaknesses are present: improper size calculations in memory handling (CWE-131) and failure to validate server certificates (CWE-295). An attacker could exploit the certificate validation flaw to perform man-in-the-middle attacks on device communications with external servers, potentially intercepting or redirecting sensitive process control data.

What this means
What could happen
An attacker with network access to these devices could disrupt availability or intercept communications with invalid certificates, potentially allowing them to impersonate external services like SCADA systems or remote monitoring platforms that the RTU/CMR relies on.
Who's at risk
This affects water and electric utility operators who use Siemens LOGO! CMR communication/monitoring devices (CMR2020 and CMR2040) or SIMATIC RTU 3000 series remote terminal units. These are commonly used for SCADA telemetry, remote site monitoring, and process data collection. Any facility with these devices exposed on an internal network segment or with remote connectivity to external services is at risk.
How it could be exploited
An attacker on the same network segment as a LOGO! CMR or SIMATIC RTU 3000 device could perform a man-in-the-middle attack by presenting invalid certificates to the device. Because the device does not properly validate certificates (CWE-295), it would accept the attacker's certificate and allow the attacker to intercept or redirect communications to external servers, potentially capturing credentials or injecting false data into process control operations.
Prerequisites
  • Network access to the same segment as the affected device (not internet-exposed)
  • Device configured to communicate with external servers over encrypted channels
  • No certificate pinning or validation enabled on the device
Remotely exploitable from internal networkNo authentication required for exploitationLow complexity attack (man-in-the-middle)Affects critical OT communication devicesNo patch available for SIMATIC RTU 3000 (workaround only)
Exploitability
Unlikely to be exploited — EPSS score 1.0%
Affected products (9)
9 with fix
ProductAffected VersionsFix Status
LOGO! CMR2020< V2.22.2
LOGO! CMR2040< V2.22.2
SIMATIC RTU3010C< V5.0.145.0.14
SIMATIC RTU3030C< V5.0.145.0.14
SIMATIC RTU3031C< V5.0.145.0.14
SIMATIC RTU3041C< V5.0.145.0.14
LOGO! CMR2040: all< 2.22.2
SIMATIC RTU 3000 family: all versionsAll versions2.2
Remediation & Mitigation
0/5
Do now
0/2
HARDENINGFor SIMATIC RTU 3000: Enable the certificate pinning/protection feature and pin the valid certificates of all external servers (SCADA, historian, remote monitoring platforms) the device communicates with
WORKAROUNDIf remote access to these devices is required, use a VPN with current security patches to restrict administrative connections
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

LOGO! CMR2020
HOTFIXUpdate LOGO! CMR2020 to firmware version 2.2 or later
LOGO! CMR2040
HOTFIXUpdate LOGO! CMR2040 to firmware version 2.2 or later
Long-term hardening
0/1
HARDENINGSegment control system networks from business networks using firewalls; ensure LOGO! CMR and RTU 3000 devices are not reachable from the Internet
View full CISA ICS-CERT advisory
API: /api/v1/advisories/a6a52135-5a2f-4b28-91d4-5b6941a9f667

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Siemens LOGO! CMR and SIMATIC RTU 3000 | CVSS 7.5 - OTPulse