Siemens LOGO! CMR and SIMATIC RTU 3000
Priority: Plan Patch (score 7.5)
ICS-CERT advisory: ICSA-21-257-20
Published: Sep 14, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Successful exploitation of these vulnerabilities in Siemens LOGO! CMR and SIMATIC RTU 3000 devices could allow an attacker with network access to impact device availability or to communicate with the device using invalid certificates. Two weaknesses are present: an incorrect buffer size calculation in memory handling (CWE-131), and a failure to validate the certificates of the external servers the device connects to (CWE-295). An attacker positioned between the device and one of those servers could exploit the certificate validation flaw to perform a man-in-the-middle attack, intercepting or redirecting process control data that the device sends or receives.
What this means
What could happen
An attacker with network access to these devices could disrupt their availability, or could intercept and tamper with their encrypted communications by presenting an invalid certificate. The latter lets the attacker impersonate external services the RTU or CMR relies on, such as a SCADA server or a remote monitoring platform.
Who's at risk
This affects water and electric utility operators that use Siemens LOGO! CMR communication and monitoring devices (CMR2020 and CMR2040) or SIMATIC RTU 3000 series remote terminal units. These devices are commonly used for SCADA telemetry, remote site monitoring, and process data collection. Any facility with these devices reachable on an internal network segment, or configured to connect to external services over the Internet or a carrier network, is at risk.
How it could be exploited
An attacker who can place themselves on the path between a LOGO! CMR or SIMATIC RTU 3000 device and an external server it talks to (for example on the same network segment, or at any hop the traffic crosses) can present a certificate that is not valid for that server, such as a self-signed or mismatched one. Because the device does not properly validate server certificates (CWE-295), it completes the TLS handshake with the attacker instead of the real server. The attacker can then read the traffic, forward it to the real server, or answer in its place, which could expose any credentials the device sends and allow false data or commands to be injected into process control operations.
Prerequisites
- An on-path position between the affected device and the external server it communicates with (for example, access to the same network segment as the device)
- Device configured to communicate with external servers over encrypted (TLS) channels
- Certificate pinning not enabled on the device (the device's own validation is the flaw, so without pinning any certificate is accepted)
Key points:
- Remotely exploitable from the internal network
- No authentication required for exploitation
- Low complexity attack (man-in-the-middle)
- Affects critical OT communication devices
- No patch available for SIMATIC RTU 3000 (workaround only)
Exploitability
Low exploit probability (EPSS 1.0%)
Affected products (3)
Product                      Affected Versions   Fix Status
LOGO! CMR2040                all < 2.2           2.2
LOGO! CMR2020                all < 2.2           2.2
SIMATIC RTU 3000 family      All versions        2.2
Remediation & Mitigation
Do now
- HARDENING: For SIMATIC RTU 3000, enable the certificate pinning/protection feature and pin the valid certificates of all external servers (SCADA, historian, remote monitoring platforms) the device communicates with.
- WORKAROUND: If remote access to these devices is required, use a VPN with current security patches to restrict administrative connections.
Schedule (requires maintenance window)
Patching may require a device reboot; plan for process interruption.
- HOTFIX: Update LOGO! CMR2020 to firmware version 2.2 or later.
- HOTFIX: Update LOGO! CMR2040 to firmware version 2.2 or later.
Long-term hardening
- HARDENING: Segment control system networks from business networks using firewalls; ensure LOGO! CMR and RTU 3000 devices are not reachable from the Internet.
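The two sides of this advisory, the missing server-certificate validation described under "How it could be exploited" and the certificate pinning workaround recommended for the RTU 3000, are shown side by side below as an added example in Python. This is not Siemens firmware or advisory code, and the device's real TLS stack is not shown; it illustrates the same client-side decision with the standard library. The hostname, the helper names, and the two byte strings standing in for DER certificates are constructed placeholders.

```python
"""CWE-295 on the client side, and certificate pinning as the workaround.

Added example, not Siemens code. The LOGO! CMR / RTU 3000 act as TLS
*clients* when they call out to SCADA, historian or monitoring servers,
so the relevant question is what the client does with the certificate the
server presents. LEGIT_SERVER_DER / ATTACKER_DER are constructed bytes,
not real certificates; a pin is just SHA-256 over the DER, so no parsing
is needed to demonstrate the check.
"""
import hashlib
import socket
import ssl
from typing import Dict, Optional, Set


def weak_context() -> ssl.SSLContext:
    """Mirrors the weakness: neither the chain nor the name is checked, so
    any on-path host presenting any certificate completes the handshake."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE   # chain validation disabled
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Validates the chain against trusted CAs (system store, or the given
    file) and enforces hostname matching; TLS 1.2 is the floor."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_settings(ctx: ssl.SSLContext) -> Dict[str, object]:
    """Expose the two settings that decide whether CWE-295 applies."""
    return {"verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, lowercase hex. This is the
    value an operator records when pinning an external server's cert."""
    return hashlib.sha256(der_cert).hexdigest()


def verify_pin(der_cert: bytes, pinned: Set[str]) -> bool:
    """Accept the peer only if its certificate matches a recorded pin.
    Chain validation alone would still accept an attacker who obtained a
    certificate from any CA the device trusts; the pin closes that gap."""
    return fingerprint(der_cert) in pinned


def connect_pinned(host: str, port: int, pinned: Set[str],
                   cafile: Optional[str] = None) -> ssl.SSLSocket:
    """Open a TLS connection that both validates the chain and enforces a pin.
    Hypothetical client routine; run against a real server to exercise it."""
    ctx = hardened_context(cafile)
    raw = socket.create_connection((host, port), timeout=10)
    tls = ctx.wrap_socket(raw, server_hostname=host)  # chain + hostname here
    der = tls.getpeercert(binary_form=True)
    if der is None or not verify_pin(der, pinned):
        tls.close()
        raise ssl.SSLCertVerificationError(
            f"certificate presented for {host} does not match a pinned fingerprint")
    return tls


# Constructed placeholder bytes standing in for two DER certificates:
# the legitimate SCADA server's, and one an on-path attacker would present.
LEGIT_SERVER_DER = b"\x30\x82\x01\x00constructed-legitimate-scada-server-cert"
ATTACKER_DER = b"\x30\x82\x01\x00constructed-on-path-attacker-cert"

# What the operator records when enabling pinning for that server.
PINNED = {fingerprint(LEGIT_SERVER_DER)}


if __name__ == "__main__":
    print("weak client   :", context_settings(weak_context()))
    print("hardened client:", context_settings(hardened_context()))
    print("legit server accepted :", verify_pin(LEGIT_SERVER_DER, PINNED))
    print("attacker cert accepted:", verify_pin(ATTACKER_DER, PINNED))
    # connect_pinned("scada.example.internal", 443, PINNED)  # hypothetical host
```

The pin is taken over the whole leaf certificate, which is the simplest form and matches the "pin the valid certificates of all external servers" wording above; it means every certificate renewal on the server side must be followed by updating the pin on the device, so schedule the two together. Note that pinning is layered on top of, not instead of, chain and hostname validation: `connect_pinned` only reaches the pin check after `wrap_socket` has already rejected certificates that fail the normal checks.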
CVEs (2)