Siemens OpenSSL Vulnerabilities in Industrial Products
Monitor | 5.9 | ICS-CERT ICSA-22-104-05 | Jul 13, 2021
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A vulnerability in OpenSSL 1.1.1 versions before 1.1.1k allows unauthenticated attackers to cause a denial of service by sending a maliciously crafted TLS renegotiation message. It affects Siemens industrial networking, control, and communication products that use the vulnerable OpenSSL library. Siemens has released updates for many products; countermeasures are recommended for products without an available fix.
What this means
What could happen
An attacker can crash network devices or communication modules by sending a crafted TLS renegotiation message, disrupting connectivity to control systems, HMIs, and field devices and potentially interrupting plant operations.
Who's at risk
Manufacturing and transportation operators using Siemens SCALANCE networking equipment (managed switches, routers, wireless access points), RUGGEDCOM industrial communications gear, SIMATIC control processors (CP series), S7-1200/1500 PLCs, HMI panels, process historians, RF identification systems, and remote I/O modules should assess exposure. Any plant using these devices for secure remote access, inter-system communication, or cloud connectivity is at risk.
How it could be exploited
An attacker sends a maliciously crafted TLS renegotiation message to a Siemens device that uses TLS/SSL (typically port 443 or another encrypted control channel). The vulnerable OpenSSL library crashes the service, causing a denial of service. No authentication is required; the attacker only needs network reachability to the affected device.
Prerequisites
- Network access to the affected device on its TLS/SSL port (commonly 443 or encrypted communication ports)
- Device must be running a vulnerable version of OpenSSL (1.1.1 < 1.1.1k)
- Device must accept incoming TLS connections
- Remotely exploitable without authentication
- Low attack complexity
- No patch available for some products (SCALANCE S602, S612, S623, S627-2M, W700, SIMATIC Process Historian OPC UA Server, SINAMICS Connect 300)
- Affects multiple device types across critical infrastructure sectors
Exploitability
Moderate exploit probability (EPSS 8.4%)
Affected products (94)
87 with fix, 7 pending

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| RUGGEDCOM CROSSBOW Station Access Controller (SAC) | ≥ V5.2.0 <V5.3 only when running on ROX II V2.14.0 | 5.3 |
| RUGGEDCOM RM1224 LTE(4G) EU | ≥ V6.2 <V7.1 | 7.1 |
| RUGGEDCOM RM1224 LTE(4G) NAM | ≥ V6.2 <V7.1 | 7.1 |
| SCALANCE LPE9403 | <V1.1 | 1.1 |
| SCALANCE M804PB | ≥ V6.2 <V7.1 | 7.1 |
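
A firmware triage check for the rows listed above, added here as an example and not taken from Siemens or the advisory: it evaluates the page's affected-version expressions against a constructed inventory. The function names, the inventory entries, and the rule that versions compare as dotted integers are assumptions; the CROSSBOW SAC row is left out because its range also depends on the ROX II version.

```python
import re
# Ranges and fix versions from the rows above; CROSSBOW SAC omitted (ROX II condition).
ADVISORY = {
    "RUGGEDCOM RM1224 LTE(4G) EU": ("≥ V6.2 <V7.1", "7.1"),
    "RUGGEDCOM RM1224 LTE(4G) NAM": ("≥ V6.2 <V7.1", "7.1"),
    "SCALANCE LPE9403": ("<V1.1", "1.1"),
    "SCALANCE M804PB": ("≥ V6.2 <V7.1", "7.1"),
}
BOUND = re.compile(r"(≥|<)\s*V?(\d+(?:\.\d+)*)")

def parse_version(text):
    """'V6.2' or 'V07.01.00' -> (6, 2) / (7, 1); trailing zero fields are dropped."""
    match = re.search(r"\d+(?:\.\d+)*", text)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    parts = [int(p) for p in match.group().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def in_affected_range(installed, range_expr):
    """True when `installed` satisfies every bound in e.g. '≥ V6.2 <V7.1'."""
    bounds = BOUND.findall(range_expr)
    if not bounds:
        raise ValueError(f"no bounds in {range_expr!r}")
    version = parse_version(installed)
    for op, bound in bounds:
        limit = parse_version(bound)
        if (op == "<" and version >= limit) or (op == "≥" and version < limit):
            return False
    return True

def triage(inventory):
    """Return (product, installed, verdict) for each (product, installed) pair."""
    report = []
    for product, installed in inventory:
        if product not in ADVISORY:
            verdict = "not in table"
        elif in_affected_range(installed, ADVISORY[product][0]):
            verdict = f"affected, update to {ADVISORY[product][1]}"
        else:
            verdict = "outside affected range"
        report.append((product, installed, verdict))
    return report

# Constructed inventory (assumed firmware strings, not real assets).
INVENTORY = [("SCALANCE M804PB", "V6.10.2"), ("SCALANCE LPE9403", "V1.1"),
             ("RUGGEDCOM RM1224 LTE(4G) EU", "V07.01.00")]
print(*triage(INVENTORY), sep="\n")
```

A product reported as "not in table" still needs checking against the full list of 94 affected products, of which only five rows appear here.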
Remediation & Mitigation
Do now
SCALANCE M876-4 (NAM)
WORKAROUND: For products without available patches (SCALANCE S602, S612, S623, S627-2M, W700, SIMATIC Process Historian OPC UA Server, SINAMICS Connect 300), implement compensating controls by placing devices behind firewalls, disabling TLS renegotiation where possible, or segmenting networks to limit exposure
All products
HARDENING: Restrict network access to affected devices using firewall rules and access control lists; ensure devices are not directly reachable from the Internet or untrusted networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
RUGGEDCOM CROSSBOW Station Access Controller (SAC)
HOTFIX: Update RUGGEDCOM CROSSBOW SAC to firmware 5.3 or later
SIMATIC WinCC Runtime Advanced
HOTFIX: Update SIMATIC WinCC Runtime Advanced to version 17 Update 1 or later
SIMATIC WinCC TeleControl
HOTFIX: Update SIMATIC WinCC TeleControl to version 7.5 or later
SIMATIC PCS 7 TeleControl
HOTFIX: Update SIMATIC PCS 7 TeleControl to version 9.1 or later
SIMATIC PCS neo
HOTFIX: Update SIMATIC PCS neo to version 3.1 or later
SIMATIC PDM
HOTFIX: Update SIMATIC PDM to version 9.2 SP 1 or later
SINEMA Server
HOTFIX: Update SINEMA Server to version 14 SP3 or later
SINUMERIK OPC UA Server
HOTFIX: Update SINUMERIK OPC UA Server to version 3.1 SP1 or later
TIA Administrator
HOTFIX: Update TIA Administrator to version 1.0 SP4 or later
All products
HOTFIX: Update RUGGEDCOM RM1224 LTE to version 7.1 or later
HOTFIX: Update all affected SCALANCE switches, routers, and wireless products to their patched versions (e.g., SCALANCE M-series to 7.1, SCALANCE XM/XR to 6.4, SCALANCE W-series to 3.0)
HOTFIX: Update SIMATIC CP communication modules (CP 1242-7 V2, CP 1243, CP 1543, CP 1545) to their patched versions (e.g., CP 1243-7 LTE to 3.3.46, CP 1543 to 3.0)
HOTFIX: Update SIMATIC S7-1200 CPU family to firmware 4.5.2 or later
HOTFIX: Update SIMATIC S7-1500 CPU 1518-4 PN/DP MFP to version 2.9.3 or later
HOTFIX: Update SIMATIC HMI Comfort Panels (including SIPLUS variants), Comfort Outdoor Panels, and KTP Mobile Panels to version 17.0 Update 2 or later
HOTFIX: Update SIMATIC MV540, MV550, MV560 drive control units to firmware 3.1 or later
HOTFIX: Update SIMATIC RF series RFID readers (RF166C, RF185C, RF186C, RF188C, RF360R, RF610R, RF615R, RF650R, RF680R, RF685R) to firmware 2.0 or 4.0 as applicable
HOTFIX: Update SIMATIC Logon to version 1.6 Update 5 or later
HOTFIX: Update SIMATIC Cloud Connect 7 CC712/CC716 to version 1.6 or later
Long-term hardening
HARDENING: Isolate control system networks from business networks using firewalls and network segmentation
HARDENING: If remote access is required, use secure VPN connections with current updates and multi-factor authentication
CVEs (1)