Siemens Industrial Products with OPC UA
Monitor | 6.5 | ICS-CERT ICSA-22-132-08 | May 10, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
A vulnerability in the OPC UA ANSIC Stack (Legacy C-Stack) third-party component affects multiple Siemens industrial products. The flaw could cause a crash of any component using the vulnerable stack. Affected products include SIMATIC HMI panels, SIMATIC NET PC Software, SITOP Manager, and TeleControl Server Basic.
What this means
What could happen
An attacker could crash the OPC UA communication stack on affected devices, causing loss of connectivity between your HMI panels, engineering workstations, or remote servers and your control systems. This could disrupt operator visibility and remote operations until the process restarts.
Who's at risk
Manufacturing sites using Siemens HMI panels (Comfort Outdoor, Comfort, or KTP Mobile series) as operator interfaces should prioritize patching. Engineering and automation teams using SIMATIC NET PC Software for industrial network configuration and management are also affected. Remote operations personnel using TeleControl Server Basic or SITOP Manager for distributed process control need immediate attention. Any facility using OPC UA for communication between workstations, HMI devices, and controllers is at risk.
How it could be exploited
An attacker would send a malformed OPC UA message to an affected device that is configured to accept OPC client connections. The malformed packet triggers a null pointer dereference in the OPC UA stack, causing the application or device to crash. The attacker needs network reachability to the device's OPC UA port (typically 4840 or a configured alternative).
Prerequisites
- Network access to OPC UA listening port on the affected device
- Device must be configured with OPC UA client feature enabled
- Device must accept OPC connections from the attacker's network segment
Tags: remotely exploitable, no authentication required, low complexity, affects HMI and engineering workstation connectivity
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (9)
8 with fix, 1 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| SIMATIC NET PC Software V14 | <V14 SP1 Update 14 | 14 SP1 Update 14 |
| SIMATIC HMI Comfort Outdoor Panels (incl. SIPLUS variants) | <V17 Update 5 | V17_Update_5 or later |
| SIMATIC NET PC Software V16 | <V16 Update 6 | 16 Update 6 |
| SIMATIC NET PC Software V17 | <V17 SP 1 | 17 SP1 |
| SITOP Manager | <V1.2.4 | 1.2.4 |
| SIMATIC HMI Comfort Panels (incl. SIPLUS variants) | <V17 Update 5 | V17_Update_5 or later |
| TeleControl Server Basic V3 | <V3.1.1 | 3.1.1 |
| SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F | <V17 Update 5 | V17_Update_5 or later |
Remediation & Mitigation
Do now
WORKAROUND: Restrict OPC UA client connections to trusted networks only; do not expose OPC ports to untrusted networks
WORKAROUND: Disable OPC UA client feature on devices where it is not required for operations
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
SIMATIC NET PC Software V14
HOTFIX: Update SIMATIC NET PC Software V14 to SP1 Update 14 or later
SIMATIC NET PC Software V16
HOTFIX: Update SIMATIC NET PC Software V16 to Update 6 or later
SIMATIC NET PC Software V17
HOTFIX: Update SIMATIC NET PC Software V17 to SP1 or later
SITOP Manager
HOTFIX: Update SITOP Manager to version 1.2.4 or later
TeleControl Server Basic V3
HOTFIX: Update TeleControl Server Basic V3 to version 3.1.1 or later
All products
HOTFIX: Update SIMATIC HMI Comfort Outdoor Panels to V17_Update_5 or later
HOTFIX: Update SIMATIC HMI Comfort Panels to V17_Update_5 or later
HOTFIX: Update SIMATIC HMI KTP Mobile Panels (all models) to V17_Update_5 or later
Mitigations - no patch available
SIMATIC NET PC Software V15 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Use VPN to protect OPC UA communication between cells and remote connections
HARDENING: Implement network segmentation to isolate OPC UA traffic from untrusted segments
CVEs (1)