Siemens Industrial Devices using libcurl

Plan PatchCVSS 8.1ICS-CERT ICSA-22-132-13May 10, 2022

SiemensManufacturingTransportation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

Vulnerabilities in the cURL library used by multiple Siemens industrial communication and remote access devices could allow an attacker to interfere with affected products through use-after-free (CWE-416) and unrestricted upload of file with dangerous type (CWE-706) flaws. Affected products include SIMATIC CP series communication processors, SIPLUS modules, SCALANCE industrial routers, RUGGEDCOM remote management devices, SIMATIC RTU series remote terminal units, and SINEMA Remote Connect Client. No public exploits currently available, but vulnerabilities have been partially demonstrated (E:P).

What this means

What could happen

An attacker with network access could cause memory corruption or arbitrary code execution on affected communication processors, routers, or RTU devices, potentially disrupting remote monitoring, data transfer, or system control functions. LOGO! CMR devices cannot be patched and remain indefinitely vulnerable.

Who's at risk

Manufacturing and transportation operators using Siemens industrial communication and networking equipment should be concerned. This includes: plants using SIMATIC CP series (1242, 1243, 1545) communication processors for gateway/remote connectivity; facilities deploying SCALANCE M-series industrial routers for WAN links or mobile connectivity; water/utility SCADA systems using SIMATIC RTU3000 series remote terminal units; sites running RUGGEDCOM remote management devices; automation systems using SIPLUS hardened variants; and users of SINEMA Remote Connect Client for engineering remote access.

How it could be exploited

An attacker with network reachability to an affected device's web service or API endpoint could craft a malicious HTTP request that triggers a use-after-free condition or unsafe file upload handling in the embedded cURL library. This could result in memory corruption, information disclosure, or remote code execution on the device.

Prerequisites

Network access to the affected device's HTTP/HTTPS service port
Device must be running a vulnerable firmware version
No authentication is required

Remotely exploitableNo authentication requiredHigh attack complexity (partially mitigates risk)Affects network infrastructure devices (communication processors, routers, RTUs)LOGO! CMR family: no patch availableHigh CVSS score (8.1)

Exploitability

Unlikely to be exploited — EPSS score 0.8%

Public Proof-of-Concept (PoC) on GitHub (1 repository)

Affected products (34)

33 with fix1 pending

ProductAffected VersionsFix Status

SIMATIC CP 1242-7 V2<V3.3.463.3.46

SIMATIC CP 1243-1<V3.3.463.3.46

SIMATIC CP 1243-7 LTE EU<V3.3.463.3.46

SIMATIC CP 1243-7 LTE US<V3.3.463.3.46

SIMATIC CP 1243-8 IRC<V3.3.463.3.46

Remediation & Mitigation

0/13

Do now

0/2

WORKAROUNDRestrict network access to affected devices using firewall rules; block inbound HTTP/HTTPS traffic from untrusted networks

HARDENINGFor LOGO! CMR devices (no patch available): isolate from Internet-facing networks; implement network segmentation to limit access to engineering stations only

Schedule — requires maintenance window

0/9

Patching may require device reboot — plan for process interruption

SIMATIC CP 1242-7 V2

HOTFIXUpdate SIMATIC CP 1242-7 V2, CP 1243-1, CP 1243-7 LTE EU/US, CP 1243-8 IRC to firmware v3.3.46 or later

SIMATIC CP 1543-1

HOTFIXUpdate SIMATIC CP 1543-1 and SIPLUS NET CP 1543-1 to firmware v3.0.22 or later

SIMATIC CP 1545-1

HOTFIXUpdate SIMATIC CP 1545-1 to firmware v1.1 or later

SIPLUS NET CP 1242-7 V2

HOTFIXUpdate SIPLUS NET CP 1242-7 V2 to firmware v3.3.46 or later

SIPLUS S7-1200 CP 1243-1

HOTFIXUpdate SIPLUS S7-1200 CP 1243-1 and CP 1243-1 RAIL to firmware v3.3.46 or later

SCALANCE M804PB

HOTFIXUpdate SCALANCE M804PB, M812-1, M816-1, M826-2, M874-2, M874-3, M876-3, M876-4, MUM856-1, and S615 to firmware v7.1 or later

RUGGEDCOM RM1224 LTE(4G) EU

HOTFIXUpdate RUGGEDCOM RM1224 LTE(4G) EU and NAM to firmware v7.1 or later

SIMATIC RTU3010C

HOTFIXUpdate SIMATIC RTU3010C, RTU3030C, RTU3031C, RTU3041C to firmware v5.0.14 or later

SINEMA Remote Connect Client

HOTFIXUpdate SINEMA Remote Connect Client to v3.1 or later

Long-term hardening

0/2

HARDENINGSegment control system networks and place communication processors, routers, and RTUs behind firewalls with access restricted to necessary engineering and monitoring stations only

HARDENINGFor remote access requirements, enforce VPN-based access with the latest available security patches applied to VPN systems

CVEs (2)

CVE-2021-22901 CVE-2021-22924

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/849a5d97-a0d1-4724-ac1d-82a15b68bf14

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.