Siemens OpenSSL 3.0 Affecting Products
Act NowCVSS 7.5ICS-CERT ICSA-22-349-09Dec 13, 2022
SiemensEnergy
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
OpenSSL 3.0.0 through 3.0.6 contains buffer overflow vulnerabilities (CVE-2022-3602, CVE-2022-3786) in X.509 certificate verification during TLS handshakes. An attacker can craft a malicious certificate with a nameConstraint extension using punycode-encoded internationalized domain names to trigger the overflow. This could cause denial of service (crash) or arbitrary code execution on vulnerable TLS servers that request client certificates or vulnerable TLS clients connecting to attacker-controlled servers. Affected Siemens products include Calibre ICE, Mcenter, SCALANCE X-200RNA, SICAM GridPass, and SIMATIC RTLS Locating Manager.
What this means
What could happen
Buffer overflow in OpenSSL X.509 certificate verification could cause denial of service or allow an attacker to run arbitrary code on your industrial devices. This affects devices that perform TLS authentication with client certificates.
Who's at risk
Energy sector organizations using Siemens industrial devices for power distribution and monitoring should prioritize this. Affected equipment includes Calibre ICE engineering tools, Mcenter automation platforms, SCALANCE X-200RNA industrial switches, SICAM GridPass substation control systems, and SIMATIC RTLS asset tracking devices.
How it could be exploited
An attacker crafts a malicious X.509 certificate with a nameConstraint extension using punycode-encoded internationalized domain names. When the vulnerable device verifies this certificate during TLS handshake (either as a server validating a client certificate or as a client validating a server certificate), the buffer overflow triggers, crashing the process or allowing code execution.
Prerequisites
- Network access to the device's TLS port (typically 443 or another HTTPS/secure port)
- For server exploitation: device must be configured to require client certificate authentication
- For client exploitation: device must connect to an attacker-controlled TLS server
- Device must be running OpenSSL 3.0.0 through 3.0.6
Remotely exploitable over the networkNo authentication required (attacker-crafted certificate triggers vulnerability)Low complexity attack (malicious certificate in specific format)High EPSS score (83.2%) indicating active exploitation riskAffects critical infrastructure communication (TLS authentication)Multiple Siemens industrial products affected
Exploitability
Likely to be exploited — EPSS score 83.5%
Public Proof-of-Concept (PoC) on GitHub (9 repositories)
Affected products (5)
5 with fix
ProductAffected VersionsFix Status
Calibre ICE≥ 2022.4, < 2023.12023.1
Mcenter≥ 5.2.1, < 5.3.05.3.0
SCALANCE X-200RNA family≥ 3.2.7, < 3.2.83.2.8
SICAM GridPass≥ 1.80, < 2.202.20
SIMATIC RTLS Locating Manager≥ 2.13.0.0, < 2.13.0.32.13.0.3
Remediation & Mitigation
0/11
Do now
0/4Mcenter
WORKAROUNDFor Mcenter: audit truststore and remove or restrict any non-essential CA certificates
SICAM GridPass
WORKAROUNDFor SICAM GridPass: do not add CA certificates with nameConstraint extensions containing punycode-encoded internationalized domain names to the truststore
All products
WORKAROUNDFor products with vulnerable TLS server and client certificate authentication: do not configure trust for CA certificates with nameConstraint extensions containing punycode-encoded internationalized domain names
WORKAROUNDFor products with vulnerable TLS client: ensure TLS server certificate verification is enabled
Schedule — requires maintenance window
0/5Patching may require device reboot — plan for process interruption
Calibre ICE
HOTFIXUpdate Calibre ICE to version 2023.1 or later
Mcenter
HOTFIXUpdate Mcenter to version 5.3.0 or later
SCALANCE X-200RNA family
HOTFIXUpdate SCALANCE X-200RNA family to firmware version 3.2.8 or later
SICAM GridPass
HOTFIXUpdate SICAM GridPass to version 2.20 or later
SIMATIC RTLS Locating Manager
HOTFIXUpdate SIMATIC RTLS Locating Manager to version 2.13.0.3 or later
Long-term hardening
0/2HARDENINGImplement network segmentation to isolate industrial control systems from the business network and internet
HARDENINGRestrict network access to these devices using firewalls; do not expose to the internet
CVEs (2)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/99cbfaa4-a3b7-47b2-8b9f-9378ca89a951Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.