Siemens Brownfield Connectivity Gateway

Plan Patch7.5ICS-CERT ICSA-23-047-04Feb 14, 2023

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Siemens Brownfield Connectivity - Gateway versions prior to 1.11 contain multiple vulnerabilities in the underlying Golang implementation that could lead to Denial of Service. An attacker on the network could crash or hang the gateway service, disrupting communication between legacy control systems and modern IT infrastructure. Siemens has released version 1.11 or later to address these issues.

What this means

What could happen

An attacker on the network could send crafted requests to the Brownfield Connectivity Gateway, causing it to stop responding and disrupting communication between legacy control systems and modern IT infrastructure. This could prevent remote monitoring or control of critical OT assets.

Who's at risk

Water authorities and utilities operating legacy SCADA or PLCs connected via Siemens Brownfield Connectivity Gateway. This product bridges older industrial devices to modern networks, so any disruption affects remote visibility and control of process equipment.

How it could be exploited

An attacker with network access to the Brownfield Connectivity Gateway would send malformed or excessive requests designed to crash or hang the Golang-based service. The gateway acts as a bridge between older industrial devices and modern systems, so a DoS attack would sever that communication path without needing credentials or physical access.

Prerequisites

Network access to the Brownfield Connectivity Gateway (typically port 8080 or management interface)
No credentials required
Gateway must be running affected version (<V1.10 or V1.10.1)

Remotely exploitableNo authentication requiredLow attack complexityAffects communication gateway for critical infrastructureNo public exploit available yet

Exploitability

Low exploit probability (EPSS 0.9%)

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

Brownfield Connectivity - Gateway<V1.101.11

Brownfield Connectivity - GatewayV1.10.11.11

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDRestrict network access to the Brownfield Connectivity Gateway using firewall rules; limit connections to only authorized engineering workstations and control systems

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate Brownfield Connectivity Gateway to version 1.11 or later

Long-term hardening

0/1

HARDENINGImplement network segmentation to isolate the Brownfield Connectivity Gateway from untrusted networks and the general corporate IT network

CVEs (8)

CVE-2021-41771 CVE-2021-41772 CVE-2021-44716 CVE-2021-44717 CVE-2022-24675 CVE-2022-24921 CVE-2022-27536 CVE-2022-28327

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/aa6fd153-fd76-481a-95eb-732009a817dd