OTPulse

Siemens Industrial Products

Plan PatchCVSS 7.5ICS-CERT ICSA-23-103-10Apr 11, 2023
SiemensManufacturingTransportation
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

Multiple denial of service vulnerabilities exist in Siemens industrial communication modules (SIMATIC CP 1242-7, CP 1243 series, CP 1542SP/1543SP, CP 443-1, and TIM 1531 IRC) that allow an attacker with network access to the webserver to cause it to crash or become unresponsive. The vulnerabilities are caused by improper handling of certain inputs (CWE-416 use-after-free, CWE-833 deadlock, CWE-770 allocation with excessive size). An attacker can trigger these conditions by sending specially crafted network traffic to the affected module's webserver, disrupting network communications.

What this means
What could happen
An attacker with network access to the web interface of these Siemens communication modules could cause a denial of service, interrupting network traffic or control communications and potentially stopping production or critical infrastructure operations.
Who's at risk
Manufacturing and transportation facilities using Siemens industrial communication modules (CP 1242/1243/1542/1543 series, CP 443-1, or TIM 1531 IRC) for network connectivity in their control systems. This includes water authorities and utilities using these modules for SCADA communications or inter-PLC networking.
How it could be exploited
An attacker on the network sends malformed requests or excessive traffic to the webserver running on the affected communication module (CP 1242-7, CP 1243 series, CP 1542SP/1543SP, CP 443-1, or TIM 1531 IRC). The vulnerability in how the webserver handles certain inputs causes it to crash or become unresponsive, cutting off communications through that module.
Prerequisites
  • Network access to port 80/443 of the affected Siemens communication module
  • No authentication required
remotely exploitableno authentication requiredlow complexityaffects production network availability
Exploitability
Unlikely to be exploited — EPSS score 0.7%
Affected products (22)
22 with fix
ProductAffected VersionsFix Status
SIMATIC CP 1242-7 V2<V3.4.293.4.29
SIMATIC CP 1243-1<V3.4.293.4.29
SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants)<V3.4.293.4.29
SIMATIC CP 1243-1 IEC (incl. SIPLUS variants)<V3.4.293.4.29
SIMATIC CP 1243-7 LTE EU<V3.4.293.4.29
Remediation & Mitigation
0/11
Do now
0/2
WORKAROUNDRestrict network access to the web interface using firewall rules or access control lists to only authorized engineering workstations
WORKAROUNDDisable the webserver on affected modules if not required for operations
Schedule — requires maintenance window
0/9

Patching may require device reboot — plan for process interruption

SIMATIC CP 1242-7 V2
HOTFIXUpdate SIMATIC CP 1242-7 V2 to firmware version 3.4.29 or later
SIMATIC CP 1243-1
HOTFIXUpdate SIMATIC CP 1243-1 and variants (DNP3, IEC) to firmware version 3.4.29 or later
SIMATIC CP 1243-8 IRC
HOTFIXUpdate SIMATIC CP 1243-8 IRC to firmware version 3.4.29 or later
SIMATIC CP 1542SP-1
HOTFIXUpdate SIMATIC CP 1542SP-1 and CP 1542SP-1 IRC to firmware version 2.3 or later
SIMATIC CP 1543SP-1
HOTFIXUpdate SIMATIC CP 1543SP-1 to firmware version 2.3 or later
SIMATIC CP 443-1
HOTFIXUpdate SIMATIC CP 443-1 and CP 443-1 Advanced to firmware version 3.3 or later
SIPLUS TIM 1531 IRC
HOTFIXUpdate TIM 1531 IRC and SIPLUS TIM 1531 IRC to firmware version 2.3.6 or later
All products
HOTFIXUpdate SIMATIC CP 1243-7 LTE (EU and US variants) to firmware version 3.4.29 or later
HOTFIXUpdate SIPLUS variants (ET 200SP, NET, S7-1200) to their respective firmware versions (3.4.29, 3.3, or 2.3 depending on product)
View full CISA ICS-CERT advisory
API: /api/v1/advisories/a1864301-ae7e-4720-a1c8-e0cec8d70c20

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.