Siemens SINEC NMS Third-Party

Plan PatchCVSS 9.8ICS-CERT ICSA-23-131-05May 9, 2023

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities in third-party components libexpat and libcurl used by SINEC NMS before version 1.0.3.1 allow remote attackers without authentication to compromise confidentiality, integrity, and availability. Affected CWEs include buffer overflow (CWE-121), use-after-free (CWE-416), double-free (CWE-415), improper input validation (CWE-440 and CWE-1286), and cleartext transmission (CWE-319). No public exploit code is currently known, but the vulnerabilities affect widely-used open-source libraries. Siemens recommends updating to SINEC NMS v1.0.3.1 or later and protecting network access with appropriate security controls.

What this means

What could happen

Multiple vulnerabilities in third-party components (libexpat and libcurl) within SINEC NMS could allow an attacker to run arbitrary code, access sensitive data, or disrupt the network management system that oversees critical industrial control devices.

Who's at risk

Water and electric utilities using Siemens SINEC NMS for centralized management of industrial control systems and field devices should prioritize this update. SINEC NMS manages critical network infrastructure; compromise could cascade to affect SCADA systems, RTUs, and PLCs under its supervision.

How it could be exploited

An attacker with network access to SINEC NMS can exploit flaws in libexpat (XML parsing) or libcurl (HTTP client) without authentication. By sending specially crafted requests or files, the attacker could trigger buffer overflows, use-after-free, or other memory corruption bugs to execute code on the management system.

Prerequisites

Network access to SINEC NMS service ports
No authentication required
Default or exposed NMS instance

remotely exploitableno authentication requiredlow complexityhigh CVSS score (9.8)affects management system for critical infrastructure

Exploitability

Some exploitation risk — EPSS score 1.6%

Public Proof-of-Concept (PoC) on GitHub (2 repositories)

Affected products (1)

ProductAffected VersionsFix Status

SINEC NMS<V1.0.3.11.0.3.1

Remediation & Mitigation

0/3

Do now

0/1

HARDENINGRestrict network access to SINEC NMS management interface using firewall rules to limit exposure

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SINEC NMS to version 1.0.3.1 or later

Long-term hardening

0/1

HARDENINGSegment SINEC NMS on a dedicated management network separate from operational control networks

CVEs (9)

CVE-2022-32221 CVE-2022-35252 CVE-2022-35260 CVE-2022-42916 CVE-2022-40674 CVE-2022-42915 CVE-2022-43551 CVE-2022-43552 CVE-2022-43680

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/055199b5-8af4-428d-953f-eec4d41c41bc

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.