Siemens SIMATIC
Priority: Act Now · CVSS 7.4 · ICS-CERT ICSA-23-222-07 · Aug 8, 2023
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A type confusion vulnerability in OpenSSL X.400 address processing (CVE-2023-0286) affects multiple Siemens SIMATIC controllers. An attacker could craft a malicious X.509 certificate with an invalid address type in an X.400 address field that would be mishandled during processing, potentially allowing arbitrary code execution or denial of service. The vulnerability requires the affected device to be configured with certificate validation or encryption features that use the vulnerable OpenSSL code path.
What this means
What could happen
An attacker could execute arbitrary code on the PLC/controller, altering process setpoints, disabling safety functions, or stopping industrial operations. Alternatively, the device could crash, interrupting production.
Who's at risk
Manufacturing and transportation organizations using Siemens SIMATIC S7-1500, S7-1200, S7-PLCSIM Advanced, SIPLUS ET 200SP, SIPLUS S7-1500, SIMATIC Drive Controllers, SIMATIC IPC DiagBase, and SIMATIC IPC DiagMonitor should assess their inventory. Of particular concern are any SIMATIC S7-1500 CPU models running firmware versions before 2.9.7 or 3.0.3, S7-1200 CPUs before version 4.7, and software controller instances.
How it could be exploited
An attacker crafts a malicious X.509 certificate with a malformed X.400 address field and presents it during TLS/SSL handshake to a device that validates certificates. The type confusion in OpenSSL's X.400 parsing causes memory corruption, which the attacker can leverage to run commands on the CPU or trigger a crash. Access requires the device to be network-reachable and configured to validate remote certificates.
Prerequisites
- Network access to the port used for certificate exchange (typically TLS on port 443, or a proprietary management port)
- Device must be configured to validate or process X.509 certificates
- Attacker must be able to present a crafted certificate to the device (man-in-the-middle position or via trusted certificate authority compromise)
- High EPSS score (88.5% exploit probability)
- Remotely exploitable over network
- Type confusion vulnerability allows memory corruption
- Affects critical industrial control equipment
- Multiple product lines and models impacted
- Some products have no fix available (end-of-life)
Exploitability
High exploit probability (EPSS 88.5%)
Affected products (122)
101 with fix, 21 pending
Product | Affected Versions | Fix Status
SIMATIC S7-1500 CPU 1513F-1 PN | <V2.9.7 | 2.9.7
SIMATIC S7-1500 CPU 1513F-1 PN | <V3.0.3 | 3.0.3
SIMATIC S7-1500 CPU 1513R-1 PN | <V2.9.7 | 2.9.7
SIMATIC S7-1500 CPU 1513R-1 PN | <V3.0.3 | 3.0.3
SIMATIC S7-1500 CPU 1514SP F-2 PN | <V3.0.3 | 3.0.3
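The table lists one fixed firmware per affected branch, so a device is affected only when its installed firmware sits on the same major branch as a listed fix and is below it (a CPU on 3.0.2 needs 3.0.3, not 2.9.7). The following added example, which is not code from the advisory or from Siemens, turns that rule into an inventory check. The fix table is transcribed from the rows shown above plus the S7-1200 hotfix line; the S7-1200 product key, the IPC DiagBase entry and the inventory lines are constructed for illustration, and firmware on a branch older than every listed fix is flagged for manual review rather than assumed safe.

```python
"""Inventory check for CVE-2023-0286 on Siemens SIMATIC devices (added example).

Not code from the advisory or from Siemens. FIX_TABLE is transcribed from the
product rows shown on this page; INVENTORY entries are constructed.
"""
from __future__ import annotations

from typing import Optional

# Product -> fixed firmware versions, one per affected branch.
# None = the advisory lists no fix for that product.
# The S7-1200 key and the IPC DiagBase entry are assumed labels, not page rows.
FIX_TABLE: dict[str, Optional[list[str]]] = {
    "SIMATIC S7-1500 CPU 1513F-1 PN": ["2.9.7", "3.0.3"],
    "SIMATIC S7-1500 CPU 1513R-1 PN": ["2.9.7", "3.0.3"],
    "SIMATIC S7-1500 CPU 1514SP F-2 PN": ["3.0.3"],
    "SIMATIC S7-1200 CPU": ["4.7"],   # assumed label; page: S7-1200 before 4.7
    "SIMATIC IPC DiagBase": None,     # page: no fix available
}


def parse_version(text: str) -> tuple[int, ...]:
    """'V2.9.7' or '2.9.7' -> (2, 9, 7); tuples compare lexicographically."""
    return tuple(int(part) for part in text.strip().lstrip("Vv").split("."))


def assess(product: str, firmware: str) -> dict:
    """Classify one inventory entry against FIX_TABLE.

    Branch rule: affected only if a fixed version exists on the same major
    branch as the installed firmware and the installed firmware is below it.
    """
    if product not in FIX_TABLE:
        return {"status": "unknown-product", "fix": None}
    fixes = FIX_TABLE[product]
    if fixes is None:
        return {"status": "no-fix-available", "fix": None}
    installed = parse_version(firmware)
    fixed = [(parse_version(f), f) for f in fixes]
    same_branch = [(v, f) for v, f in fixed if v[0] == installed[0]]
    if same_branch:
        fix_version, fix_label = same_branch[0]
        if installed < fix_version:
            return {"status": "affected", "fix": fix_label}
        return {"status": "not-affected", "fix": None}
    # No fix on this branch: newer than every listed fix -> not affected;
    # older than all of them -> the rows shown do not cover it, so review it.
    if installed > max(v for v, _ in fixed):
        return {"status": "not-affected", "fix": None}
    return {"status": "review", "fix": None}


# Constructed inventory lines: (product, installed firmware).
INVENTORY = [
    ("SIMATIC S7-1500 CPU 1513F-1 PN", "V2.9.6"),
    ("SIMATIC S7-1500 CPU 1513F-1 PN", "V3.0.3"),
    ("SIMATIC S7-1200 CPU", "V4.6"),
    ("SIMATIC IPC DiagBase", "V1.0"),
    ("SIMATIC S7-1500 CPU 1513R-1 PN", "V1.8"),
]


def run_inventory(entries=INVENTORY) -> dict[str, int]:
    """Print one line per device and return a count of entries per status."""
    counts: dict[str, int] = {}
    for product, firmware in entries:
        result = assess(product, firmware)
        counts[result["status"]] = counts.get(result["status"], 0) + 1
        print(f"{product:36} {firmware:8} {result['status']:16} fix={result['fix']}")
    return counts


if __name__ == "__main__":
    run_inventory()
```

Extend FIX_TABLE from the full 122-row advisory before using this against a real inventory; the five rows shown here are only the ones visible on this page.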
Remediation & Mitigation
Do now
SIMATIC IPC DiagBase
WORKAROUND: For products with no fix available (SIMATIC IPC DiagBase, DiagMonitor, and specific CPU models marked 'All versions'), disable or isolate certificate-based authentication features if not actively required for operations
All products
HARDENING: Restrict network access to management/engineering ports on all SIMATIC controllers using firewall rules to only trusted engineering workstations and avoid exposing certificate validation interfaces to untrusted networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC Drive Controller CPU 1504D TF
HOTFIX: Update SIMATIC Drive Controller CPU 1504D TF and 1507D TF to firmware version 2.9.7 or 3.0.3 as applicable
SIMATIC S7-1500 Software Controller V2
HOTFIX: Update SIMATIC S7-1500 Software Controller V2 to version 21.9.7 or later and V3 to version 30.1.0 or later
SIMATIC S7-PLCSIM Advanced
HOTFIX: Update SIMATIC S7-PLCSIM Advanced to version 6.0 or later
All products
HOTFIX: Update SIMATIC S7-1500 CPUs to firmware version 2.9.7 or 3.0.3 as applicable to your model
HOTFIX: Update SIMATIC S7-1200 CPUs to firmware version 4.7 or later
HOTFIX: Update SIPLUS ET 200SP and SIPLUS S7-1500 controllers to firmware version 2.9.7 or 3.0.3 as applicable
Long-term hardening
HARDENING: Monitor Siemens security advisories for available patches for products currently marked as having no fix available
CVEs (1)
CVE-2023-0286
API:
/api/v1/advisories/a4d174ca-9c08-44cb-8082-61f1f403f5ce