OTPulse

Siemens SIMATIC, SIPLUS Products

Status: Plan Patch
CVSS: 7.5
ICS-CERT: ICSA-23-257-01
Date: Sep 12, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A denial of service vulnerability exists in OPC UA implementations (ANSI C and C++) used across multiple Siemens SIMATIC products. An unauthenticated remote attacker can send a specially crafted certificate to trigger an integer overflow (CWE-190) in certificate validation, causing the affected service to crash. The vulnerability requires only network access to the OPC UA port; no special configuration, authentication, or user interaction is needed. Siemens has released patches for many products but states that no fixes are available for WinCC V7.4, WinCC Runtime Professional V16/V17/V18, SIMATIC Comfort/Mobile RT (all versions), SIMATIC PCS neo V4.0, SIMATIC IPC DiagMonitor (all versions), and SIMATIC NET PC Software V14.

What this means
What could happen
An attacker can send a specially crafted certificate over the network to crash devices running vulnerable OPC UA implementations, causing them to stop responding and disrupting control of manufacturing, water treatment, or power systems until the device is manually restarted.
Who's at risk
Manufacturing facilities, water treatment plants, power utilities, and transportation systems using Siemens SIMATIC product families. Specifically affected are: WinCC runtime and SCADA software, S7-1500 programmable logic controllers and distributed I/O modules (ET 200SP), Drive Controllers, Cloud Connect gateways, and OPC UA server/client components. End-of-life products (WinCC V7.4, WinCC Runtime Professional V16-V18, PCS neo V4.0) have no vendor fix available.
How it could be exploited
An attacker with network access to the OPC UA service port (typically 4840) sends a malformed certificate to the OPC UA server. The server's C/C++ certificate validation code does not check for an integer overflow while processing the certificate, and the process crashes. No credentials or special configuration are required.
Prerequisites
  • Network access to the OPC UA service port (typically 4840)
  • OPC UA service exposed or reachable from attacker's network location
  • No authentication required to send the malicious certificate
Key factors
  • remotely exploitable
  • no authentication required
  • low complexity
  • affects critical control system components
  • no patch available for multiple product lines
  • denial of service can halt production or utility operations
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (114)
106 with fix, 8 pending

Product                                      | Affected Versions | Fix Status
---------------------------------------------|-------------------|------------
SIMATIC WinCC OA V3.19                       | < V3.19 P005      | 3.19 P005
SIMATIC WinCC OPC UA Client                  | < 2.0.0.1         | 2.0.0.1
SIMATIC WinCC Runtime Professional V16       | All versions      | No fix yet
SIMATIC WinCC Runtime Professional V17       | All versions      | No fix yet
SIMATIC WinCC Runtime Professional V18       | All versions      | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: For products with no fix available (WinCC V7.4, WinCC RT V16-V18, Comfort/Mobile RT, PCS neo V4.0, IPC DiagMonitor, NET PC Software V14), isolate OPC UA service ports from untrusted networks using firewall rules
WORKAROUND: Disable OPC UA services on devices that do not require remote access or integration
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC WinCC OPC UA Client
HOTFIX: Update SIMATIC WinCC OPC UA Client to version 2.0.0.1 or later
SIMATIC WinCC Unified OPC UA Server
HOTFIX: Update SIMATIC WinCC Unified OPC UA Server to version 5.0.0.0 or later
SIMATIC BRAUMAT
HOTFIX: Update other affected products (SIMATIC BRAUMAT, SISTAR, WinCC, PCS 7, PLCSIM Advanced) to the specified patch versions
All products
HOTFIX: Update affected SIMATIC S7-1500 CPUs to firmware version 2.9.7 or later for the earlier series (1511-1, 1512, 1513, 1515-2, 1516-3) or 3.0.3 for the later series (1514SP, 1516T, 1517, 1518)
HOTFIX: Update SIMATIC ET 200SP CPUs to firmware version 2.9.7 or 3.0.3 as applicable to your model
HOTFIX: Update SIMATIC Drive Controller CPUs 1504D TF and 1507D TF to version 2.9.7
HOTFIX: Update SIMATIC Cloud Connect 7 (CC712 and CC716) to version 2.2 or later
HOTFIX: Update SIMATIC WinCC OA to version 3.17 P029, 3.18 P019, or 3.19 P005 as applicable
HOTFIX: Update SIMATIC WinCC Runtime Professional to version 19 Update 2 if using V19 (V16, V17, V18 have no fix available)
HOTFIX: Update SIMATIC NET PC Software to version 16 Update 8, 17 SP1 Update 1, or 18 Update 1 as applicable
HOTFIX: Update SIMATIC S7-1500 Software Controller to version 21.9.7 (V2) or 30.1.0 (V3)
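The hotfix list above is organised by product, while a plant owner usually starts from an asset inventory. The script below is an added example, not part of the advisory and not Siemens code: it triages a constructed inventory against the fixed versions stated on this page (S7-1500 CPU series to 2.9.7 or 3.0.3, WinCC OPC UA Client 2.0.0.1, WinCC Unified OPC UA Server 5.0.0.0, Drive Controller 2.9.7, Cloud Connect 7 2.2) and flags the product lines for which the page says no fix exists, so they fall through to the firewall/disable workarounds. The asset names and installed versions are made up; only dotted numeric versions are compared, so WinCC OA patch levels such as "P005" are deliberately out of scope.

```python
"""Triage a constructed OT asset inventory against the fixed versions listed
for ICSA-23-257-01 on this page. Added example; hostnames and installed
versions are constructed, the fix versions are the ones the advisory states."""
from dataclasses import dataclass
from typing import Optional

# Fixed firmware per S7-1500 CPU series, as written on the advisory page.
S7_1500_FIX = {
    "1511-1": "2.9.7", "1512": "2.9.7", "1513": "2.9.7",
    "1515-2": "2.9.7", "1516-3": "2.9.7",
    "1514SP": "3.0.3", "1516T": "3.0.3", "1517": "3.0.3", "1518": "3.0.3",
}

# Products with a single dotted fix version on the page.
PRODUCT_FIX = {
    "SIMATIC WinCC OPC UA Client": "2.0.0.1",
    "SIMATIC WinCC Unified OPC UA Server": "5.0.0.0",
    "SIMATIC Drive Controller": "2.9.7",   # 1504D TF / 1507D TF
    "SIMATIC Cloud Connect 7": "2.2",      # CC712 / CC716
}

# Product lines the advisory says have no fix: only the workarounds apply.
NO_FIX = {
    "SIMATIC WinCC Runtime Professional V16",
    "SIMATIC WinCC Runtime Professional V17",
    "SIMATIC WinCC Runtime Professional V18",
    "SIMATIC PCS neo V4.0",
    "SIMATIC IPC DiagMonitor",
}


@dataclass
class Asset:
    name: str      # hostname or tag (constructed)
    product: str   # product family as named in the advisory
    model: str     # CPU model for S7-1500 CPUs, otherwise ""
    version: str   # installed firmware/software version (constructed)


def parse_version(v: str) -> tuple:
    """Turn '2.9.7' or '2.0.0.1' into a tuple of ints for ordering.
    Tuples of different length compare element-wise, so (2,0,0,1) > (2,0,0)."""
    return tuple(int(p) for p in v.strip().split("."))


def required_fix(asset: Asset) -> Optional[str]:
    """Minimum fixed version for this asset, or None if this table has no entry."""
    if asset.product == "SIMATIC S7-1500 CPU":
        return S7_1500_FIX.get(asset.model)
    return PRODUCT_FIX.get(asset.product)


def triage(asset: Asset) -> str:
    """Classify one asset: patched, needs update, no fix (isolate), or unknown."""
    if asset.product in NO_FIX:
        return "no-fix: isolate OPC UA port / disable service"
    fix = required_fix(asset)
    if fix is None:
        return "unknown: not in this table, check the vendor advisory"
    if parse_version(asset.version) >= parse_version(fix):
        return "patched"
    return f"update to {fix} or later"


# Constructed sample inventory; none of these are real hosts.
INVENTORY = [
    Asset("plc-line1", "SIMATIC S7-1500 CPU", "1516-3", "2.9.4"),
    Asset("plc-line2", "SIMATIC S7-1500 CPU", "1518", "3.0.3"),
    Asset("scada-01", "SIMATIC WinCC Runtime Professional V17", "", "17.0"),
    Asset("opc-gw", "SIMATIC Cloud Connect 7", "", "2.1"),
]


def triage_report(inventory=INVENTORY) -> dict:
    """Map asset name to its triage status."""
    return {a.name: triage(a) for a in inventory}


if __name__ == "__main__":
    for name, status in triage_report().items():
        print(f"{name:12} {status}")
```

Assets that come back as "no-fix" are the ones the "Do now" workarounds apply to; "unknown" means the product is in the advisory's full list of 114 but not in this small table, and the vendor advisory should be consulted for its fix version.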
Long-term hardening
HARDENING: Segment OT networks to restrict which devices can communicate with vulnerable engineering workstations or servers running affected OPC UA software