Siemens SIMATIC CP products
CVSS 6.7 · ICS-CERT ICSA-23-285-01 · Oct 10, 2023
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
SIMATIC CP 1604, CP 1616, CP 1623, CP 1626, and CP 1628 are plug-in PC communication cards used for industrial process communication and PROFINET network connectivity. They contain direct memory access (DMA) vulnerabilities (CWE-284, CWE-400) that allow an attacker with local access to the host system to execute code, access the attached PROFINET network without restrictions, or cause a denial of service. Siemens provides no firmware updates: all five products have reached end of life.
What this means
What could happen
An attacker with local access to the host system in which a SIMATIC CP card is installed could execute arbitrary code, bypass PROFINET network access controls, or crash the card, disrupting communication between the engineering network and the industrial control systems behind it.
Who's at risk
Water utilities, electric utilities, and any industrial operator using Siemens SIMATIC CP communication modules (CP 1604, CP 1616, CP 1623, CP 1626, CP 1628) for PROFINET connectivity between engineering workstations, PLCs, and field devices. These devices are commonly used in SCADA systems, process control networks, and distributed automation platforms.
How it could be exploited
The attacker first obtains high-privileged local access to the host in which the SIMATIC CP card is installed (in practice by compromising the engineering workstation or industrial PC, or through physical access to it), then abuses the card's direct memory access path to write code into device memory and execute it, or to reach the PROFINET network interface without any further authentication. The attack vector is local: the flaw is not reachable over the network from a remote host.
Prerequisites
- Local access to the host system in which the SIMATIC CP card is installed
- High privileges on that host (engineering workstation or industrial PC), obtained through compromise of the host or physical access to it
- No separate credentials on the CP module itself are required once host access is obtained: the memory access path is not authenticated
Tags: no patch available · affects industrial control system communication · direct memory access vulnerability · could enable PROFINET network compromise · low exploit probability but high impact if exploited
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (5)
5 EOL (end of life)
Product | Affected Versions | Fix Status
SIMATIC CP 1616 (6GK1161-6AA02) | All versions | No fix (EOL)
SIMATIC CP 1623 (6GK1162-3AA00) | All versions | No fix (EOL)
SIMATIC CP 1626 (6GK1162-6AA01) | All versions | No fix (EOL)
SIMATIC CP 1628 (6GK1162-8AA00) | All versions | No fix (EOL)
SIMATIC CP 1604 (6GK1160-4AA01) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Restrict physical and network access to the hosts carrying SIMATIC CP modules to authorized personnel only. Require VPN or SSH tunneling for remote engineering workstation connections.
Schedule — requires maintenance window
No patch exists for these cards, so there is nothing to install; replacing an EOL card with a supported model requires shutting down the host PC, so plan for process interruption.
HARDENING: Monitor PROFINET network traffic for unauthorized access attempts or anomalous behavior using network intrusion detection or process monitoring tools.
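One concrete form the monitoring above can take: an attacker who reaches the PROFINET segment through a compromised card will typically enumerate stations with DCP Identify requests and reconfigure them with DCP Set requests, and both should only ever originate from sanctioned engineering stations. The allowlist detector below is an added example, not code from the advisory or from Siemens. It parses raw Ethernet frames using the PROFINET DCP layout (EtherType 0x8892, FrameIDs 0xFEFD/0xFEFE/0xFEFF, ServiceID 3/4/5, ServiceType 0 for requests), handles an optional 802.1Q tag, and flags requests from MAC addresses outside the allowlist. The sample frames, the allowlist and every MAC address in it are constructed for illustration.

```python
"""Allowlist-based detector for PROFINET DCP discovery and reconfiguration requests.

Added example, not code from the advisory or from Siemens. Sample frames and
MAC addresses below are constructed; the DCP field layout follows the protocol.
"""
import struct
from dataclasses import dataclass

PROFINET_ETHERTYPE = 0x8892
VLAN_ETHERTYPE = 0x8100
DCP_MULTICAST_MAC = bytes.fromhex("010ecf000000")

FRAME_ID_DCP_GET_SET = 0xFEFD
FRAME_ID_DCP_IDENTIFY_REQ = 0xFEFE
FRAME_ID_DCP_IDENTIFY_RESP = 0xFEFF
DCP_FRAME_IDS = {FRAME_ID_DCP_GET_SET, FRAME_ID_DCP_IDENTIFY_REQ, FRAME_ID_DCP_IDENTIFY_RESP}

DCP_SERVICE_GET, DCP_SERVICE_SET, DCP_SERVICE_IDENTIFY = 0x03, 0x04, 0x05
DCP_TYPE_REQUEST = 0x00  # ServiceType 0 = request; non-zero values are responses

REASONS = {
    DCP_SERVICE_IDENTIFY: "DCP Identify request (PROFINET device enumeration) from unlisted host",
    DCP_SERVICE_GET: "DCP Get request (device parameter read) from unlisted host",
    DCP_SERVICE_SET: "DCP Set request (device reconfiguration) from unlisted host",
}


@dataclass(frozen=True)
class Alert:
    src_mac: str
    service_id: int
    reason: str


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_dcp(frame: bytes):
    """Return (src_mac, frame_id, service_id, service_type) for a PROFINET DCP frame,
    or None for anything else (non-PROFINET, truncated, or a non-DCP FrameID)."""
    if len(frame) < 14:
        return None
    src = frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == VLAN_ETHERTYPE:  # 802.1Q tag: PROFINET RT frames usually carry one
        if len(frame) < 18:
            return None
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if ethertype != PROFINET_ETHERTYPE or len(frame) < offset + 4:
        return None
    (frame_id,) = struct.unpack("!H", frame[offset:offset + 2])
    if frame_id not in DCP_FRAME_IDS:
        return None
    service_id, service_type = frame[offset + 2], frame[offset + 3]
    return mac_str(src), frame_id, service_id, service_type


def detect(frames, allowed_engineering_macs):
    """Alert on DCP requests whose source MAC is not a sanctioned engineering station.
    Responses (ServiceType != 0) come from field devices and are ignored."""
    alerts = []
    for frame in frames:
        parsed = parse_dcp(frame)
        if parsed is None:
            continue
        src, _frame_id, service_id, service_type = parsed
        if service_type != DCP_TYPE_REQUEST or src in allowed_engineering_macs:
            continue
        if service_id in REASONS:
            alerts.append(Alert(src, service_id, REASONS[service_id]))
    return alerts


def build_dcp_frame(src_mac: str, frame_id: int, service_id: int,
                    service_type: int = DCP_TYPE_REQUEST, vlan: bool = False) -> bytes:
    """Build a minimal DCP frame (constructed test input, not captured traffic)."""
    dst = DCP_MULTICAST_MAC if frame_id == FRAME_ID_DCP_IDENTIFY_REQ else bytes.fromhex("001b1b0a0b0c")
    hdr = dst + bytes.fromhex(src_mac.replace(":", ""))
    if vlan:
        hdr += struct.pack("!HH", VLAN_ETHERTYPE, 0)  # TPID 0x8100, priority/VID 0
    hdr += struct.pack("!H", PROFINET_ETHERTYPE)
    # DCP header: ServiceID, ServiceType, Xid, ResponseDelay, DCPDataLength (no option blocks)
    dcp = struct.pack("!BBIHH", service_id, service_type, 0x1234, 0, 0)
    return (hdr + struct.pack("!H", frame_id) + dcp).ljust(60, b"\x00")


ALLOWED = {"00:1b:1b:11:22:33"}  # constructed: the one sanctioned engineering station

SAMPLE_FRAMES = [
    build_dcp_frame("00:1b:1b:11:22:33", FRAME_ID_DCP_IDENTIFY_REQ, DCP_SERVICE_IDENTIFY),        # sanctioned scan
    build_dcp_frame("00:1b:1b:aa:bb:cc", FRAME_ID_DCP_IDENTIFY_RESP, DCP_SERVICE_IDENTIFY, 0x01),  # device reply
    build_dcp_frame("de:ad:be:ef:00:01", FRAME_ID_DCP_IDENTIFY_REQ, DCP_SERVICE_IDENTIFY),        # unlisted host enumerating
    build_dcp_frame("de:ad:be:ef:00:01", FRAME_ID_DCP_GET_SET, DCP_SERVICE_SET, vlan=True),       # unlisted host reconfiguring
    bytes.fromhex("001b1b0a0b0c" "deadbeef0001" "0800") + b"\x45" + b"\x00" * 50,                # IPv4, ignored
]


def run_sample():
    return detect(SAMPLE_FRAMES, ALLOWED)


if __name__ == "__main__":
    for alert in run_sample():
        print(f"ALERT {alert.src_mac}: {alert.reason}")
```

Feed it frames from a SPAN port or tap on the PROFINET segment rather than from the host carrying the affected card: a compromised card can send whatever it likes, so the sensor must sit outside the host's trust boundary. The allowlist keys on source MAC only, which is adequate for spotting an unexpected talker on a Layer 2 PROFINET segment but is trivially spoofed by an attacker who already knows the engineering station's address; correlate alerts with the station's own logs before dismissing them.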
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC CP 1616 (6GK1161-6AA02), SIMATIC CP 1623 (6GK1162-3AA00), SIMATIC CP 1626 (6GK1162-6AA01), SIMATIC CP 1628 (6GK1162-8AA00), SIMATIC CP 1604 (6GK1160-4AA01). Apply the following compensating controls:
HARDENING: Implement network segmentation to restrict local access to the hosts carrying SIMATIC CP cards. Isolate the industrial control network from general IT networks using firewalls and access control lists.
HARDENING: Follow Siemens' operational guidelines for Industrial Security (available at https://www.siemens.com/cert/operational-guidelines-industrial-security) to configure the environment with defense-in-depth controls.
CVEs (2)
API: /api/v1/advisories/e6d83c90-a1bd-48c0-ad0e-4a40fbd59649