OTPulse

Siemens Web Server of Industrial Products

Plan Patch · 7.5 · ICS-CERT ICSA-23-348-08 · Dec 12, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A resource exhaustion vulnerability in the webserver component of multiple Siemens industrial communication and drive products allows a remote attacker to cause a denial-of-service condition. An unauthenticated attacker with network access to the webserver can trigger the crash, disrupting remote management and monitoring. Affected products include SIMATIC CP communication processors (models 1242-7 V2, 1243-1, 1243-1 IEC, 1243-7 LTE, 1243-8 IRC, 1543-1) and SINAMICS S210 variable frequency drives. The SIMATIC CP 1243-1 DNP3 variant has no fix available from the vendor.

What this means
What could happen
An attacker could cause a denial-of-service condition on the web server of these industrial communication modules, disrupting remote access and management capabilities for your automation devices. This could prevent operators from monitoring or adjusting process parameters if the webserver is used for device configuration or diagnostics.
Who's at risk
Manufacturing facilities using Siemens SIMATIC CP communication processors (models 1242-7 V2, 1243-1, 1243-7 LTE, 1243-8 IRC, 1543-1) or SINAMICS S210 variable frequency drives should review their deployments. These devices are typically used to provide networking and communication for PLCs and other control devices; any disruption to their webserver could affect your ability to manage and diagnose automation systems remotely.
How it could be exploited
An attacker with network access to the device's webserver could send a crafted request to trigger a resource exhaustion or memory issue that crashes the webserver process. No authentication is required; the attacker needs only to reach the device on the network port where the webserver is listening.
Prerequisites
  • Network access to the webserver port of the affected device (typically HTTP/HTTPS)
  • No authentication required
  • Device must be running a vulnerable firmware version
remotely exploitable · no authentication required · low complexity · affects device management and diagnostic capabilities
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (9)
8 with fix · 1 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| SIMATIC CP 1242-7 V2 (incl. SIPLUS variants) | < V3.4.29 | 3.4.29 |
| SIMATIC CP 1243-1 (incl. SIPLUS variants) | < V3.4.29 | 3.4.29 |
| SIMATIC CP 1243-1 IEC (incl. SIPLUS variants) | < V3.4.29 | 3.4.29 |
| SIMATIC CP 1243-7 LTE | < V3.4.29 | 3.4.29 |
| SIMATIC CP 1243-8 IRC | < V3.4.29 | 3.4.29 |
| SIMATIC CP 1543-1 | < V3.0.37 | 3.0.37 |
| SINAMICS S210 (6SL5...) | ≥ V6.1, < V6.1 HF2 | 6.1 HF2 |
| SIPLUS NET CP 1543-1 | < V3.0.37 | 3.0.37 |

Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the integrated webserver using firewall rules or access control lists; only allow connections from authorized management networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SINAMICS S210 (6SL5...)
HOTFIX: Update SINAMICS S210 (6SL5...) to firmware version 6.1 HF2 or later
SIMATIC CP 1543-1
HOTFIX: Update SIMATIC CP 1543-1 and SIPLUS NET CP 1543-1 to firmware version 3.0.37 or later
All products
HOTFIX: Update SIMATIC CP 1242-7 V2, CP 1243-1, CP 1243-1 IEC, CP 1243-7 LTE, and CP 1243-8 IRC to firmware version 3.4.29 or later
Mitigations - no patch available
SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Place industrial devices behind firewalls and isolate the control system network from the business network to minimize internet exposure
HARDENING: For remote access requirements, implement a VPN with current security patches and authentication
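
The affected-version ranges and the End-of-Life note above can be applied to an asset inventory to decide which devices need a firmware update and which can only be mitigated. The script below is an added example, not part of the advisory or of any Siemens tooling; the function names, the sample inventory, and the rule that a hotfix (HF) sorts after its base release are assumptions of this example.

```python
import re

# (lowest affected, first fixed) per product, transcribed from the advisory table.
FIXED = {name: (None, "3.4.29") for name in (
    "SIMATIC CP 1242-7 V2", "SIMATIC CP 1243-1", "SIMATIC CP 1243-1 IEC",
    "SIMATIC CP 1243-7 LTE", "SIMATIC CP 1243-8 IRC")}
FIXED.update({"SIMATIC CP 1543-1": (None, "3.0.37"),
              "SIPLUS NET CP 1543-1": (None, "3.0.37"),
              "SINAMICS S210": ("6.1", "6.1 HF2")})
# End of Life, no patch, no version range on the page: any version counts (assumption).
NO_FIX = {"SIMATIC CP 1243-1 DNP3"}


def parse_version(text):
    """'V6.1 HF2' -> ((6, 1), 2). Assumes a hotfix sorts after its base release."""
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)*)(?:\s*HF\s*(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:  # so 6.1 == 6.1.0
        nums.pop()
    return tuple(nums), int(m.group(2) or 0)


def triage(product, firmware):
    """Classify one inventory entry: 'mitigate', 'update', 'ok' or 'unlisted'."""
    name = re.sub(r"\s*\(.*?\)", "", product).strip()  # drop "(incl. SIPLUS variants)"
    if name in NO_FIX:
        return "mitigate"  # compensating controls only
    if name not in FIXED:
        return "unlisted"
    lowest, fixed = FIXED[name]
    have = parse_version(firmware)
    if lowest is not None and have < parse_version(lowest):
        return "ok"  # older than the affected range
    return "update" if have < parse_version(fixed) else "ok"


# Constructed sample inventory, not taken from the advisory.
INVENTORY = [
    ("SIMATIC CP 1243-1 (incl. SIPLUS variants)", "V3.4.28"),
    ("SIMATIC CP 1543-1", "V3.0.37"),
    ("SINAMICS S210 (6SL5...)", "V6.1 HF1"),
    ("SINAMICS S210 (6SL5...)", "V5.2"),
    ("SIMATIC CP 1243-1 DNP3", "V3.4.29"),
]
if __name__ == "__main__":
    for product, firmware in INVENTORY:
        print(f"{triage(product, firmware):9}{product} {firmware}")
```

Entries reported as `unlisted` are products this advisory does not cover, not products confirmed safe.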