Siemens SIMATIC RTLS Gateways
Act Now · 7.5 · ICS-CERT ICSA-24-046-03 · Feb 13, 2024
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
Siemens SIMATIC RTLS Gateway models (RTLS4030G and RTLS4430G) are affected by TCP/IP stack vulnerabilities disclosed as "Ripple20" by JSOF research. These vulnerabilities allow an attacker on the adjacent network segment to potentially execute code on the gateway device without authentication. The vulnerabilities affect all versions of the affected products, and no vendor fix is currently available. Siemens recommends protecting network access through appropriate mechanisms and following operational security guidelines.
What this means
What could happen
An attacker on the local network segment with access to a SIMATIC RTLS Gateway could execute code on the device and compromise the real-time location tracking system that monitors assets and personnel in your facility. This could disrupt tracking visibility, alter location data, or allow manipulation of the wireless network infrastructure.
Who's at risk
Water utilities, electric utilities, manufacturing plants, and logistics operations using Siemens SIMATIC RTLS Gateway systems for real-time asset and personnel location tracking. The RTLS4030G and RTLS4430G gateway models are affected across all firmware versions regardless of regional certification (ETSI, FCC, ISED, CMIIT).
How it could be exploited
An attacker with adjacent network access (same LAN segment or wireless network) could send specially crafted TCP/IP packets to exploit the Ripple20 vulnerabilities in the gateway's TCP/IP stack. The attacker does not need credentials or user interaction. Successful exploitation could allow the attacker to execute arbitrary code on the gateway device.
Prerequisites
- Adjacent network access (same LAN segment, WiFi network, or wired connection to the same switch)
- Network path to the RTLS Gateway device
- No authentication required
Tags: no patch available · remotely exploitable from adjacent network · high EPSS score (38.2%) · low complexity attack · affects critical infrastructure location tracking
Exploitability
High exploit probability (EPSS 38.2%)
Affected products (5), all 5 EOL

Product | Affected Versions | Fix Status
SIMATIC RTLS Gateway RTLS4030G, CMIIT (6GT2701-5DB23) | All versions | No fix (EOL)
SIMATIC RTLS Gateway RTLS4030G, ETSI (6GT2701-5DB03) | All versions | No fix (EOL)
SIMATIC RTLS Gateway RTLS4030G, FCC (6GT2701-5DB13) | All versions | No fix (EOL)
SIMATIC RTLS Gateway RTLS4030G, ISED (6GT2701-5DB33) | All versions | No fix (EOL)
SIMATIC RTLS Gateway RTLS4430G, Chirp, ETSI, FCC, ISED, IP65 (6GT2701-5CB03) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation to isolate RTLS Gateway devices on a separate VLAN with restricted access from general IT networks.
WORKAROUND: Apply firewall rules to limit network access to RTLS Gateway devices to only authorized management and sensor endpoints.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption.
WORKAROUND: Disable or restrict unused network services and ports on the RTLS Gateway if supported by the device firmware.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC RTLS Gateway RTLS4030G, CMIIT (6GT2701-5DB23); SIMATIC RTLS Gateway RTLS4030G, ETSI (6GT2701-5DB03); SIMATIC RTLS Gateway RTLS4030G, FCC (6GT2701-5DB13); SIMATIC RTLS Gateway RTLS4030G, ISED (6GT2701-5DB33); SIMATIC RTLS Gateway RTLS4430G, Chirp, ETSI, FCC, ISED, IP65 (6GT2701-5CB03). Apply the following compensating controls:
HARDENING: Monitor Siemens security advisories for future patches or updated guidance on these products.
HARDENING: Evaluate migration to newer RTLS Gateway models if Siemens releases patched versions in the future.
CVEs (1)