Siemens CP343-1 Devices
CVSS base score 7.5 | ICS-CERT ICSA-24-046-04 | Feb 13, 2024
Attack vector: Network
Authentication required: None
Attack complexity: Low
User interaction: None needed
Summary
The SIMATIC CP 343-1, CP 343-1 Lean, SIPLUS NET CP 343-1, and SIPLUS NET CP 343-1 Lean communication modules do not properly validate TCP sequence numbers. This allows an unauthenticated remote attacker to inject spoofed TCP RST (reset) packets and terminate active connections, creating a denial of service condition. The issue affects all versions of these products, and no vendor fix is available.
What this means
What could happen
An attacker who can reach the module over the network can interrupt its communications by sending crafted TCP packets, forcing the module to drop established connections and halting data flow between the control network and the connected systems until the connection is re-established. Because no authentication is involved, the attacker can repeat the injection to keep the link down.
Who's at risk
Water utilities and electric utilities that use Siemens SIMATIC systems for remote communications and data acquisition, particularly those with CP 343-1 communication modules managing connections between control networks and field devices or remote locations.
How it could be exploited
An attacker on the network forges TCP RST segments that carry the IP addresses and ports of an existing connection (the 4-tuple) together with a guessed sequence number. A conformant TCP stack discards a RST whose sequence number does not match what it expects (RFC 5961) or at least fall inside the receive window (RFC 793), so a blind attacker must guess among a very large number of values. Because the CP 343-1 does not validate the sequence number properly, far fewer spoofed segments are needed before one is accepted, the session is torn down, and the module stops passing data between the SIMATIC system and remote networks.
Prerequisites
- Network access to the device (any port on which the CP 343-1 accepts TCP connections)
- No authentication required
- Device must be actively communicating over TCP
- Knowledge, or a good guess, of the IP addresses and ports of an active connection to the device; on a flat OT network these are often observable or predictable (for example, a SCADA master polling a fixed service port)
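The following Python script is an added illustration, not Siemens code or text from the advisory. It models the receiver-side check a TCP stack applies to an incoming RST and contrasts three rules: a "lax" rule assumed here to stand for the module's behaviour (the exact firmware logic is not published, so treat this as an assumption), the RFC 793 in-window rule, and the RFC 5961 exact-match rule. The connection, addresses and port 102 (ISO-on-TCP, one port such modules serve; any TCP port applies) are constructed for the example.

```python
"""TCP RST acceptance rules: what 'does not validate sequence numbers' costs.

Added example, not Siemens code. The 'lax' rule is an assumed model of the
CP 343-1 behaviour described in the advisory; the other two are the rules a
standards-conformant stack applies.
"""
from dataclasses import dataclass

SEQ_SPACE = 2 ** 32


@dataclass(frozen=True)
class Connection:
    """Receiver-side view of an established connection on the module."""
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    rcv_nxt: int   # next sequence number the module expects from the peer
    rcv_wnd: int   # receive window the module advertised


@dataclass(frozen=True)
class Segment:
    """The fields of an incoming TCP segment that matter for RST handling."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    seq: int
    rst: bool = False


def spoof_rst(conn: Connection, seq: int) -> Segment:
    """Build the segment a blind attacker sends: it impersonates the peer."""
    return Segment(conn.remote_ip, conn.remote_port,
                   conn.local_ip, conn.local_port, seq % SEQ_SPACE, rst=True)


def matches_4tuple(conn: Connection, seg: Segment) -> bool:
    return (seg.src_ip == conn.remote_ip and seg.src_port == conn.remote_port
            and seg.dst_ip == conn.local_ip and seg.dst_port == conn.local_port)


def in_window(conn: Connection, seq: int) -> bool:
    """RCV.NXT <= SEQ < RCV.NXT + RCV.WND, with 32-bit wraparound."""
    return (seq - conn.rcv_nxt) % SEQ_SPACE < conn.rcv_wnd


def rst_accepted_lax(conn: Connection, seg: Segment) -> bool:
    """Assumed module behaviour: any RST for the right 4-tuple is honoured."""
    return seg.rst and matches_4tuple(conn, seg)


def rst_accepted_rfc793(conn: Connection, seg: Segment) -> bool:
    """RFC 793: a RST is honoured if its SEQ lies anywhere in the receive window."""
    return rst_accepted_lax(conn, seg) and in_window(conn, seg.seq)


def rst_accepted_rfc5961(conn: Connection, seg: Segment) -> bool:
    """RFC 5961: only SEQ == RCV.NXT resets; an in-window but inexact RST
    gets a challenge ACK instead of tearing the connection down."""
    return rst_accepted_lax(conn, seg) and seg.seq == conn.rcv_nxt


def expected_guesses(rule: str, conn: Connection) -> int:
    """Sequence-number guesses that cover the whole space under each rule,
    i.e. the worst case for a blind attacker who already knows the 4-tuple."""
    if rule == "lax":
        return 1
    if rule == "rfc793":
        return SEQ_SPACE // conn.rcv_wnd   # one guess per window-sized stride
    if rule == "rfc5961":
        return SEQ_SPACE
    raise ValueError(rule)


if __name__ == "__main__":
    # Constructed connection: an HMI at 10.0.0.10 talking to the module on port 102.
    conn = Connection("10.0.0.5", 102, "10.0.0.10", 40000,
                      rcv_nxt=1_000, rcv_wnd=8_192)
    guess = spoof_rst(conn, seq=9_197)   # just outside the window: a wrong guess
    for name, rule in (("lax", rst_accepted_lax),
                       ("rfc793", rst_accepted_rfc793),
                       ("rfc5961", rst_accepted_rfc5961)):
        print(f"{name:8s} accepts wrong guess: {str(rule(conn, guess)):5s} "
              f"guesses to cover the space: {expected_guesses(name, conn)}")
```

The point of `expected_guesses` is the scale difference: with an 8 KiB window an RFC 793 stack needs on the order of half a million spoofed segments, an RFC 5961 stack needs the full 2^32, and a stack that skips the check needs one. The 4-tuple still has to be right, which is why the access-restriction mitigations below matter even though they do not fix the flaw.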
Tags: remotely exploitable, no authentication required, low complexity, no patch available, affects network availability
Exploitability
Low exploit probability (EPSS 0.4%). EPSS estimates the likelihood of observed exploitation in the wild over the next 30 days; it says nothing about difficulty, which here is low (no authentication, a handful of spoofed packets).
Affected products (4), all end of life

Product                    Affected versions   Fix status
SIMATIC CP 343-1           All versions        No fix (EOL)
SIPLUS NET CP 343-1        All versions        No fix (EOL)
SIMATIC CP 343-1 Lean      All versions        No fix (EOL)
SIPLUS NET CP 343-1 Lean   All versions        No fix (EOL)
Remediation & Mitigation

Do now
- [Workaround] Restrict network access to CP 343-1 devices to only authorized engineering workstations and SCADA master stations using ACLs or firewall rules. Note that an ACL cannot stop an attacker who can already reach the module from an allowed address range, since the spoofed RST carries the legitimate peer's address; it shrinks the set of hosts that can inject.

Mitigations (no patch available)
The following products have reached end of life with no planned fix: SIMATIC CP 343-1, SIPLUS NET CP 343-1, SIMATIC CP 343-1 Lean, SIPLUS NET CP 343-1 Lean. Apply the following compensating controls:
- [Hardening] Implement network segmentation to isolate the CP 343-1 devices from untrusted network segments using firewalls or secure managed switches. A stateful firewall in the path that tracks TCP sequence numbers can drop out-of-window RSTs that the module itself would accept.
- [Hardening] Monitor network traffic to and from CP 343-1 devices for anomalous TCP behavior or frequent connection resets.
- [Hardening] Review and follow Siemens' operational guidelines for Industrial Security to harden the communication environment.
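To make the monitoring control concrete, the following Python script is an added example (not Siemens code or a Siemens-recommended tool). It reads a constructed, simplified flow log in the form `<epoch> <src_ip>:<port> > <dst_ip>:<port> <tcp flags>`, groups RSTs aimed at the assumed CP 343-1 addresses in `CP_ADDRESSES` into bursts, and reports bursts that exceed a threshold; the parser is the part you would swap for your own sensor's export (Zeek conn.log, NetFlow, or `tshark -T fields`).

```python
"""RST-burst detection over flow records (added example, not from the advisory).

Spoofed RSTs carry the legitimate peer's source address, so the source is not
a useful discriminator; the rate of resets toward a module is.
"""
from typing import Dict, List, NamedTuple

CP_ADDRESSES = {"10.0.0.5", "10.0.0.6"}   # assumption: the modules' IPs

# Constructed sample: normal S7 traffic, then five RSTs in ~0.1 s aimed at
# 10.0.0.5, then a single isolated RST to 10.0.0.6 much later.
SAMPLE_LOG = """\
1707800000.01 10.0.0.10:40000 > 10.0.0.5:102 PA
1707800000.05 10.0.0.5:102 > 10.0.0.10:40000 A
1707800001.00 10.0.0.10:40000 > 10.0.0.5:102 R
1707800001.02 10.0.0.10:40000 > 10.0.0.5:102 R
1707800001.05 10.0.0.10:40000 > 10.0.0.5:102 R
1707800001.07 10.0.0.10:40000 > 10.0.0.5:102 R
1707800001.10 10.0.0.10:40000 > 10.0.0.5:102 R
1707800030.00 10.0.0.11:40100 > 10.0.0.6:102 R
"""


class Record(NamedTuple):
    ts: float
    src: str
    dst: str
    flags: str


class Alert(NamedTuple):
    dst: str
    first_ts: float
    last_ts: float
    count: int


def parse_line(line: str) -> Record:
    """Parse one line of the simplified log format used by SAMPLE_LOG."""
    ts, src, arrow, dst, flags = line.split()
    if arrow != ">":
        raise ValueError(f"unexpected record: {line!r}")
    return Record(float(ts), src.rsplit(":", 1)[0], dst.rsplit(":", 1)[0], flags)


def rst_bursts(log: str, targets, threshold: int = 3, gap: float = 1.0) -> List[Alert]:
    """Group RSTs aimed at each target into bursts (consecutive RSTs no more
    than `gap` seconds apart) and report every burst of at least `threshold`."""
    rsts: Dict[str, List[float]] = {}
    for line in log.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if "R" in rec.flags and rec.dst in targets:
            rsts.setdefault(rec.dst, []).append(rec.ts)

    alerts: List[Alert] = []
    for dst, stamps in rsts.items():
        stamps.sort()
        burst = [stamps[0]]
        for ts in stamps[1:]:
            if ts - burst[-1] <= gap:
                burst.append(ts)
                continue
            if len(burst) >= threshold:
                alerts.append(Alert(dst, burst[0], burst[-1], len(burst)))
            burst = [ts]
        if len(burst) >= threshold:
            alerts.append(Alert(dst, burst[0], burst[-1], len(burst)))
    return alerts


if __name__ == "__main__":
    for a in rst_bursts(SAMPLE_LOG, CP_ADDRESSES):
        print(f"RST burst to {a.dst}: {a.count} resets in "
              f"{a.last_ts - a.first_ts:.2f}s starting at {a.first_ts}")
```

A caveat: if the module really accepts any RST for a known 4-tuple, one packet suffices and a rate threshold will not fire. Pair this check with alerting on unexpected connection drops seen from the SCADA master's side and, where the sensor tracks TCP state, on RSTs whose sequence number falls outside the tracked window.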
CVEs (1)