Siemens Industrial Products
Plan Patch
CVSS 7.3
ICS-CERT ICSA-24-256-08
Sep 10, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A Socket.IO vulnerability in multiple Siemens industrial products allows a remote attacker to cause denial of service by sending a specially crafted Socket.IO packet. The malformed packet triggers an uncaught exception in the Node.js process, crashing the affected application. Affected products are AI Model Deployer, DFM IED UI, LiveTwin, SIMATIC PCS neo, SIMATIC WinCC variants, SIMATIC WinCC Runtime Professional, and TIA Administrator. The vulnerability has a CVSS score of 7.3 (network-based, low complexity, no authentication needed, partial impact to confidentiality, integrity, and availability).
What this means
What could happen
An attacker can send a malformed Socket.IO packet to crash the Node.js process running these applications, causing them to become unavailable. For operators, this could interrupt monitoring, control interfaces, or industrial edge computing operations until the service restarts.
Who's at risk
Siemens industrial edge devices, monitoring platforms, and engineering workstations running affected versions. This includes water and electric utilities using SIMATIC WinCC, PCS neo, or Industrial Edge applications for SCADA, HMI, or process monitoring. WinCC versions 7.4, 7.5, and 8.0 are affected, as are engineering platforms such as TIA Administrator and LiveTwin.
How it could be exploited
An attacker needs network access to the affected application's Socket.IO port (typically exposed on port 443 or custom ports). They send a specially crafted Socket.IO packet that triggers an uncaught exception in the Node.js runtime, crashing the service and causing denial of service.
Prerequisites
- Network access to the affected product's Socket.IO listener port
- No authentication required
- Product must be running with Socket.IO enabled
Risk factors
- Remotely exploitable over network
- No authentication required
- Low complexity attack
- Affects operational monitoring and control interfaces
- No patch available for WinCC V7.4 and Runtime Professional V17
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (12)
10 with fix, 2 EOL
Product | Affected Versions | Fix Status
SIMATIC WinCC Runtime Professional V17 | All versions | No fix (EOL)
AI Model Deployer | <V1.1 | 1.1
Data Flow Monitoring Industrial Edge Device User Interface (DFM IED UI) | <V0.0.6 | 0.0.6
LiveTwin Industrial Edge app | <V2.4 | 2.4
SIMATIC PCS neo V4.1 | <V4.1 Update 2 | 4.1 Update 2
SIMATIC PCS neo V5.0 | <V5.0 Update 1 | 5.0 Update 1
SIMATIC WinCC Runtime Professional V18 | <V18 Update 5 | 18 Update 5
SIMATIC WinCC Runtime Professional V19 | <V19 Update 3 | 19 Update 3
Remediation & Mitigation
Do now
SIMATIC WinCC Runtime Professional V17
WORKAROUND: For SIMATIC WinCC Runtime Professional V17 and SIMATIC WinCC V7.4 (no patches available), apply strict network access controls and monitor for unexpected service crashes
All products
HARDENING: Restrict network access to affected products using firewall rules; ensure applications are not exposed to the internet
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
AI Model Deployer
HOTFIX: Update AI Model Deployer to version 1.1 or later
LiveTwin Industrial Edge app
HOTFIX: Update LiveTwin Industrial Edge app to version 2.4 or later
SIMATIC PCS neo V4.1
HOTFIX: Update SIMATIC PCS neo V4.1 to 4.1 Update 2 or later
SIMATIC PCS neo V5.0
HOTFIX: Update SIMATIC PCS neo V5.0 to 5.0 Update 1 or later
SIMATIC WinCC Runtime Professional V18
HOTFIX: Update SIMATIC WinCC Runtime Professional V18 to 18 Update 5 or later
SIMATIC WinCC Runtime Professional V19
HOTFIX: Update SIMATIC WinCC Runtime Professional V19 to 19 Update 3 or later
SIMATIC WinCC V7.5
HOTFIX: Update SIMATIC WinCC V7.5 to 7.5 SP2 Update 18 or later
SIMATIC WinCC V8.0
HOTFIX: Update SIMATIC WinCC V8.0 to 8.0 Update 5 or later
TIA Administrator
HOTFIX: Update TIA Administrator to 3.0.3 or later
All products
HOTFIX: Update DFM Industrial Edge Device User Interface to version 0.0.6 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC WinCC Runtime Professional V17, SIMATIC WinCC V7.4. Apply the following compensating controls:
HARDENING: Segment industrial edge and control system networks from business networks
CVEs (1)
API: /api/v1/advisories/dceaa250-74f9-480e-8c1a-e9615009ec71