OTPulse

Siemens SIMATIC, SIPLUS, and TIM

Monitor | CVSS 5.9 | ICS-CERT ICSA-24-256-09 | Sep 10, 2024
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Multiple NULL pointer dereference vulnerabilities exist in the web server of Siemens SIMATIC CP communication modules (versions before V3.5.20) and TIM 1531 IRC telecontrol modules (versions before V2.4.8), and in SIMATIC HMI Comfort Panels, SIMATIC IPC DiagBase, SIMATIC IPC DiagMonitor and SIMATIC WinCC Runtime Advanced, for which no patch is available. An unauthenticated attacker with network access to the web server can send a crafted request that triggers a NULL pointer dereference and crashes the web server process, resulting in a denial of service.

What this means
What could happen
A NULL pointer dereference in the web server of these communication modules and HMI devices lets an attacker crash the web server process, which interrupts remote monitoring and control of the device over its web interface until the device is manually restarted. The advisory describes only the web server process crashing; it does not state any effect on the device's other communication or control functions.
Who's at risk
Manufacturing and other industrial facilities using Siemens SIMATIC CP communication modules, TIM 1531 IRC telecontrol modules, or the listed HMI and IPC diagnostic products, particularly where the built-in web server is used for remote monitoring and access. SIMATIC HMI Comfort Panels, SIMATIC IPC DiagBase, SIMATIC IPC DiagMonitor and SIMATIC WinCC Runtime Advanced have no patch available and must rely on workarounds.
How it could be exploited
An attacker with network access to the web server on an affected device sends a specially crafted request that triggers a NULL pointer dereference, causing the web server process to crash and become unavailable. Legitimate operators can then no longer reach the device remotely until it is restarted.
Prerequisites
  • Network access to the web server port (typically TCP 80/443)
  • Web server enabled on the device
  • High attack complexity (non-trivial trigger conditions)
Key facts
  • Remotely exploitable
  • No authentication required for the web server
  • High attack complexity (limits practical exploitation)
  • No patch available for HMI Comfort Panels, IPC DiagBase, IPC DiagMonitor and WinCC Runtime Advanced
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (12): 8 with fix, 4 EOL

Product                                            Affected versions   Fix status
SIMATIC CP 1242-7 V2 (incl. SIPLUS variants)       < V3.5.20           Update to V3.5.20
SIMATIC CP 1243-1 (incl. SIPLUS variants)          < V3.5.20           Update to V3.5.20
SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants)     < V3.5.20           Update to V3.5.20
SIMATIC CP 1243-1 IEC (incl. SIPLUS variants)      < V3.5.20           Update to V3.5.20
SIMATIC CP 1243-7 LTE                              < V3.5.20           Update to V3.5.20
SIMATIC CP 1243-8 IRC                              < V3.5.20           Update to V3.5.20
SIMATIC TIM 1531 IRC                               < V2.4.8            Update to V2.4.8
SIPLUS TIM 1531 IRC                                < V2.4.8            Update to V2.4.8
SIMATIC WinCC Runtime Advanced                     All versions        No fix (EOL)
SIMATIC HMI Comfort Panels (incl. SIPLUS variants) All versions        No fix (EOL)
SIMATIC IPC DiagBase                               All versions        No fix (EOL)
SIMATIC IPC DiagMonitor                            All versions        No fix (EOL)
Remediation & Mitigation

Do now
  • Workaround: Disable the web server on affected devices that cannot be updated.
  • Hardening: Restrict network access to the device web server with firewall rules; make sure the devices are not directly reachable from the internet.
Schedule (requires maintenance window)

Patching may require a device reboot; plan for process interruption.
  • Hotfix (TIM modules): Update SIMATIC TIM 1531 IRC and SIPLUS TIM 1531 IRC to firmware version V2.4.8 or later.
  • Hotfix (CP modules): Update SIMATIC CP 1242-7 V2, CP 1243-1 (including the DNP3 and IEC variants), CP 1243-7 LTE and CP 1243-8 IRC, together with the SIPLUS variants listed in the table, to firmware version V3.5.20 or later.
After updating, confirm the running firmware version on each device is at or above the fixed version; compare version numbers component by component (V3.5.9 is older than V3.5.20), not as strings.
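The following is an added example, not code from OTPulse, Siemens or ICS-CERT, that turns the affected-products table and the hotfix steps above into an inventory check. It assumes a hypothetical CSV inventory with columns hostname, product, firmware (the product spellings follow the table), and it applies the table's statement that SIPLUS variants share the fix version of the SIMATIC product they are based on. The sample inventory embedded at the bottom is constructed for the example; the cp-03 entry shows why the firmware strings must be compared numerically rather than as text.

```python
"""Inventory check for ICSA-24-256-09 (added example, not from the advisory itself).

Assumptions (this example's own conventions): a CSV inventory with the columns
hostname, product, firmware; product names spelled as in the advisory table;
SIPLUS variants mapped onto the SIMATIC base product they derive from.
"""
from __future__ import annotations

import csv
import io
import re

# Fixed firmware per product, from the advisory's affected-products table.
FIXED_VERSION = {
    "SIMATIC CP 1242-7 V2": (3, 5, 20),
    "SIMATIC CP 1243-1": (3, 5, 20),
    "SIMATIC CP 1243-1 DNP3": (3, 5, 20),
    "SIMATIC CP 1243-1 IEC": (3, 5, 20),
    "SIMATIC CP 1243-7 LTE": (3, 5, 20),
    "SIMATIC CP 1243-8 IRC": (3, 5, 20),
    "SIMATIC TIM 1531 IRC": (2, 4, 8),
}

# Products the advisory lists as end of life with no planned fix.
EOL_NO_FIX = {
    "SIMATIC WinCC Runtime Advanced",
    "SIMATIC HMI Comfort Panels",
    "SIMATIC IPC DiagBase",
    "SIMATIC IPC DiagMonitor",
}

_VERSION_RE = re.compile(r"V?(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'V3.5.9' or '3.5.20' into an integer tuple so that 3.5.9 < 3.5.20.

    Comparing the raw strings gets this wrong: 'V3.5.9' > 'V3.5.20' as text.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def canonical_product(name: str) -> str:
    """Normalise whitespace and collapse a SIPLUS variant onto its SIMATIC base product."""
    name = " ".join(name.split())
    if name.startswith("SIPLUS "):
        name = "SIMATIC " + name[len("SIPLUS "):]
    return name


def assess(product: str, firmware: str = "") -> str:
    """Classify one device as 'fixed', 'update', 'eol-no-fix' or 'not-listed'."""
    product = canonical_product(product)
    if product in EOL_NO_FIX:
        return "eol-no-fix"          # only compensating controls apply
    fixed = FIXED_VERSION.get(product)
    if fixed is None:
        return "not-listed"          # not named in this advisory
    if not firmware.strip():
        return "update"              # unknown firmware: treat as vulnerable until verified
    return "fixed" if parse_version(firmware) >= fixed else "update"


def assess_inventory(csv_text: str) -> dict[str, str]:
    """Run assess() over a hostname,product,firmware CSV; map hostname -> verdict."""
    verdicts: dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        verdicts[row["hostname"]] = assess(row["product"], row.get("firmware", ""))
    return verdicts


# Constructed sample inventory (no real devices). cp-03 runs V3.5.9, which a plain
# string comparison against "V3.5.20" would wrongly report as already patched.
SAMPLE_INVENTORY = """hostname,product,firmware
cp-01,SIMATIC CP 1243-1,V3.5.20
cp-02,SIPLUS CP 1243-1 DNP3,V3.5.18
cp-03,SIMATIC CP 1243-8 IRC,V3.5.9
tim-01,SIPLUS TIM 1531 IRC,V2.4.8
tim-02,SIMATIC TIM 1531 IRC,V2.3.1
hmi-01,SIMATIC HMI Comfort Panels,V17.0.0
plc-01,SIMATIC S7-1500 CPU,V2.9.4
"""

if __name__ == "__main__":
    for host, verdict in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:8} {verdict}")
```

Devices reported as "update" go into the maintenance-window step above; "eol-no-fix" devices fall through to the compensating controls in the next section; "not-listed" only means the product is not in this advisory, not that it is safe.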
Mitigations (no patch available)

The following products have reached end of life with no planned fix: SIMATIC WinCC Runtime Advanced, SIMATIC HMI Comfort Panels (incl. SIPLUS variants), SIMATIC IPC DiagBase, SIMATIC IPC DiagMonitor. Apply the following compensating controls in addition to the web server workaround under "Do now":
  • Hardening: Place all affected devices behind a firewall and isolate them from business networks.