OTPulse

Siemens TeleControl Server

Act Now · CVSS 10 · ICS-CERT ICSA-24-319-10 · Nov 12, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

TeleControl Server Basic V3.1 contains an unsafe deserialization vulnerability (CWE-502) that allows an unauthenticated attacker to execute arbitrary code on the device. All versions prior to V3.1.2.1 are affected across all product variants (Basic 8 through 5000, including PP and Service Upgrade variants).

What this means
What could happen
An attacker could execute arbitrary code on your TeleControl Server, potentially altering telemetry data, disrupting communication with remote terminal units, or compromising the integrity of your SCADA network. This could cause loss of visibility into field operations and enable manipulation of remote control commands.
Who's at risk
Water utilities and electric utilities running Siemens TeleControl Server Basic for supervisory control or remote terminal unit communications. This includes all TeleControl Server Basic variants (sizes 8 to 5000 stations) used in SCADA systems to aggregate data from and send commands to remote field devices. Also affects packaged versions (PP variants) and service upgrade installations.
How it could be exploited
An attacker on the network sends a malicious serialized object to the TeleControl Server's network interface. The server deserializes the object without validation, triggering arbitrary code execution with the privileges of the TeleControl process. No authentication is required; the attacker only needs network connectivity to the server.
Prerequisites
  • Network access to the TeleControl Server on its service port (typically port 502 or 10001, depending on configuration)
  • No authentication required
  • TeleControl Server Basic V3.1, any variant, running a version prior to V3.1.2.1
Remotely exploitable · No authentication required · Low complexity exploit · Critical CVSS score (10.0) · Affects central SCADA server component
Exploitability
Moderate exploit probability (EPSS 6.6%)
Affected products (13)
13 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| TeleControl Server Basic Upgr V3.1 | <V3.1.2.1 | 3.1.2.1 |
| PP TeleControl Server Basic 1000 to 5000 V3.1 | <V3.1.2.1 | 3.1.2.1 |
| PP TeleControl Server Basic 256 to 1000 V3.1 | <V3.1.2.1 | 3.1.2.1 |
| PP TeleControl Server Basic 32 to 64 V3.1 | <V3.1.2.1 | 3.1.2.1 |
| PP TeleControl Server Basic 64 to 256 V3.1 | <V3.1.2.1 | 3.1.2.1 |
| PP TeleControl Server Basic 8 to 32 V3.1 | <V3.1.2.1 | 3.1.2.1 |
| TeleControl Server Basic 1000 V3.1 | <V3.1.2.1 | 3.1.2.1 |
| TeleControl Server Basic 256 V3.1 | <V3.1.2.1 | 3.1.2.1 |
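
To find which hosts still need the update, an asset inventory export can be checked against the fixed version listed above. This is an added example, not part of the advisory or any Siemens tooling; the CSV columns, hostnames and versions are constructed, and the product-name match and status labels are assumptions.

```python
import csv
import io
import re

FIXED = (3, 1, 2, 1)       # first fixed release per the advisory
COVERED_LINE = (3, 1)      # the advisory covers the V3.1 product line

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """host,product,version
scada-tcs-01,TeleControl Server Basic 256 V3.1,V3.1.2.0
scada-tcs-02,PP TeleControl Server Basic 8 to 32 V3.1,3.1.2.1
scada-tcs-03,TeleControl Server Basic 1000 V3.1,V3.1.1
scada-tcs-04,TeleControl Server Basic Upgr V3.1,v3.1.2.2
scada-hmi-01,Some Other HMI,V3.1.0.0
scada-tcs-05,TeleControl Server Basic 64 V3.1,unknown
"""

def parse_version(text):
    """Return a 4-part tuple for 'V3.1.2.0' or '3.1.1' style strings, else None."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+){0,3})", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))   # pad so 3.1.1 == 3.1.1.0

def triage(row):
    """Classify a row as 'not-applicable', 'affected', 'fixed' or 'review'."""
    if "telecontrol server basic" not in row["product"].lower():
        return "not-applicable"
    version = parse_version(row["version"])
    if version is None or version[:2] != COVERED_LINE:
        # Unreadable version, or a release line this advisory does not list:
        # do not assume it is safe, verify on the host.
        return "review"
    return "affected" if version < FIXED else "fixed"

def triage_inventory(csv_text):
    """Map each host in the CSV export to its triage status."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: triage(row) for row in reader}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `review` should be handled like `affected` until the installed version is confirmed on the server itself.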
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the TeleControl Server to only trusted engineering workstations and remote terminal units using firewall rules or access control lists on your network boundary. Block or limit connectivity from untrusted networks.
WORKAROUND: Disable redundancy functionality on the TeleControl Server if it is not actively used in your configuration, as this may reduce the attack surface.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update TeleControl Server Basic to version 3.1.2.1 or later. This requires a maintenance window and coordination with your operations team to avoid disruption of SCADA telemetry and control functions.
Long-term hardening
HARDENING: Implement network segmentation to isolate SCADA servers from corporate networks and untrusted segments. Use a demilitarized zone (DMZ) or industrial control network boundary for TeleControl Server deployments.