Siemens SIMATIC NET CP, SINEMA and SCALANCE

CVSS 7.5 | ICS-CERT ICSA-25-259-03 | Feb 8, 2022
Siemens | Transportation

Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Integer overflow vulnerabilities in Siemens industrial network communication modules (SCALANCE M-series routers, SIMATIC CP communication processors, SCALANCE SC switches, and SINEMA Remote Connect Server). A remote attacker can send a specially crafted packet to trigger an integer overflow in the device firmware, causing denial of service. Affected versions include SCALANCE M-series firmware prior to V7.1, SIMATIC CP 1242-7/1243/1243-7/1243-8/1542SP/1543/1543SP/1545 firmware prior to their respective fixed versions (V3.3.46, V2.2.28, V3.0.22, or V1.1), SCALANCE SC622/632/636/642/646 firmware prior to V2.3, and SINEMA Remote Connect Server prior to V3.1. The issue is identified as CVE-2021-41991 and relates to CWE-190 (integer overflow or wraparound).

What this means
What could happen
An attacker can remotely trigger an integer overflow in these Siemens network communication modules, causing them to stop functioning (denial of service). This would interrupt data transfer for PLCs and industrial controllers that depend on these devices for remote connectivity.
Who's at risk
This vulnerability affects Siemens industrial network communication modules used in manufacturing plants, water treatment facilities, and transportation systems. Specifically: SCALANCE M-series ADSL/SHDSL routers and LTE cellular modules that provide remote connectivity for PLCs and controllers; SIMATIC CP (communication processors) used in S7-1200 and S7-1500 PLCs; SCALANCE SC managed switches; and SINEMA Remote Connect Server for remote maintenance. Transportation, utilities, and manufacturing sectors that rely on these devices for remote PLC access and WAN connectivity are at risk.
How it could be exploited
An attacker with network access to the affected device sends a specially crafted packet that triggers an integer overflow in the device firmware. The device stops responding or crashes, breaking network connectivity for the PLC or controller it serves.
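The following is an added illustration of the CWE-190 pattern described above; it is not Siemens firmware code, and since the advisory does not disclose the affected protocol, the frame layout, HDR_LEN and RX_BUF_LEN are constructed assumptions. accept_frame_wraparound() computes the total size in 32-bit arithmetic, so a declared payload length near UINT32_MAX wraps to a small value and passes the bounds check; accept_frame_checked() shows the overflow-safe check a defender would expect in a fix.

```c
#include <stdint.h>
#include <stddef.h>

/* Constructed frame layout for illustration (not the Siemens wire format,
 * which the advisory does not describe): 4-byte type, 4-byte big-endian
 * payload length, then payload. HDR_LEN and RX_BUF_LEN are assumptions. */
#define HDR_LEN    8u
#define RX_BUF_LEN 64u

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* CWE-190 pattern: total is computed in 32 bits, so a declared length near
 * UINT32_MAX wraps to a small value and the bounds check passes. The copy
 * that would follow in real firmware is omitted; only the accept/reject
 * decision is modelled. Returns 1 = frame accepted, 0 = rejected. */
int accept_frame_wraparound(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < HDR_LEN) return 0;
    uint32_t payload_len = be32(pkt + 4);
    uint32_t total = HDR_LEN + payload_len;   /* wraps modulo 2^32 */
    return total <= RX_BUF_LEN;
}

/* Hardened variant: overflow-checked addition (matters on firmware targets
 * where size_t is 32 bits) plus a check that the declared length does not
 * exceed the bytes actually received. */
int accept_frame_checked(const uint8_t *pkt, size_t pkt_len) {
    if (pkt_len < HDR_LEN) return 0;
    uint32_t payload_len = be32(pkt + 4);
    size_t total;
    if (__builtin_add_overflow((size_t)HDR_LEN, (size_t)payload_len, &total)) return 0;
    if (total > RX_BUF_LEN || total > pkt_len) return 0;
    return 1;
}

/* Constructed sample frames. CRAFTED_FRAME declares 0xFFFFFFFC payload
 * bytes but carries none; BENIGN_FRAME declares 16 and carries 16. */
static const uint8_t CRAFTED_FRAME[8] = {0,0,0,1, 0xFF,0xFF,0xFF,0xFC};
static const uint8_t BENIGN_FRAME[24] = {0,0,0,1, 0,0,0,16,
                                         1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16};
```

With the crafted frame, accept_frame_wraparound() returns 1 (the later copy of 0xFFFFFFFC bytes would then crash the device) while accept_frame_checked() returns 0; both accept the benign frame.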
Prerequisites
  • Network access to the affected device's communication interface (Ethernet port or remote interface)
  • No authentication required
Tags: remotely exploitable | no authentication required | low complexity | no patch available for any affected product | affects industrial communication infrastructure
Exploitability
Some exploitation risk — EPSS score 2.5%
Affected products (82)
41 with fix, 41 pending

Product                 Affected Versions   Fix Status
SCALANCE SC632-2C       < V2.3              V2.3
SCALANCE SC636-2C       < V2.3              V2.3
SCALANCE SC642-2C       < V2.3              V2.3
SCALANCE SC646-2C       < V2.3              V2.3
SIMATIC CP 1242-7 V2    < V3.3.46           V3.3.46
Remediation & Mitigation
Do now
SIMATIC CP 1242-7 V2
  WORKAROUND: For SIMATIC CP 1242-7 V2, CP 1243-1, CP 1243-7 LTE, CP 1243-8 IRC, and SIPLUS equivalents: only deploy certificates via TIA Portal that were created with TIA Portal.
All products
  HARDENING: Restrict network access to affected devices using firewall rules; allow only necessary traffic to required ports from trusted engineering workstations and supervisory systems.
  HARDENING: Isolate remote connectivity devices (M-series ADSL/SHDSL routers, LTE modules) from direct internet exposure; place them behind a VPN or demilitarized zone (DMZ) with strict ingress filtering.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SCALANCE S615
  HOTFIX: Update SCALANCE M816-1 ADSL-Router, M874-2, M874-3, M876 series, MUM853-1, MUM856-1, M812-1 ADSL-Router, M826-2 SHDSL-Router, M804PB, RUGGEDCOM RM1224 LTE, and SCALANCE S615 to firmware V7.1 or later.
SIMATIC CP 1242-7 V2
  HOTFIX: Update SIMATIC CP 1242-7 V2, CP 1243-1, CP 1243-7 LTE, CP 1243-8 IRC, and SIPLUS equivalents to firmware V3.3.46 or later.
SIMATIC CP 1542SP-1
  HOTFIX: Update SIMATIC CP 1542SP-1, CP 1542SP-1 IRC, CP 1543SP-1, and SIPLUS ET 200SP equivalents to firmware V2.2.28 or later.
SIMATIC CP 1543-1
  HOTFIX: Update SIMATIC CP 1543-1 and SIPLUS NET CP 1543-1 to firmware V3.0.22 or later.
SIMATIC CP 1545-1
  HOTFIX: Update SIMATIC CP 1545-1 to firmware V1.1 or later.
SCALANCE SC622-2C
  HOTFIX: Update SCALANCE SC622-2C, SC632-2C, SC636-2C, SC642-2C, and SC646-2C to firmware V2.3 or later.
SINEMA Remote Connect Server
  HOTFIX: Update SINEMA Remote Connect Server to V3.1 or later.