Multiple NTP-Client Related Vulnerabilities in SIMATIC CP 443-1 OPC UA
Act Now | 9.8 | SSA-211752 | Jun 8, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
All versions of the SIMATIC CP 443-1 OPC UA contain multiple vulnerabilities in the NTP client component, including improper input validation (CWE-20), buffer overflow (CWE-120), and authentication bypass (CWE-287). These vulnerabilities allow remote code execution without credentials. No firmware update is available from Siemens at this time.
What this means
What could happen
An attacker on the network could send malformed NTP packets to the CP 443-1 OPC UA module, triggering buffer overflows or other memory corruption that could allow remote code execution and complete control of the device, disrupting OPC UA communications and potentially affecting downstream SCADA or HMI systems that depend on it.
Who's at risk
Water utilities and electric utilities using SIMATIC CP 443-1 OPC UA modules for SCADA communication, data acquisition, or remote I/O bridging. Any facility relying on OPC UA connectivity to industrial controllers or human-machine interfaces (HMIs) is at risk. This affects all firmware versions with no patch currently available.
How it could be exploited
An attacker with network access to the CP 443-1 OPC UA sends crafted NTP protocol packets to port 123 (UDP). The vulnerable NTP client component fails to validate packet structure properly, allowing buffer overflow or memory corruption. The attacker achieves remote code execution on the module without credentials, and can then manipulate OPC UA data or disable the module entirely.
Prerequisites
- Network access to UDP port 123 on the CP 443-1 OPC UA module
- Device must be running any version of SIMATIC CP 443-1 OPC UA
- No authentication required
Remotely exploitable | No authentication required | Low complexity attack | High EPSS score (34.9%) | No patch available | Affects critical communication infrastructure
Exploitability
High exploit probability (EPSS 34.9%)
Affected products (1)
Product | Affected Versions | Fix Status
SIMATIC CP 443-1 OPC UA | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Implement network segmentation and firewall rules to restrict inbound UDP port 123 traffic to the CP 443-1 OPC UA module; allow only from trusted NTP servers or internal timekeeping infrastructure
WORKAROUND: Disable NTP client functionality on the CP 443-1 OPC UA if not required for operation; use an alternative time synchronization method if available
Schedule — requires maintenance window
Patching may require device reboot; plan for process interruption
HARDENING: Monitor network traffic to and from the module for unusual NTP packets or unexpected time-sync requests
Mitigations - no patch available
SIMATIC CP 443-1 OPC UA has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Place the CP 443-1 OPC UA on an isolated or protected network segment separate from untrusted or internet-facing networks
HARDENING: Establish a change control process to evaluate and test any future security patches from Siemens when they become available
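The monitoring control above, sketched as an added example (not part of the Siemens advisory or of this page's original content): a Python check that flags inbound UDP/123 datagrams to the module that come from outside a trusted-server list or fail basic NTP header sanity checks. The server address, the sample datagrams and all function names are assumptions made for illustration, and the module is assumed to act as a unicast NTP client.

```python
import ipaddress
import struct

# Assumption: the site's trusted time sources (documentation-range address).
TRUSTED_NTP_SERVERS = {ipaddress.ip_address("192.0.2.10")}
NTP_HEADER_LEN = 48   # fixed NTP header size in bytes
EXPECTED_MODE = 4     # "server" reply, the only mode a unicast client expects

def check_ntp_datagram(src_ip, payload):
    """Return the reasons an inbound UDP/123 datagram looks suspicious."""
    reasons = []
    if ipaddress.ip_address(src_ip) not in TRUSTED_NTP_SERVERS:
        reasons.append("source not in trusted NTP server list")
    if len(payload) < NTP_HEADER_LEN:
        reasons.append(f"truncated header ({len(payload)} bytes)")
        return reasons  # too short to parse any further
    first, stratum = struct.unpack_from("!BB", payload, 0)
    version, mode = (first >> 3) & 0x7, first & 0x7
    if version not in (3, 4):  # assumption: only NTPv3/v4 is used on site
        reasons.append(f"unexpected NTP version {version}")
    if mode != EXPECTED_MODE:
        reasons.append(f"unexpected mode {mode}")
    if stratum > 16:
        reasons.append(f"reserved stratum {stratum}")
    # Extension fields and MACs after the header are whole 32-bit words.
    if (len(payload) - NTP_HEADER_LEN) % 4:
        reasons.append("trailing data not 32-bit aligned")
    return reasons

def ntp_packet(version, mode, stratum, extra=b""):
    """Build a constructed 48-byte sample header (LI=0, zeroed timestamps)."""
    return bytes([(version << 3) | mode, stratum]) + bytes(46) + extra

# Constructed sample traffic, not captured from a real device.
SAMPLES = [
    ("192.0.2.10", ntp_packet(4, 4, 2)),       # ordinary server reply
    ("192.0.2.10", ntp_packet(4, 6, 2)),       # control-mode message
    ("198.51.100.7", ntp_packet(4, 4, 2)),     # sender outside the allowlist
    ("192.0.2.10", b"\x24\x02" + bytes(10)),   # truncated datagram
]

def triage(samples):
    return [(src, check_ntp_datagram(src, data)) for src, data in samples]

if __name__ == "__main__":
    for src, reasons in triage(SAMPLES):
        print(src, "OK" if not reasons else "; ".join(reasons))
```

The same checks can be fed from a packet capture or a network sensor on the segment hosting the module; any non-empty result is a candidate alert.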
CVEs (15)