OpenSSL Vulnerability in Industrial Products
Plan Patch · 7.4 · SSA-244969 · Feb 8, 2022
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
OpenSSL vulnerability (CWE-125: out-of-bounds read) in versions 1.1.1 < 1.1.1l and 1.0.2 < 1.0.2za. Affects Siemens industrial networking devices, controllers, and software that bundle vulnerable OpenSSL libraries. An attacker can cause denial of service or read private memory content (such as private keys or session data).
What this means
What could happen
An attacker with network access could read sensitive data from device memory (encryption keys, credentials) or crash the device, disrupting network connectivity to control systems. Affected devices include industrial switches, routers, and communications modules that handle critical data flows.
Who's at risk
Water utilities, electric utilities, and manufacturing plants using Siemens industrial networking products. Specifically: SCALANCE M/W/S series industrial switches and routers used for connecting remote RTUs, SCADA systems, and distributed I/O; RUGGEDCOM industrial routers in remote substations or field sites; SIMATIC controllers (S7-1200 and CP modules) in PLCs; and Industrial Edge computing devices. Any facility with these devices in its OT network should review its inventory.
How it could be exploited
An attacker can send a specially crafted network request to any Siemens product running vulnerable OpenSSL (typically on the management or industrial network interface). The out-of-bounds read allows the attacker to extract data from the device's memory without authentication, or trigger a crash by consuming excessive resources.
Prerequisites
- Network access to the affected device on the port or interface where OpenSSL is used (typically HTTP/HTTPS management port, often 80/443)
- No authentication required to exploit the vulnerability
- Device must be running a vulnerable version of OpenSSL
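The version ranges given in the summary can be checked mechanically against an inventory of reported OpenSSL version strings. The following is an added example, not part of the advisory or of any Siemens tooling; the host names and banners are constructed, and `classify` and `triage` are hypothetical helper names.

```python
import re

# Affected ranges as stated in the advisory summary:
#   1.1.1 series before 1.1.1l, 1.0.2 series before 1.0.2za
FIRST_FIXED = {(1, 1, 1): "l", (1, 0, 2): "za"}

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def letter_rank(suffix: str) -> int:
    """Order pre-3.0 OpenSSL patch letters: '' < a < ... < z < za < zb ..."""
    return sum(ord(c) - ord("a") + 1 for c in suffix)


def classify(banner: str) -> str:
    """Return 'affected', 'fixed', 'out-of-range' or 'unparsed'."""
    m = _VERSION_RE.search(banner)
    if not m:
        return "unparsed"
    base = tuple(int(x) for x in m.group(1, 2, 3))
    first_fixed = FIRST_FIXED.get(base)
    if first_fixed is None:
        return "out-of-range"  # release series not named in this advisory
    if letter_rank(m.group(4)) < letter_rank(first_fixed):
        return "affected"
    return "fixed"


def triage(inventory: dict) -> dict:
    """Map each host in the inventory to its classification."""
    return {host: classify(banner) for host, banner in inventory.items()}


# Constructed sample inventory (illustrative hosts and banners only)
SAMPLE_INVENTORY = {
    "eng-ws-01": "OpenSSL 1.1.1k",
    "eng-ws-02": "OpenSSL 1.1.1l",
    "historian": "OpenSSL 1.0.2u",
    "gateway": "OpenSSL 1.0.2za",
    "jump-host": "OpenSSL 3.0.1",
    "legacy-hmi": "version unavailable",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

A library string only covers systems that expose one; for the Siemens products listed below, the firmware version in the fix table is what determines whether a unit is patched.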
Remotely exploitable over network · No authentication required · Low complexity exploit · Affects memory confidentiality and availability · Large number of affected product lines · Multiple products have no patch available (end-of-life)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (173)
148 with fix, 25 pending

| Product | Affected Versions | Fix Status |
|---|---|---|
| Industrial Edge - Machine Insight App | All versions | No fix yet |
| Industrial Edge - PROFINET IO Connector | < V1.1.1 | 1.1.1 |
| RUGGEDCOM RM1224 LTE(4G) EU | < V7.1 | 7.1 |
| RUGGEDCOM RM1224 LTE(4G) NAM | < V7.1 | 7.1 |
| RUGGEDCOM ROX MX5000 | < V2.15.0 | 2.15.0 |
Remediation & Mitigation
Do now
HARDENING: Restrict network access to affected devices using firewall rules; limit management port access (HTTP/HTTPS) to authorized engineering networks only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC CP 1242-7 V2
HOTFIX: Update SIMATIC CP 1242-7 V2, CP 1243-x, CP 1243-8 IRC, SIPLUS NET CP modules to firmware 3.3.46 or later
SIMATIC CP 1542SP-1
HOTFIX: Update SIMATIC CP 1542SP-1, CP 1543SP-1, SIPLUS ET 200SP CP 1543SP-1 variants to firmware 2.2.28 or later
SIMATIC CP 1543-1
HOTFIX: Update SIMATIC CP 1543-1, SIPLUS NET CP 1543-1 to firmware 3.0.22 or later
SIMATIC CP 1545-1
HOTFIX: Update SIMATIC CP 1545-1 to firmware 1.1 or later
SIMATIC PCS neo (Administration Console)
HOTFIX: Update SIMATIC PCS neo Administration Console to version 3.1 SP 1 or later
SIMATIC Process Historian OPC UA Server
HOTFIX: Update SIMATIC Process Historian OPC UA Server to version 2020 SP1 or later
SINEC NMS
HOTFIX: Update SINEC NMS to version 1.0.3 or later
SINEMA Remote Connect Server
HOTFIX: Update SINEMA Remote Connect Server to version 3.1 or later
SINUMERIK Operate
HOTFIX: Update SINUMERIK Operate to version 4.95 SP1 or later
TIA Administrator
HOTFIX: Update TIA Administrator to version 1.0 SP7 or later
All products
HOTFIX: Update SCALANCE X-series (X200/X201/X202/X204/X206/X208/X212/X216/X224/X302/X304/X306/X307/X308/X310/X320/X408) to firmware 4.1.4 or later (or 5.2.6/5.5.2 for IRT variants)
HOTFIX: Update SCALANCE XF-series (XF201/XF202/XF204/XF206/XF208) to firmware 5.2.6 or later (or 5.5.2 for IRT variants)
HOTFIX: Update SCALANCE XR324-series to firmware 4.1.4 or later
HOTFIX: Update SCALANCE M-series routers (M804/M812/M816/M826/M874/M876/MUM) to firmware 7.1 or later
HOTFIX: Update SCALANCE SC-series (SC622/SC632/SC636/SC642/SC646) to firmware 2.3 or later
HOTFIX: Update SCALANCE W-series access points (WAM766, WUM766) to firmware 1.2 or later
HOTFIX: Update SCALANCE W-series (W1748/W1788) M12 variants to firmware 3.0.0 or later
HOTFIX: Update RUGGEDCOM RM1224 LTE to firmware 7.1 or later
HOTFIX: Update RUGGEDCOM ROX series (MX5000/RX1400/RX1500/RX1501/RX1510/RX1511/RX1512/RX1524/RX1536/RX5000) to firmware 2.15.0 or later
HOTFIX: Update Industrial Edge PROFINET IO Connector to version 1.1.1 or later
HOTFIX: Update SIMATIC S7-1200 CPU family (including SIPLUS variants) to firmware 4.5.2 or later
Long-term hardening
HARDENING: Isolate or air-gap end-of-life SCALANCE W-series (W721/W722/W734/W738/W748/W761/W774/W778/W786/W788) and Industrial Edge Machine Insight App if they cannot be patched
HARDENING: Implement network segmentation to separate management traffic from production OT networks; consider separating these devices onto a protected DMZ
CVEs (1)