Type Confusion Vulnerability in OpenSSL X.400 Address Processing in SIMATIC Products
Priority: Act Now | CVSS 7.4 | Siemens advisory SSA-264815 | Aug 8, 2023
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A type confusion vulnerability in OpenSSL's handling of X.400 addresses (CVE-2023-0286) affects SIMATIC products. The flaw sits in OpenSSL's X.509 GeneralName comparison code, which is reached, for example, when CRL distribution points are matched during certificate verification, and it is triggered by specially crafted X.509 certificates or CRLs that carry an X.400 address. Affected products include S7-1200, S7-1500, and S7-1500F CPUs, the Drive Controller families, ET 200SP Open Controllers, the S7-1500 Software Controller, PLCSIM Advanced, and the IPC diagnostic tools. Siemens has released firmware updates for most products; however, several product variants and all versions of IPC DiagBase and IPC DiagMonitor have no fix available.
What this means
What could happen
An attacker with network access can cause a denial of service by crashing PLCs or industrial controllers, disrupting manufacturing, transportation, or power systems. Because the type confusion dereferences attacker-controlled bytes as a pointer, the same flaw can also disclose device memory contents to the attacker.
Who's at risk
Manufacturing and transportation facilities using Siemens SIMATIC automation controllers (S7-1200, S7-1500 series, Drive Controllers, ET 200SP, Software Controller, and PLCSIM Advanced) are affected. This includes both standard and SIPLUS hardened variants. IPC DiagBase and IPC DiagMonitor diagnostic tools are also vulnerable with no patch available.
How it could be exploited
An attacker supplies a specially crafted X.509 certificate chain and CRL to a device that verifies certificates against CRLs; both carry an X.400 address in a GeneralName (typically as a CRL distribution point), and neither needs a valid signature. When OpenSSL compares the two X.400 addresses it treats an ASN1_STRING as an ASN1_TYPE, so the attacker-controlled address bytes are read as a pointer and length. The device reads unintended memory or crashes, halting process control until it is manually recovered.
Prerequisites
- Network access to the PLC or controller (typically Ethernet/Profinet)
- The device must perform X.509 certificate verification with CRL checking on attacker-supplied input; in most cases the attacker has to control both the certificate chain and the CRL (neither needs a valid signature). If only one of them is attacker-controlled, the other must already contain an X.400 address as a CRL distribution point, which is uncommon
- No valid credentials required
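To check whether that uncommon precondition already exists in your own PKI material (an X.400 address in a subjectAltName or a CRL distribution point), here is an added example scanner in Python; it is not Siemens or OpenSSL code. It walks the raw DER of an extension value with a minimal TLV parser and reports every constructed context tag [3], which inside GeneralNames is x400Address. The sample extension values, the hostnames and the stub ORAddress content are constructed for this example.

```python
"""Scan X.509 extension values for X.400 GeneralNames (context tag [3]).

Added example for this advisory; not Siemens or OpenSSL code. A minimal DER
walker runs over the raw extnValue bytes of a subjectAltName or
cRLDistributionPoints extension, so this works offline on the constructed
samples below or on bytes dumped from a real CRL with any ASN.1 tool.
"""

X400_GENERAL_NAME = 0xA3  # context-specific, constructed, [3] = GeneralName.x400Address


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos -> (tag byte, is_constructed, value, next_pos)."""
    tag = buf[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in X.509 structures")
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:                      # long form: 0x8N followed by N length bytes
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, bool(tag & 0x20), buf[pos:end], end


def _children(buf: bytes):
    """Split a constructed value into its immediate (tag, is_constructed, value) parts."""
    pos, parts = 0, []
    while pos < len(buf):
        tag, constructed, value, pos = _read_tlv(buf, pos)
        parts.append((tag, constructed, value))
    return parts


def find_x400_names(ext_value: bytes, path: str = "") -> list:
    """Return the DER path of every constructed [3] element nested in ext_value.

    Within GeneralNames, and within the DistributionPoint wrappers around them,
    a constructed [3] is x400Address. The only other place a [3] could appear is
    inside otherName's open type, so treat each hit as a candidate to inspect.
    ORAddress internals are not parsed; a hit is reported, not descended into.
    """
    hits = []
    for idx, (tag, constructed, value) in enumerate(_children(ext_value)):
        here = f"{path}/{idx}:{tag:02X}"
        if tag == X400_GENERAL_NAME:
            hits.append(here)
        elif constructed:
            hits.extend(find_x400_names(value, here))
    return hits


def _tlv(tag: int, content: bytes) -> bytes:
    """Tiny DER encoder (content < 65536 bytes) used only to build the samples."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + content


# Constructed samples; not taken from any real certificate or CRL.
_OR_ADDRESS_STUB = _tlv(0x30, _tlv(0x13, b"C=DE"))   # placeholder ORAddress content

# subjectAltName value: GeneralNames { [2] dNSName, [3] x400Address }
SAN_WITH_X400 = _tlv(0x30, _tlv(0x82, b"plc.example") + _tlv(0xA3, _OR_ADDRESS_STUB))

# cRLDistributionPoints value with a URI-only distribution point (the common case):
# SEQUENCE { DistributionPoint { [0] distributionPoint { [0] fullName { [6] URI } } } }
CRLDP_URI_ONLY = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0xA0,
                      _tlv(0x86, b"http://crl.example/plc.crl")))))

# cRLDistributionPoints value whose fullName carries an X.400 address instead
CRLDP_WITH_X400 = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0xA0,
                       _tlv(0xA3, _OR_ADDRESS_STUB)))))


if __name__ == "__main__":
    for label, der in (("SAN", SAN_WITH_X400), ("CRLDP/URI", CRLDP_URI_ONLY),
                       ("CRLDP/X.400", CRLDP_WITH_X400)):
        print(f"{label:12s}", find_x400_names(der) or "no X.400 GeneralName")
```

Feed it the extnValue octets of the SAN, issuerAltName, cRLDistributionPoints or issuingDistributionPoint extensions from the certificates and CRLs your devices actually process. An empty result for all of them means an attacker has to bring both the certificate chain and the CRL, which is the "most cases" scenario described above.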
- Remotely exploitable over Ethernet/Profinet
- No authentication required
- High attack complexity (CVSS AC:H: the attacker must get a crafted certificate chain and CRL processed by the device)
- EPSS score 88.5% (very likely to be exploited)
- No fix available for multiple product variants
- Affects safety-critical systems in manufacturing and transportation
Exploitability
High exploit probability (EPSS 88.5%)
Affected products (122)
101 with fix, 21 pending
Product | Affected Versions | Fix Status
SIMATIC Drive Controller CPU 1504D TF | < V2.9.7 | 2.9.7
SIMATIC Drive Controller CPU 1504D TF | ≥ V3.0.1, < V3.0.3 | 3.0.3
SIMATIC Drive Controller CPU 1507D TF | < V2.9.7 | 2.9.7
SIMATIC Drive Controller CPU 1507D TF | ≥ V3.0.1, < V3.0.3 | 3.0.3
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) | < V21.9.7 | 21.9.7
Remediation & Mitigation
Do now
WORKAROUND: Restrict inbound network access to SIMATIC controllers to only the required services and trusted sources, and do not let affected devices fetch or accept certificates or CRLs from untrusted sources. The flaw is reached through X.509 certificates and CRLs that OpenSSL parses; X.400 address handling is part of GeneralName processing, not a separately configurable feature that can be switched off.
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
SIMATIC Drive Controller CPU 1504D TF
HOTFIX: Update SIMATIC Drive Controller CPU 1504D TF and 1507D TF to firmware version 2.9.7 or later (if using version < 2.9.7)
HOTFIX: Update SIMATIC Drive Controller CPU 1504D TF and 1507D TF to firmware version 3.0.3 or later (if using version >= 3.0.1 and < 3.0.3)
SIMATIC S7-1500 Software Controller V2
HOTFIX: Update SIMATIC S7-1500 Software Controller V2 to version 21.9.7 or later
SIMATIC S7-1500 Software Controller V3
HOTFIX: Update SIMATIC S7-1500 Software Controller V3 to version 30.1.0 or later
SIMATIC S7-PLCSIM Advanced
HOTFIX: Update SIMATIC S7-PLCSIM Advanced to version 6.0 or later
All products
HOTFIX: Update SIMATIC S7-1200 CPU family to firmware version 4.7 or later
HOTFIX: Update SIMATIC S7-1500 CPU family controllers to firmware version 2.9.7 or later where available
HOTFIX: Update SIMATIC S7-1500 CPU family controllers to firmware version 3.0.3 or later where available
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 to firmware version 21.9.7 or later (if < V21.9.7)
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 to firmware version 30.1.0 or later (if >= V30.0.0 and < V30.1.0)
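The affected-versions table and the hotfix list above both describe the same branch-specific ranges, and the usual mistake when triaging an inventory against them is comparing firmware strings lexically (so "V2.9.10" sorts before "V2.9.7"). The following Python is an added example, not a Siemens tool: it encodes the ranges this page states for the Drive Controllers, the ET 200SP Open Controller, the Software Controller V2/V3, PLCSIM Advanced, the S7-1200 family and the two IPC diagnostic tools, and classifies a constructed inventory into patch / no-fix / not-affected buckets. The S7-1500 CPU family entries are omitted because the page only says "where available" without per-variant ranges; the product and asset names in the inventory are assumptions.

```python
"""Triage a SIMATIC firmware inventory against the version ranges in SSA-264815.

Added example; not a Siemens tool. The ranges are copied from this advisory's
affected-products table and hotfix list, and the inventory is constructed for
the demonstration. Versions are compared as integer tuples, so "V2.9.10" sorts
after "V2.9.7"; a plain string comparison would flag it wrongly.
"""


def parse_version(text: str) -> tuple:
    """'V21.9.7', '2.9.7' or 'V6' -> (21, 9, 7) / (2, 9, 7) / (6, 0, 0)."""
    nums = tuple(int(p) for p in text.strip().lstrip("Vv").split("."))
    return nums + (0,) * (3 - len(nums))


def _norm(name: str) -> str:
    """Collapse whitespace and case so inventory spellings match the table."""
    return " ".join(name.split()).lower()


# (product, lower bound inclusive or None, upper bound exclusive or None, fix or None)
# One entry per affected version branch as listed on this page. IPC DiagBase and
# IPC DiagMonitor are affected in all versions with no fix available.
AFFECTED_RANGES = [
    ("SIMATIC Drive Controller CPU 1504D TF", None, "2.9.7", "2.9.7"),
    ("SIMATIC Drive Controller CPU 1504D TF", "3.0.1", "3.0.3", "3.0.3"),
    ("SIMATIC Drive Controller CPU 1507D TF", None, "2.9.7", "2.9.7"),
    ("SIMATIC Drive Controller CPU 1507D TF", "3.0.1", "3.0.3", "3.0.3"),
    ("SIMATIC ET 200SP Open Controller CPU 1515SP PC2", None, "21.9.7", "21.9.7"),
    ("SIMATIC ET 200SP Open Controller CPU 1515SP PC2", "30.0.0", "30.1.0", "30.1.0"),
    ("SIMATIC S7-1500 Software Controller V2", None, "21.9.7", "21.9.7"),
    ("SIMATIC S7-1500 Software Controller V3", None, "30.1.0", "30.1.0"),
    ("SIMATIC S7-PLCSIM Advanced", None, "6.0", "6.0"),
    ("SIMATIC S7-1200 CPU family", None, "4.7", "4.7"),
    ("SIMATIC IPC DiagBase", None, None, None),
    ("SIMATIC IPC DiagMonitor", None, None, None),
]


def triage(product: str, version: str) -> dict:
    """Return {'affected': bool, 'fix': str | None} for one inventory item.

    Only versions inside a range listed on this page are flagged; a version that
    falls between listed branches (e.g. Drive Controller 3.0.0) is reported as
    not affected here and should be checked against the full Siemens advisory.
    """
    v = parse_version(version)
    for name, low, high, fix in AFFECTED_RANGES:
        if _norm(name) != _norm(product):
            continue
        if low is not None and v < parse_version(low):
            continue
        if high is not None and v >= parse_version(high):
            continue
        return {"affected": True, "fix": fix}
    return {"affected": False, "fix": None}


def triage_inventory(inventory) -> dict:
    """Group (asset, product, firmware) rows into patch / no_fix / not_affected."""
    report = {"patch": [], "no_fix": [], "not_affected": []}
    for asset, product, firmware in inventory:
        result = triage(product, firmware)
        if not result["affected"]:
            report["not_affected"].append(asset)
        elif result["fix"] is None:
            report["no_fix"].append(asset)
        else:
            report["patch"].append((asset, firmware, result["fix"]))
    return report


# Constructed sample inventory (asset tag, product, running firmware); assumed names.
INVENTORY = [
    ("drv-01", "SIMATIC Drive Controller CPU 1504D TF", "V2.9.6"),
    ("drv-02", "SIMATIC Drive Controller CPU 1504D TF", "V2.9.10"),
    ("drv-03", "SIMATIC Drive Controller CPU 1507D TF", "V3.0.2"),
    ("oc-01", "SIMATIC ET 200SP Open Controller CPU 1515SP PC2", "V30.0.1"),
    ("sim-01", "SIMATIC S7-PLCSIM Advanced", "V6.0"),
    ("ipc-01", "SIMATIC IPC DiagMonitor", "V5.1"),
]

if __name__ == "__main__":
    for bucket, items in triage_inventory(INVENTORY).items():
        print(f"{bucket:13s} {items}")
```

Assets in the "no_fix" bucket are the ones the hardening step below applies to; everything in "patch" goes into the maintenance-window schedule with its target firmware.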
Long-term hardening
HARDENING: For affected products with no fix available (IPC DiagBase, IPC DiagMonitor, and the specific CPU variants marked 'All versions'), implement network segmentation to restrict access to these devices; only allow connections from trusted engineering workstations and control systems.
CVEs (1): CVE-2023-0286
API:
/api/v1/advisories/b5235931-14cc-4f4e-bf44-b680a794d6d6