OTPulse

Denial of Service in OPC-UA in Industrial Products

Priority: Monitor
Score: 6.5
Advisory: SSA-285795
Published: May 10, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

A vulnerability in the OPC UA ANSIC Stack (Legacy C-Stack) third-party component affects Siemens industrial products used in manufacturing. The vulnerability is a null pointer dereference (CWE-476) that causes the OPC-UA component to crash when processing malformed messages. Affected products include SIMATIC HMI panels, KTP mobile panels, SIMATIC NET PC Software (versions 14–17), SITOP Manager, and TeleControl Server Basic. Siemens has released updates for some products; however, SIMATIC HMI Comfort Panels, Comfort Outdoor Panels, and KTP Mobile Panels running versions below V17 Update 5 have no vendor fix available and must be updated through a complete WinCC (TIA Portal) project upgrade.

What this means
What could happen
An attacker could crash OPC-UA components in Siemens industrial automation equipment, causing temporary loss of communication between engineering workstations, HMI panels, and process control systems. This would interrupt monitoring and remote operations until the service restarts.
Who's at risk
Manufacturing facilities using Siemens automation equipment should be concerned. This affects HMI panels (touchscreen interfaces used by operators), engineering workstations running TeleControl Server or SIMATIC NET PC Software (used to configure and monitor PLCs and remote devices), and power supply management systems (SITOP Manager). Any site using OPC-UA for SCADA communication or remote operations is at risk.
How it could be exploited
An attacker with network access to the OPC-UA port (typically port 4840) sends a malformed OPC-UA message. The vulnerable Legacy C-Stack component fails to validate the input, crashes, and stops responding. No valid credentials are required. The attacker does not need user interaction if they can send traffic directly to the OPC-UA service.
Prerequisites
  • Network access to OPC-UA port (default port 4840)
  • OPC-UA service must be enabled and exposed to the network
  • No authentication required
Tags: remotely exploitable, no authentication required, low complexity, affects industrial automation communication, no patch available for some products
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (9)
5 with fix, 4 EOL

Product | Affected Versions | Fix Status
SIMATIC NET PC Software V14 | All versions < V14 SP1 Update 14 | V14 SP1 Update 14
SIMATIC NET PC Software V16 | All versions < V16 Update 6 | V16 Update 6
SIMATIC NET PC Software V17 | All versions < V17 SP1 | V17 SP1
SIMATIC HMI Comfort Panels (incl. SIPLUS variants) | All versions < V17 Update 5 | No fix (EOL)
SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F | All versions < V17 Update 5 | No fix (EOL)
SIMATIC NET PC Software V15 | All versions | No fix (EOL)
SITOP Manager | < V1.2.4 | V1.2.4
TeleControl Server Basic V3 | < V3.1.1 | V3.1.1
Remediation & Mitigation

Do now
WORKAROUND: Restrict network access to OPC-UA ports (default 4840) using firewall rules. Allow only engineering workstations and trusted systems that require OPC-UA communication.

Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC NET PC Software V14
HOTFIX: Update SIMATIC NET PC Software V14 to SP1 Update 14 or later
SIMATIC NET PC Software V16
HOTFIX: Update SIMATIC NET PC Software V16 to Update 6 or later
SIMATIC NET PC Software V17
HOTFIX: Update SIMATIC NET PC Software V17 to SP1 or later
SITOP Manager
HOTFIX: Update SITOP Manager to version 1.2.4 or later
All products
HOTFIX: Update SIMATIC HMI Comfort Panels to V17 Update 5 or newer using WinCC (TIA Portal)
HOTFIX: Update SIMATIC HMI Comfort Outdoor Panels to V17 Update 5 or newer using WinCC (TIA Portal)
HOTFIX: Update SIMATIC HMI KTP Mobile Panels to V17 Update 5 or newer using WinCC (TIA Portal)
HOTFIX: Update TeleControl Server Basic to version 3.1.1 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC HMI Comfort Panels (incl. SIPLUS variants), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F, SIMATIC NET PC Software V15, SIMATIC HMI Comfort Outdoor Panels (incl. SIPLUS variants). Apply the following compensating controls:
HARDENING: Segment OPC-UA services onto a separate network or VLAN from untrusted networks. Implement network access controls between engineering workstations and plant floor systems.
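Both the "Do now" workaround and the hardening control above come down to the same thing: only a short allowlist of engineering workstations and trusted systems may reach TCP/4840 on the HMI panels and servers. The check below is an added example (not part of the OTPulse advisory or any Siemens tooling) that verifies this in practice by running an allowlist over firewall connection logs: an accepted connection to 4840 from an address outside the allowlist means the restriction is not actually in place, and a dropped one shows the rule is working but that something untrusted is probing the OPC UA port. The log format, the trusted address ranges and the sample lines are all constructed for the example.

```python
import ipaddress
import re
from typing import Dict, List, Optional

# Default OPC UA port named in the advisory.
OPC_UA_PORT = 4840

# Systems that legitimately need OPC UA access to the panels / TeleControl servers.
# These ranges are assumed placeholders, not values from the advisory.
TRUSTED_OPC_UA_CLIENTS = [
    ipaddress.ip_network("10.10.5.0/28"),     # engineering workstation VLAN (assumed)
    ipaddress.ip_network("10.10.20.7/32"),    # SCADA historian (assumed)
]

# Constructed firewall log, one connection attempt per line (not real traffic).
SAMPLE_LOG = """\
2022-05-11T08:01:12Z ACCEPT proto=TCP src=10.10.5.3:51022 dst=10.10.50.21:4840
2022-05-11T08:01:40Z ACCEPT proto=TCP src=10.10.20.7:40311 dst=10.10.50.22:4840
2022-05-11T08:02:05Z ACCEPT proto=TCP src=192.168.77.15:60001 dst=10.10.50.21:4840
2022-05-11T08:02:09Z ACCEPT proto=TCP src=10.10.5.9:51030 dst=10.10.50.21:102
2022-05-11T08:03:33Z DROP   proto=TCP src=172.16.9.4:44210 dst=10.10.50.23:4840
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def is_trusted(src: str) -> bool:
    """True if the source address falls inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_OPC_UA_CLIENTS)


def parse_line(line: str) -> Optional[Dict]:
    """Parse one log line into a dict; return None for lines in another format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_untrusted_opc_ua(log_text: str) -> List[Dict]:
    """Flag every connection to TCP/4840 whose source is not on the allowlist.

    ACCEPT from an untrusted source  -> 'high': the firewall workaround is not enforced.
    DROP from an untrusted source    -> 'info': rule holds, but the port is being probed.
    Traffic to other ports, or from trusted sources, is ignored.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] != "TCP" or rec["dport"] != OPC_UA_PORT:
            continue
        if is_trusted(rec["src"]):
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "dst": rec["dst"],
            "action": rec["action"],
            "severity": "high" if rec["action"] == "ACCEPT" else "info",
        })
    return findings


if __name__ == "__main__":
    for f in find_untrusted_opc_ua(SAMPLE_LOG):
        print(f"{f['severity']:5} {f['ts']} {f['action']} {f['src']} -> {f['dst']}:{OPC_UA_PORT}")
```

Run against the sample, the two allowlisted workstations and the S7 connection on port 102 are ignored, the accepted session from 192.168.77.15 is reported as high (the workaround is not in force on that path), and the dropped attempt from 172.16.9.4 is reported as info. Feeding real firewall exports through the same check after the VLAN segmentation is a quick way to confirm that nothing outside the engineering network can still reach the affected OPC UA services.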
API: /api/v1/advisories/14536b8b-61b6-4499-83c3-7de69c024aeb