SAD DNS Attack in Linux Based Products
Plan Patch | 7.4 | SSA-324955 | May 11, 2021
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
The SAD DNS vulnerability affects Domain Name System resolvers in Linux-based Siemens products due to a vulnerability in the Linux kernel when handling ICMP packets. This impacts DNS resolution reliability and security in affected products.
What this means
What could happen
An attacker could poison DNS resolution on affected devices, causing them to resolve domain names to incorrect IP addresses. This could redirect network traffic for critical operations like remote management, firmware updates, or inter-device communication to attacker-controlled servers.
Who's at risk
Organizations operating Siemens industrial networking and communication modules should prioritize this patch. Affected equipment includes RUGGEDCOM and SCALANCE industrial switches and routers, SIMATIC communication processors (CP series) used in PLC networks, SIMATIC mobile drives (MV series), and SINEMA remote access infrastructure. Impact is highest for utilities and transportation that rely on these devices for DNP3, OPC UA, or remote management connections.
How it could be exploited
An attacker on the same network segment or with network access to the affected device sends maliciously crafted ICMP packets targeting the Linux kernel's DNS resolver. These packets exploit the SAD DNS vulnerability to cause the resolver to accept spoofed DNS responses, allowing the attacker to redirect connections to arbitrary IP addresses.
Prerequisites
- Network access to the affected device
- Ability to send ICMP packets to the device
- Device must perform DNS lookups (most do for NTP, firmware updates, or remote management)
Remotely exploitable | Low complexity | No authentication required | Affects multiple industrial communication modules and gateways
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (32)
32 with fix
Product | Affected Versions | Fix Status
RUGGEDCOM RM1224 family (6GK6108-4AM00) | ≥ V5.0 and < V6.4 | 6.4
SCALANCE M-800 family | ≥ V5.0 and < V6.4 | 6.4
SCALANCE S615 | ≥ V5.0 and < V6.4 | 6.4
SCALANCE SC-600 family | < V2.1.3 | 2.1.3
SCALANCE W1750D | V8.3.0.1, V8.6.0 and V8.7.0 | 8.7.1.3
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SCALANCE S615
HOTFIX: Update RUGGEDCOM RM1224, SCALANCE M-800, and SCALANCE S615 to firmware version 6.4 or later
SCALANCE SC-600 family
HOTFIX: Update SCALANCE SC-600 family to version 2.1.3 or later
SCALANCE W1750D
HOTFIX: Update SCALANCE W1750D to version 8.7.1.3 or later
SIMATIC CP 1242-7 V2
HOTFIX: Update SIMATIC CP 1242-7 V2 to version 3.3 or later
SIMATIC CP 1243-1
HOTFIX: Update SIMATIC CP 1243-1 to version 3.3.46 or later
SIMATIC CP 1243-7 LTE EU
HOTFIX: Update SIMATIC CP 1243-7 LTE EU to version 3.3 or later
SIMATIC CP 1243-7 LTE US
HOTFIX: Update SIMATIC CP 1243-7 LTE US to version 3.3 or later
SIMATIC CP 1243-8 IRC
HOTFIX: Update SIMATIC CP 1243-8 IRC to version 3.3.46 or later
SIMATIC CP 1542SP-1
HOTFIX: Update SIMATIC CP 1542SP-1 and SIMATIC CP 1542SP-1 IRC to version 2.2.28 or later
SIMATIC CP 1543SP-1
HOTFIX: Update SIMATIC CP 1543SP-1 to version 2.2.28 or later
SIMATIC CP 1545-1
HOTFIX: Update SIMATIC CP 1545-1 to version 1.1 or later
SINEMA Remote Connect Server
HOTFIX: Update SINEMA Remote Connect Server to version 3.0 SP1 or later
SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL
HOTFIX: Update SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL, SIPLUS ET 200SP CP 1543SP-1 ISEC, and SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL to version 2.2.28 or later
SIPLUS NET CP 1242-7 V2
HOTFIX: Update SIPLUS NET CP 1242-7 V2 to version 3.3 or later
SIPLUS S7-1200 CP 1243-1
HOTFIX: Update SIPLUS S7-1200 CP 1243-1 and SIPLUS S7-1200 CP 1243-1 RAIL to version 3.3.46 or later
SIPLUS TIM 1531 IRC
HOTFIX: Update SIPLUS TIM 1531 IRC and TIM 1531 IRC to version 2.2 Update 1 or later
All products
HOTFIX: Update SIMATIC Cloud Connect 7 CC712 and CC716 to version 1.6 or later
HOTFIX: Update SIMATIC CP 1543-1 (including SIPLUS variants) to version 3.0 or later
HOTFIX: Update SIMATIC MV540 H, MV540 S, MV550 H, MV550 S, MV560 U, and MV560 X to version 3.1 or later
Long-term hardening
HARDENING: Implement network segmentation to restrict ICMP traffic to affected devices from untrusted network segments
HARDENING: Monitor DNS resolution on affected devices for anomalous responses or redirects to unexpected IP addresses
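One way to implement the DNS monitoring item above, as an added example that is not part of the advisory or any Siemens tooling: it checks each logged answer against a per-name baseline of expected networks and flags answers that change before the previous TTL has expired. The log format, host names, addresses and the function names are all assumptions constructed for illustration.

```python
import ipaddress

# Constructed baseline (hypothetical): names the devices resolve for NTP,
# firmware updates and remote management, with the networks answers may use.
EXPECTED = {
    "ntp.plant.example": ["10.20.0.0/24"],
    "fw-update.plant.example": ["10.20.5.10/32"],
    "remote.plant.example": ["192.0.2.0/28"],
}

# Constructed resolver log, assumed format: "epoch client qname answer ttl"
SAMPLE_LOG = """\
1620720000 10.1.1.21 ntp.plant.example 10.20.0.5 300
1620720030 10.1.1.22 fw-update.plant.example 10.20.5.10 3600
1620720100 10.1.1.21 ntp.plant.example 10.20.0.5 300
1620720160 10.1.1.22 fw-update.plant.example 203.0.113.66 3600
1620720200 10.1.1.23 remote.plant.example 192.0.2.4 600
1620720230 10.1.1.23 remote.plant.example 192.0.2.9 600
1620720300 10.1.1.24 unknown.plant.example 10.20.9.9 60
"""

def in_baseline(qname, addr):
    """True/False if the name is baselined, None if it is not in EXPECTED."""
    nets = EXPECTED.get(qname)
    if nets is None:
        return None
    return any(addr in ipaddress.ip_network(n) for n in nets)

def find_anomalies(log_text):
    alerts, last = [], {}  # last: (client, qname) -> (address, expiry time)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, answer, ttl = line.split()
        ts, ttl, qname = int(ts), int(ttl), qname.lower().rstrip(".")
        addr = ipaddress.ip_address(answer)
        ok = in_baseline(qname, addr)
        if ok is None:
            alerts.append((ts, client, qname, answer, "unbaselined-name"))
        elif not ok:
            alerts.append((ts, client, qname, answer, "unexpected-address"))
        prev = last.get((client, qname))
        # A cached answer should not change before its TTL runs out; rotating
        # multi-record sets can also trigger this, so treat it as a lead.
        if prev and prev[0] != addr and ts < prev[1]:
            alerts.append((ts, client, qname, answer, "changed-within-ttl"))
        last[(client, qname)] = (addr, ts + ttl)
    return alerts

if __name__ == "__main__":
    print(*find_anomalies(SAMPLE_LOG), sep="\n")
```

An answer that is both outside the baseline and changed inside the TTL, as for fw-update.plant.example in the sample, is the combination most worth escalating.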
CVEs (1)