OTPulse

Multiple NULL Pointer Dereference Vulnerabilities in Industrial Products

Monitor · 5.9 · SSA-423808 · Sep 10, 2024
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Multiple NULL pointer dereference vulnerabilities in SIMATIC communication processors (CP 1242-7, CP 1243 series, CP 1243-8 IRC, TIM 1531 IRC), HMI Comfort Panels, WinCC Runtime Advanced, and IPC diagnostic software allow network-based denial of service attacks. An attacker sending a specially crafted request to the webserver can cause it to crash, making the device unresponsive to web-based monitoring and engineering access. CWE-476: NULL Pointer Dereference.

What this means
What could happen
An attacker can crash the webserver on affected Siemens industrial network devices, causing them to stop responding and disrupting remote monitoring and control of your process.
Who's at risk
Manufacturing facilities using Siemens automation equipment should care about this. Specifically: operators and engineers relying on SIMATIC CP communication processors for remote access, monitoring stations using HMI Comfort Panels, and facilities running WinCC SCADA software. The vulnerability affects the webserver component used for remote engineering access and diagnostics on these devices.
How it could be exploited
An attacker sends a specially crafted network request to the webserver port on the communication processor (CP) or HMI device. The webserver does not properly validate the request, causing a NULL pointer dereference that crashes the webserver process. The device stops responding to web-based monitoring and engineering connections.
Prerequisites
  • Network access to the webserver port (typically 80/443) on the affected device
  • Device must be reachable from the attacker's network location
  • No credentials required
Tags: remotely exploitable · no authentication required · low complexity · affects remote access and monitoring capabilities
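As an added illustration of the CWE-476 pattern the advisory describes (example code written for this page, not Siemens firmware or any real webserver): a hypothetical header lookup whose NULL result is dereferenced in the unchecked handler, beside a hardened handler that answers a malformed request with 400 instead of crashing. The request strings and hostnames are constructed samples.

```c
#include <string.h>

/* Return a pointer to the value of header `name` ("Name: value\r\n") or NULL. */
static const char *find_header(const char *req, const char *name)
{
    size_t nlen = strlen(name);
    const char *line = strstr(req, "\r\n");          /* skip the request line */
    while (line != NULL) {
        line += 2;
        if (*line == '\0' || strncmp(line, "\r\n", 2) == 0)
            return NULL;                              /* end of header block */
        if (strncmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            while (*v == ' ') v++;
            return v;
        }
        line = strstr(line, "\r\n");
    }
    return NULL;
}

/* Vulnerable pattern (CWE-476): the lookup result is used unchecked, so one
 * request without a Host header dereferences NULL and kills the webserver. */
int host_len_unchecked(const char *req)
{
    const char *host = find_header(req, "Host");
    return (int)strcspn(host, "\r\n");                /* crashes when host == NULL */
}

/* Hardened handler: returns the HTTP status the server would send; a missing,
 * empty or oversized Host header yields 400 instead of a crash. */
int handle_request(const char *req)
{
    char host[64];
    const char *val = find_header(req, "Host");
    if (val == NULL)
        return 400;                                   /* absent: client error */
    size_t len = strcspn(val, "\r\n");
    if (len == 0 || len >= sizeof host)
        return 400;                                   /* empty or oversized value */
    memcpy(host, val, len);
    host[len] = '\0';                                 /* host[] is now safe to use */
    return 200;
}

/* Constructed sample requests; the second one omits the Host header entirely. */
const char *SAMPLE_OK      = "GET /diag HTTP/1.1\r\nHost: cp1243.plant.local\r\n\r\n";
const char *SAMPLE_NO_HOST = "GET /diag HTTP/1.1\r\nUser-Agent: probe\r\n\r\n";
```

Feeding SAMPLE_NO_HOST to host_len_unchecked reproduces the crash class in a test harness; handle_request returns 400 for it and 200 for SAMPLE_OK.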
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (12)
8 with fix · 4 EOL

Product                                      | Affected Versions | Fix Status
SIMATIC CP 1242-7 V2 (incl. SIPLUS variants) | < V3.5.20         | 3.5.20
SIMATIC CP 1243-1 (incl. SIPLUS variants)    | < V3.5.20         | 3.5.20
SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants) | < V3.5.20       | 3.5.20
SIMATIC CP 1243-1 IEC (incl. SIPLUS variants) | < V3.5.20        | 3.5.20
SIMATIC CP 1243-7 LTE                        | < V3.5.20         | 3.5.20
SIMATIC CP 1243-8 IRC                        | < V3.5.20         | 3.5.20
SIPLUS TIM 1531 IRC                          | < V2.4.8          | 2.4.8
TIM 1531 IRC                                 | < V2.4.8          | 2.4.8
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to webserver ports on SIMATIC HMI Comfort Panels, IPC DiagBase, IPC DiagMonitor, and WinCC Runtime Advanced using firewall rules or network segmentation
WORKAROUND: Disable web interface access on affected HMI and IPC devices if not required for operations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC CP 1243-7 LTE
HOTFIX: Update SIMATIC CP 1243-7 LTE to firmware version 3.5.20 or later
SIMATIC CP 1243-8 IRC
HOTFIX: Update SIMATIC CP 1243-8 IRC to firmware version 3.5.20 or later
SIPLUS TIM 1531 IRC
HOTFIX: Update SIMATIC TIM 1531 IRC or SIPLUS TIM 1531 IRC to firmware version 2.4.8 or later
All products
HOTFIX: Update SIMATIC CP 1242-7 V2 to firmware version 3.5.20 or later
HOTFIX: Update SIMATIC CP 1243-1 (all variants) to firmware version 3.5.20 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC HMI Comfort Panels (incl. SIPLUS variants), SIMATIC IPC DiagBase, SIMATIC IPC DiagMonitor, SIMATIC WinCC Runtime Advanced. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate affected devices from untrusted networks and limit access to authorized engineering and monitoring stations only
API: /api/v1/advisories/90c507fb-d2f2-4ffe-9466-0ed0ad38b3e3