OTPulse

Vulnerability known as TCP SACK PANIC in Industrial Products

Priority: Act Now · Score: 7.5 · Advisory ID: SSA-462066 · Date: Sep 10, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple Siemens industrial products are vulnerable to TCP SACK PANIC, a kernel-level denial of service condition caused by improper handling of TCP packets with the SACK (Selective Acknowledgment) option. A remote attacker can trigger a memory or CPU exhaustion condition by sending specially crafted TCP SACK packets, causing the affected device to become unresponsive or crash. The vulnerability affects a wide range of communication processors, industrial routers, switches, gateways, and CPU modules across the SIMATIC and SCALANCE product families. Some products have been patched; however, 23 product variants including TIM series gateways, SCALANCE M875, SCALANCE WLC series, SCALANCE S602/612/623/627-2M, RUGGEDCOM APE1404, CP 343-1 Advanced, CP 443-1 OPC UA, CP 1623, SIMATIC Teleservice Adapters, and related variants have no patch available and will not receive fixes.

What this means
What could happen
An attacker can send specially crafted TCP packets to a vulnerable device, causing it to crash or stop responding. This could disrupt operation of networked industrial equipment like motors, drives, routers, and control systems until the device is restarted.
Who's at risk
Siemens industrial networking and communication devices widely used in manufacturing and transportation are exposed. The primary impact is on SIMATIC communication processors (CP series), SCALANCE routers and switches, RUGGEDCOM hardened networking equipment, TIM gateways, SIMATIC drives and motors (MV series), RF readers, and S7-1500 CPUs with built-in Ethernet. Manufacturing plants that rely on these devices for remote connectivity, process monitoring, and machine control are at risk.
How it could be exploited
An attacker on the network (or with a network path to the device) sends malformed TCP SACK packets to the device. The vulnerable kernel processes these packets incorrectly, consuming memory or CPU until the system becomes unresponsive or crashes. No authentication or special configuration is required.
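As an added illustration of the TCP option the advisory names (example code, not from OTPulse or Siemens): a defender-side decoder that validates TCP option lengths and SACK block structure per RFC 2018 and reports empty or reversed blocks, the kind of sanity check a robust TCP stack or IDS parser applies before acting on SACK data. The sample option bytes are constructed, not captured from any device.

```python
import struct

TCP_OPT_END, TCP_OPT_NOP, TCP_OPT_SACK = 0, 1, 5
MOD = 1 << 32

def parse_tcp_options(opts):
    """Decode a TCP options field into (kind, payload) pairs; raise on bad lengths."""
    out, i = [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == TCP_OPT_END:
            break
        if kind == TCP_OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            raise ValueError("option kind %d is missing its length byte" % kind)
        length = opts[i + 1]
        if length < 2 or i + length > len(opts):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        out.append((kind, opts[i + 2:i + length]))
        i += length
    return out

def sack_blocks(payload):
    """Split a SACK payload into (left, right) edges; RFC 2018 allows 1 to 4 blocks."""
    if len(payload) % 8 or not 1 <= len(payload) // 8 <= 4:
        raise ValueError("SACK option payload of %d bytes is malformed" % len(payload))
    return [struct.unpack("!II", payload[k:k + 8]) for k in range(0, len(payload), 8)]

def check_sack(opts):
    """Return a list of findings for any SACK option in a segment (empty = well-formed)."""
    try:
        findings = []
        for kind, payload in parse_tcp_options(opts):
            if kind != TCP_OPT_SACK:
                continue
            for left, right in sack_blocks(payload):
                # right edge must follow left edge in modular 32-bit sequence space
                if (right - left) % MOD == 0 or (right - left) % MOD >= MOD // 2:
                    findings.append("empty or reversed block %d-%d" % (left, right))
        return findings
    except ValueError as err:
        return [str(err)]

# Constructed sample option fields (NOP, NOP, SACK ...), not captured from any device.
SAMPLE_GOOD = b"\x01\x01\x05\x0a" + struct.pack("!II", 1001, 2001)
SAMPLE_REVERSED = b"\x01\x01\x05\x0a" + struct.pack("!II", 2001, 1001)
SAMPLE_BAD_LEN = b"\x05\x09" + bytes(7)  # length 9 is not 2 + 8n
```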
Prerequisites
  • Network access to the affected device on any TCP port
  • Device must be connected to a network (wired or wireless)
Risk factors: Remotely exploitable over the network · No authentication required · Low attack complexity · High exploit probability (EPSS 74.6%) · No patch available for 23 product variants · Affects safety-critical networking infrastructure · Widespread deployment in OT environments
Exploitability
High exploit probability (EPSS 74.6%)
Affected products (109)
89 with fix · 20 pending
Product | Affected Versions | Fix Status
TIM 1531 IRC | < V2.12.1 |
TIM 3V-IE (incl. SIPLUS NET variants) | All versions | No fix yet
TIM 3V-IE Advanced (incl. SIPLUS NET variants) | All versions | No fix yet
TIM 3V-IE DNP3 (incl. SIPLUS NET variants) | All versions | No fix yet
TIM 4R-IE (incl. SIPLUS NET variants) | All versions | No fix yet
Remediation & Mitigation
Do now
  • [SCALANCE M875] HARDENING: Segment vulnerable products with no patches available (TIM 3V/4R series, RUGGEDCOM APE1404, CP 343-1, CP 443-1 OPC UA, SCALANCE M875/WLC series, Teleservice Adapters) to isolated network zones with strict access controls
  • [All products] WORKAROUND: Restrict network access to affected devices via firewall rules to limit exposure of vulnerable ports to trusted networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update SIMATIC CP and related products to the specified fixed versions (3.2, 3.3, 2.1, 2.2, 1.5.18, 3.1.1.0 as applicable)
  • HOTFIX: Update SCALANCE M and S series network equipment to version 6.2 or later
  • HOTFIX: Update SCALANCE SC and W series products to their fixed versions (2.0.1, 2.0, 6.4, 8.6.0 as applicable)
  • HOTFIX: Update SIMATIC S7-1500, SINUMERIK, SINEMA Remote Connect, and RF reader products to their fixed versions