TCP Sequence Number Validation Vulnerability in the TCP/IP Stack of CP343-1 Devices
Status: Monitor
Score: 7.5
Advisory ID: SSA-516818
Date: Feb 13, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The TCP/IP stack in Siemens SIMATIC CP 343-1 and SIPLUS NET CP 343-1 devices (standard and Lean versions) does not correctly validate TCP sequence numbers. An unauthenticated remote attacker can inject spoofed TCP RST (reset) packets to force the device to terminate active TCP connections, causing a denial of service. Siemens has not released a firmware patch and does not plan to patch these products. The vendor recommends protecting network access with firewalls and following industrial security guidelines.
What this means
What could happen
An attacker could send forged network packets to disrupt communication with your CP 343-1 module, causing loss of connection to remote I/O devices and interrupting plant operations.
Who's at risk
Water and electric utilities operating Siemens SIMATIC CP 343-1 modules as remote I/O interfaces. These modules connect industrial PLCs to field devices and remote facilities; disruption could impact water distribution, electrical switching, and SCADA communications at any facility using this hardware.
How it could be exploited
An attacker on the network sends spoofed TCP RST (reset) packets with forged sequence numbers to the CP 343-1. Because the device does not properly validate sequence numbers, it accepts the forged reset and closes the TCP connection, severing communication to whatever equipment the module controls.
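To make concrete what "properly validate sequence numbers" means on the receiving side, the following Python is an added example, not code from the advisory or from Siemens. It models three RST-handling policies a TCP stack might implement: an unchecked stack that honours every RST, the classic in-window check, and the RFC 5961 rule that resets only on an exact SEG.SEQ == RCV.NXT match and answers near misses with a challenge ACK. The Connection class, the handler names and the sample values are constructed for illustration; the advisory does not state which of the weaker behaviours the CP 343-1 exhibits.

```python
from dataclasses import dataclass

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


def seq_in_window(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """True if seg_seq falls in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    return (seg_seq - rcv_nxt) % MOD < rcv_wnd


@dataclass
class Connection:
    """Minimal receiver-side state (constructed for this example)."""
    rcv_nxt: int             # next sequence number the receiver expects
    rcv_wnd: int             # advertised receive window in bytes
    state: str = "ESTABLISHED"
    challenge_acks: int = 0  # challenge ACKs sent (RFC 5961 policy only)


def handle_rst_unchecked(conn: Connection, seg_seq: int) -> str:
    """No validation at all: every RST tears the connection down."""
    conn.state = "CLOSED"
    return "reset"


def handle_rst_window_only(conn: Connection, seg_seq: int) -> str:
    """Classic in-window check (RFC 793 style): any RST whose sequence number
    lies inside the receive window is honoured, so a window of W bytes leaves
    W acceptable values out of 2^32 for each forged segment."""
    if seq_in_window(seg_seq, conn.rcv_nxt, conn.rcv_wnd):
        conn.state = "CLOSED"
        return "reset"
    return "drop"


def handle_rst_rfc5961(conn: Connection, seg_seq: int) -> str:
    """RFC 5961 section 3.2: only SEG.SEQ == RCV.NXT resets the connection.
    An in-window but inexact value gets a challenge ACK, which lets a genuine
    peer resend with the exact number while an off-path forger must guess the
    full 32-bit value."""
    if seg_seq == conn.rcv_nxt:
        conn.state = "CLOSED"
        return "reset"
    if seq_in_window(seg_seq, conn.rcv_nxt, conn.rcv_wnd):
        conn.challenge_acks += 1
        return "challenge_ack"
    return "drop"


def accepting_values(policy: str, rcv_wnd: int) -> int:
    """How many of the 2^32 sequence values reset the connection under a policy."""
    return {"unchecked": MOD, "window_only": rcv_wnd, "rfc5961": 1}[policy]


if __name__ == "__main__":
    for name, handler in [("unchecked", handle_rst_unchecked),
                          ("window_only", handle_rst_window_only),
                          ("rfc5961", handle_rst_rfc5961)]:
        conn = Connection(rcv_nxt=1000, rcv_wnd=65535)
        # A forged RST that lands inside the window but misses RCV.NXT by 500
        verdict = handler(conn, 1500)
        print(f"{name:12} seq=1500 -> {verdict:13} state={conn.state:11} "
              f"accepting values={accepting_values(name, conn.rcv_wnd)}")
```

The `accepting_values` figure is the quantity that matters for risk: it is the share of the sequence space a blind forger can hit, and it is what the RFC 5961 policy collapses to a single value. A device that cannot be patched to this behaviour has to get the equivalent protection from the network, which is why the mitigations below are all about restricting who can reach the module at all.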
Prerequisites
- Network access to the CP 343-1 device on the same network or routable network segment
- No credentials required
- Ability to send raw TCP packets or access to a tool that can craft spoofed packets
Tags: remotely exploitable; no authentication required; low complexity; no patch available; affects network communication for critical plant operations
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (4, all EOL)
Product | Affected Versions | Fix Status
SIMATIC CP 343-1 | All versions | No fix (EOL)
SIPLUS NET CP 343-1 | All versions | No fix (EOL)
SIMATIC CP 343-1 Lean | All versions | No fix (EOL)
SIPLUS NET CP 343-1 Lean | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation using industrial firewalls to restrict access to the CP 343-1 module to only the devices and workstations that need to reach it
WORKAROUND: Disable or restrict access to network ports used by the CP 343-1 if not actively in use
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC CP 343-1, SIPLUS NET CP 343-1, SIMATIC CP 343-1 Lean, SIPLUS NET CP 343-1 Lean. Apply the following compensating controls:
HARDENING: Deploy network monitoring to detect anomalous TCP traffic patterns or repeated connection resets
HARDENING: Review Siemens operational guidelines for Industrial Security and apply recommended network protection practices
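The "repeated connection resets" that the monitoring control asks for can be caught with simple flow-level logic. The following Python is an added example and not part of the advisory or of any Siemens tooling: it parses constructed flow records (the record format is invented, the addresses come from the 192.0.2.0/24 documentation range, and the sample is made up for this example) and raises one alert when a monitored host receives a threshold number of RST segments within a short window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed flow records for this example (not real traffic). Format:
# <ISO timestamp> <src>:<sport> -> <dst>:<dport> flags=<TCP flags>
SAMPLE_LOG = """\
2024-02-13T10:00:00 192.0.2.10:50123 -> 192.0.2.5:102 flags=PA
2024-02-13T10:00:01 192.0.2.5:102 -> 192.0.2.10:50123 flags=PA
2024-02-13T10:00:05 192.0.2.77:4444 -> 192.0.2.5:102 flags=R
2024-02-13T10:00:06 192.0.2.77:4445 -> 192.0.2.5:102 flags=R
2024-02-13T10:00:06 192.0.2.77:4446 -> 192.0.2.5:102 flags=R
2024-02-13T10:00:07 192.0.2.10:50124 -> 192.0.2.5:102 flags=S
2024-02-13T10:00:08 192.0.2.77:4447 -> 192.0.2.5:102 flags=R
2024-02-13T10:00:40 192.0.2.10:50124 -> 192.0.2.5:102 flags=R
"""

LOG_RE = re.compile(r"^(\S+) (\S+):(\d+) -> (\S+):(\d+) flags=([A-Z]+)$")


def parse_record(line: str):
    """Parse one flow record; return None for lines that do not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, sport, dst, dport, flags = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "src": src, "sport": int(sport),
        "dst": dst, "dport": int(dport),
        "flags": flags,
    }


def detect_reset_storms(log_text: str, threshold: int = 3,
                        window: timedelta = timedelta(seconds=10)) -> list:
    """Alert when a destination receives `threshold` or more RST segments
    within `window`. Records are processed in order; once an alert fires the
    window for that destination is cleared so one storm yields one alert."""
    recent = defaultdict(deque)  # dst -> deque of (timestamp, source) for RSTs
    alerts = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None or "R" not in rec["flags"]:
            continue
        q = recent[rec["dst"]]
        q.append((rec["ts"], rec["src"]))
        # Drop resets that fell out of the sliding window
        while q and rec["ts"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "dst": rec["dst"],
                "start": q[0][0],
                "end": rec["ts"],
                "count": len(q),
                "sources": sorted({src for _, src in q}),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_reset_storms(SAMPLE_LOG):
        print(f"RST storm against {a['dst']}: {a['count']} resets from "
              f"{', '.join(a['sources'])} between {a['start'].time()} "
              f"and {a['end'].time()}")
```

The single RST at 10:00:40 is an ordinary connection close and does not trip the detector; only the burst of four within a few seconds does. Tune `threshold` and `window` against a baseline of the module's normal reconnect rate, and treat the `sources` field as a lead rather than an attribution, since a sender forging sequence numbers can forge the source address as well.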
CVEs (1)
API:
/api/v1/advisories/f3a238f3-74b1-4472-b352-6c68158c9040