OTPulse

Siemens SIMATIC NET CP, SINEMA and SCALANCE Products Affected by Vulnerabilities in Third-Party Component strongSwan

Plan Patch · CVSS 7.5 · SSA-539476 · Feb 8, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Vulnerabilities in the third-party component strongSwan in Siemens SIMATIC NET CP, SINEMA, and SCALANCE products could allow an attacker to cause a denial of service (DoS) condition by exploiting integer overflow bugs in the VPN library. The vulnerabilities affect communication processors (CP), wireless gateways, and remote management platforms that use strongSwan for VPN/IPsec functionality.

What this means
What could happen
An attacker can remotely crash or disable VPN connectivity on affected Siemens communication processors and gateways, potentially disrupting remote access to plant networks, causing loss of remote monitoring and engineering access, or interrupting inter-site communications that depend on IPsec tunnels.
Who's at risk
Manufacturing and transportation operators using Siemens SIMATIC CP communication processors for remote plant access or inter-site VPN connections, facilities with SCALANCE wireless gateways or routers (MUM, M800/M876 series) handling site-to-site links, and operators running SINEMA Remote Connect Server for centralized remote access management. This includes any site where VPN availability is critical to operations monitoring or emergency response.
How it could be exploited
An attacker with network access to the affected device sends specially crafted IPsec packets that trigger an integer overflow in strongSwan's VPN processing library. The overflow causes the communication processor or gateway to crash, resulting in denial of service. No authentication or credentials are required.
Prerequisites
  • Network access to the device on a port where IPsec/VPN traffic is accepted (typically UDP 500 or 4500)
  • The affected device must be actively listening for IPsec connections from the attacker's network segment
remotely exploitable · no authentication required · low complexity · affects remote access and inter-site communications · high availability impact (DoS)
Exploitability
Moderate exploit probability (EPSS 2.5%)
Affected products (41)
41 with fix
Product                 Affected Versions   Fix Status
SCALANCE SC632-2C       < V2.3              2.3
SCALANCE SC636-2C       < V2.3              2.3
SCALANCE SC642-2C       < V2.3              2.3
SCALANCE SC646-2C       < V2.3              2.3
SIMATIC CP 1242-7 V2    < V3.3.46           3.3.46
Remediation & Mitigation
Do now
WORKAROUND: Implement firewall rules to restrict IPsec traffic (UDP 500, 4500) to only authorized VPN peers until patches can be applied
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SCALANCE S615
HOTFIX: Update SCALANCE MUM853-1, MUM856-1, SCALANCE S615, M804PB, M812/M816/M826/M874/M876 series to version 7.1 or later
SIMATIC CP 1543SP-1
HOTFIX: Update SIMATIC CP 1542SP series, SIMATIC CP 1543SP-1, and SIPLUS ET 200SP CP models to version 2.2.28 or later
SIMATIC CP 1242-7 V2
HOTFIX: Update SIMATIC CP 1242-7 V2, SIMATIC CP 1243 series, SIPLUS NET CP 1242-7 V2, and SIPLUS S7-1200 CP 1243 series to version 3.3.46 or later
SIMATIC CP 1543-1
HOTFIX: Update SIMATIC CP 1543-1 and SIPLUS NET CP 1543-1 to version 3.0.22 or later
SIMATIC CP 1545-1
HOTFIX: Update SIMATIC CP 1545-1 to version 1.1 or later
SINEMA Remote Connect Server
HOTFIX: Update SINEMA Remote Connect Server to version 3.1 or later
All products
HOTFIX: Update SCALANCE SC622/SC632/SC636/SC642/SC646 series to version 2.3 or later
Long-term hardening
HARDENING: Isolate affected devices from untrusted networks and restrict inbound IPsec connections to known, trusted VPN endpoints only
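
One way to verify that the firewall workaround and the hardening item above are actually in effect, as an added example that is not part of the Siemens advisory or of OTPulse: the script audits firewall flow records for accepted UDP 500/4500 traffic reaching an affected device from a source outside the authorized peer list. The log format, the peer and device addresses (documentation ranges) and the sample records are all constructed assumptions.

```python
import ipaddress

IPSEC_PORTS = {500, 4500}  # IKE and NAT-T, the UDP ports named in the advisory

# Assumed values: replace with the site's real VPN peers and affected devices.
AUTHORIZED_PEERS = [ipaddress.ip_network(n) for n in ("198.51.100.10/32", "203.0.113.0/29")]
AFFECTED_DEVICES = {ipaddress.ip_address(a) for a in ("192.0.2.20", "192.0.2.21")}

# Constructed flow records: "timestamp proto src sport dst dport action"
SAMPLE_FLOWS = """\
2022-02-09T08:00:01Z udp 198.51.100.10 500 192.0.2.20 500 accept
2022-02-09T08:00:05Z udp 203.0.113.4 4500 192.0.2.21 4500 accept
2022-02-09T08:01:12Z udp 203.0.113.77 43512 192.0.2.20 500 accept
2022-02-09T08:01:30Z udp 203.0.113.77 43513 192.0.2.20 4500 drop
2022-02-09T08:02:00Z tcp 203.0.113.77 51000 192.0.2.20 443 accept
malformed line
"""

def parse_flow(line):
    """Return a dict for a well-formed record, or None for anything else."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, proto, src, _sport, dst, dport, action = parts
    try:
        return {"ts": ts, "proto": proto.lower(), "src": ipaddress.ip_address(src),
                "dst": ipaddress.ip_address(dst), "dport": int(dport),
                "action": action.lower()}
    except ValueError:
        return None

def is_authorized(src):
    """True if the source address falls inside any authorized peer network."""
    return any(src in net for net in AUTHORIZED_PEERS)

def unauthorized_ipsec(flows_text):
    """Flows the workaround should have blocked: accepted IKE/NAT-T traffic
    to an affected device from a source that is not an authorized peer."""
    findings = []
    for line in flows_text.splitlines():
        f = parse_flow(line)
        if f is None or f["proto"] != "udp" or f["dport"] not in IPSEC_PORTS:
            continue
        if f["dst"] in AFFECTED_DEVICES and f["action"] == "accept" and not is_authorized(f["src"]):
            findings.append((f["ts"], str(f["src"]), str(f["dst"]), f["dport"]))
    return findings

if __name__ == "__main__":
    for finding in unauthorized_ipsec(SAMPLE_FLOWS):
        print("UNAUTHORIZED IPsec flow:", *finding)
```

An empty result over a representative log window indicates the restriction is holding; any finding points to a firewall rule that still admits IPsec traffic from an unlisted source.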