OTPulse

Embedded TCP/IP Stack Vulnerabilities (AMNESIA:33) in SIRIUS 3RW5 Modbus TCP and SENTRON PAC / 3VA Devices

Status: Monitor
Score: 6.5
Advisory: SSA-541017
Published: Dec 8, 2020
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

AMNESIA:33 vulnerability CVE-2020-13988: integer overflow in the embedded TCP/IP stack affects Siemens power monitoring (SENTRON 3VA, PAC series) and motor soft-starter communication modules (SIRIUS 3RW5 Modbus TCP). Malformed packets with large packet sizes can cause integer overflow in length calculation, leading to memory corruption. The result is typically denial of service—affected devices become unresponsive and must be power-cycled to recover. This impacts availability of monitoring and control communications for power distribution systems.

What this means
What could happen
An attacker on the same network segment as these power distribution and monitoring devices could send specially crafted packets to trigger integer overflow and cause the devices to stop responding, interrupting visibility into grid state and potentially affecting load management.
Who's at risk
Electric utilities and municipalities operating SENTRON power monitoring and metering systems (3VA, PAC2200, PAC3200, PAC3200T, PAC4200) and SIRIUS soft starters with Modbus TCP modules should prioritize patching. These devices measure energy consumption, monitor grid parameters, and control motor starts—if they become unresponsive, operators lose real-time visibility into substation health and cannot respond to load changes or faults.
How it could be exploited
An attacker with network access to the Modbus TCP or embedded Ethernet port of affected devices sends malformed TCP/IP packets that trigger integer overflow in the embedded stack. This causes the device to crash or enter an unresponsive state, severing communications with control systems.
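To illustrate the bug class the summary and the paragraph above describe (a length field taken from the wire and fed into arithmetic in a narrow integer type, so a very large declared size wraps and slips past the bounds check), the following C example is added here. It is a constructed illustration, not code from the affected embedded stack, from AMNESIA:33 research or from Siemens; the frame layout, the function names and the two sample frames are assumptions made for the example. frame_ok_naive is the unsafe check that a wrapped sum satisfies; frame_payload_checked is the subtraction-based form that cannot wrap, with an additional bound against the receive buffer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed frame layout (an assumption for this example, not the real stack):
 *   bytes 0..1 : header length,  uint16 big-endian, counts these 4 bytes too
 *   bytes 2..3 : payload length, uint16 big-endian
 *   then header bytes, then payload bytes                                      */

#define RX_BUF_SIZE 256u

/* Scratch receive buffer shared by the demo below. */
uint8_t rx_buf[RX_BUF_SIZE];

static uint16_t rd16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Unsafe check: the two length fields are added in a 16-bit type, so a large
 * declared payload wraps the sum to a small number and the frame "fits". */
bool frame_ok_naive(const uint8_t *frame, size_t frame_len)
{
    if (frame_len < 4)
        return false;
    uint16_t hdr_len = rd16(frame);
    uint16_t payload_len = rd16(frame + 2);
    uint16_t total = (uint16_t)(hdr_len + payload_len); /* wraps at 65536 */
    return total <= frame_len;
}

/* Hardened check: every field is compared against the bytes actually present,
 * using subtraction (no intermediate can wrap) plus a destination bound.
 * Copies the payload into out and returns its length, or -1 on rejection. */
int frame_payload_checked(const uint8_t *frame, size_t frame_len,
                          uint8_t *out, size_t out_size)
{
    if (frame_len < 4)
        return -1;
    uint16_t hdr_len = rd16(frame);
    uint16_t payload_len = rd16(frame + 2);

    if (hdr_len < 4 || hdr_len > frame_len)   /* header must lie inside the frame */
        return -1;
    if (payload_len > frame_len - hdr_len)    /* payload must lie inside the frame */
        return -1;
    if (payload_len > out_size)               /* and inside the receive buffer */
        return -1;

    memcpy(out, frame + hdr_len, payload_len);
    return (int)payload_len;
}

/* Constructed samples. The malformed one carries 40 bytes on the wire but
 * declares a 20-byte header and a 65530-byte payload; 20 + 65530 wraps to 14. */
const uint8_t malformed_frame[40] = { 0x00, 0x14, 0xFF, 0xFA };
const uint8_t wellformed_frame[12] = { 0x00, 0x04, 0x00, 0x08,
                                       'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h' };

int main(void)
{
    const struct { const char *name; const uint8_t *f; size_t n; } samples[] = {
        { "malformed",  malformed_frame,  sizeof malformed_frame },
        { "wellformed", wellformed_frame, sizeof wellformed_frame },
    };
    for (size_t i = 0; i < 2; i++) {
        printf("%-10s naive=%s checked=%d\n", samples[i].name,
               frame_ok_naive(samples[i].f, samples[i].n) ? "accept" : "reject",
               frame_payload_checked(samples[i].f, samples[i].n, rx_buf, sizeof rx_buf));
    }
    return 0;
}
```

Run stand-alone, the naive check accepts both frames while the hardened one rejects the malformed frame (-1) and returns 8 for the well-formed one. The design point is to compare a declared length against what remains in the buffer (frame_len - hdr_len) rather than against a computed total, and to bound it against the destination as a separate step.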
Prerequisites
  • Network access to Modbus TCP port (typically 502) or the device's Ethernet management interface
  • No authentication required
  • Attacker and device must be on the same network segment (AV:A indicates adjacent-network requirement)
Tags: remotely exploitable · no authentication required · low complexity · affects critical monitoring infrastructure · integer overflow in widely-used embedded TCP/IP stack
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (7)
7 with fix
Product                                        Affected Versions   Fix Status
SENTRON 3VA COM100/800                         < V4.2              fixed in V4.2
SENTRON 3VA DSP800                             < V2.0              fixed in V2.0
SENTRON PAC2200 (without MID Approval)         < V3.0.5            fixed in V3.0.5
SENTRON PAC3200                                < V2.4.5            fixed in V2.4.5
SENTRON PAC3200T                               < V3.0.5            fixed in V3.0.5
SENTRON PAC4200                                < V2.0.1            fixed in V2.0.1
SIRIUS 3RW5 communication module Modbus TCP    < V1.1.1            fixed in V1.1.1
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to Modbus TCP ports (502) and device management interfaces using firewall rules; limit to authorized engineering networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SENTRON 3VA COM100/800
HOTFIX: Update SENTRON 3VA COM100/800 to version 4.2 or later
SENTRON 3VA DSP800
HOTFIX: Update SENTRON 3VA DSP800 to version 2.0 or later
SENTRON PAC3200
HOTFIX: Update SENTRON PAC3200 to version 2.4.5 or later
HOTFIX: Update SENTRON PAC3200T to version 3.0.5 or later
SENTRON PAC4200
HOTFIX: Update SENTRON PAC4200 to version 2.0.1 or later
All products
HOTFIX: Update SENTRON PAC2200 (non-MID) to version 3.0.5 or later
HOTFIX: Update SIRIUS 3RW5 Modbus TCP communication module to version 1.1.1 or later
Long-term hardening
HARDENING: Segregate power monitoring and motor control devices onto a dedicated management network isolated from general IT infrastructure