OTPulse

DNS "Name:Wreck" Vulnerabilities in Multiple Siemens Energy AGT and SGT solutions

Priority: Act Now
CVSS: 9.8
Advisory: SSA-553445
Date: Aug 10, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

One of the DNS "Name:Wreck" vulnerabilities (buffer overflow, CWE-787) may affect Siemens Energy gas turbine control systems: SGT-100, SGT-200, SGT-300, and SGT-400 (industrial models with Allen Bradley control) and SGT-A20, SGT-A35, and SGT-A65 (aeroderivative models with FT125 control). The vulnerability exists in the DNS implementation of the underlying Rockwell Automation / Allen Bradley components. Remote attackers with network access could send malicious DNS responses to trigger code execution on the turbine controller. Fixes are available through Rockwell Automation security advisory PN1564 for the affected Allen Bradley components, but some updates may not be compatible with other integrated system components.

What this means
What could happen
An attacker on the network could send malicious DNS responses to these gas turbine control systems, potentially allowing them to execute arbitrary code on the PLCs controlling turbine operations, which could lead to process interruption, equipment damage, or safety hazards.
Who's at risk
Energy generation facilities operating Siemens SGT-100, SGT-200, SGT-300, SGT-400 (industrial gas turbines) and SGT-A20, SGT-A35, SGT-A65 (aeroderivative turbines) with Allen Bradley or FT125 control systems. This impacts power generation operators, combined-cycle plants, and oil/gas production facilities relying on these turbine models.
How it could be exploited
An attacker with network access to the control systems would intercept or poison DNS queries sent by the turbine controller (Allen Bradley or FT125). By responding with a crafted DNS reply, the attacker could redirect the controller to a malicious server, leading to arbitrary code execution on the PLC. This exploits a buffer overflow vulnerability (CWE-787) in the DNS implementation.
Prerequisites
  • Network access to the control system on the path between the turbine PLC and DNS resolvers
  • No authentication required to send DNS packets
  • Turbine controller must perform DNS lookups (typical for modern industrial control systems)
Tags: remotely exploitable · no authentication required · low complexity · high CVSS score (9.8) · affects safety-critical turbine operations · no patch available from Siemens · buffer overflow vulnerability
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (7, all pending a fix)

Product   Affected Versions   Fix Status
SGT-100   All versions        No fix yet
SGT-200   All versions        No fix yet
SGT-300   All versions        No fix yet
SGT-400   All versions        No fix yet
SGT-A20   All versions        No fix yet
SGT-A35   All versions        No fix yet
SGT-A65   All versions        No fix yet
Remediation & Mitigation

Do now
Workaround: Contact Siemens Energy technical support to confirm compatibility of Allen Bradley updates with integrated FT125 or Allen Bradley control systems before deployment

Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Hotfix: Apply Rockwell Automation patches for Allen Bradley components per PN1564 security advisory

Long-term hardening
Hardening: Segment gas turbine control networks from general corporate DNS and implement DNS query filtering at network boundary
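The exploit description above rests on a DNS implementation that trusts the label lengths and compression pointers in a response, and the hardening item calls for DNS filtering at the network boundary. As an added illustration (not OTPulse, Siemens or Rockwell code, and not the affected implementation), this Python validator walks a DNS response with the bounds checks a CWE-787-safe parser needs and reports why a malformed reply is rejected; the label and pointer rules follow RFC 1035, and the packets are constructed samples, not captures from any controller.

```python
import struct

def decode_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a possibly-compressed name; raise ValueError on any malformed or out-of-bounds label."""
    labels, resume = [], None          # resume: where the caller continues after the first pointer
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:                       # two-byte compression pointer
            if offset + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            target = ((length & 0x3F) << 8) | msg[offset + 1]
            if target >= offset:                        # only backward pointers, so decoding must terminate
                raise ValueError("pointer does not point backwards")
            resume = resume if resume is not None else offset + 2
            offset = target
            continue
        if length & 0xC0:                               # 01/10 prefixes are reserved (also rules out >63)
            raise ValueError("reserved label type")
        if length == 0:                                 # root label ends the name
            return ".".join(labels), (resume if resume is not None else offset + 1)
        if offset + 1 + length > len(msg):
            raise ValueError("label runs past end of message")
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii", "replace"))
        offset += 1 + length

def validate_response(msg: bytes) -> tuple[bool, str]:
    """Walk every section of a DNS response with bounds checks; returns (ok, reason)."""
    try:
        if len(msg) < 12:
            raise ValueError("header shorter than 12 bytes")
        qd, an, ns, ar = struct.unpack("!4H", msg[4:12])   # section counts from the header
        off = 12
        for _ in range(qd):
            _, off = decode_name(msg, off)
            off += 4                                    # QTYPE + QCLASS
        for _ in range(an + ns + ar):
            _, off = decode_name(msg, off)
            off += 10 + int.from_bytes(msg[off + 8:off + 10], "big")  # fixed RR fields + RDATA; short slice caught below
        if off > len(msg):
            raise ValueError("record data runs past end of message")
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)

# Constructed sample packets (not captured from any real controller).
HDR = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
GOOD = HDR + b"\x03ntp\x05plant\x05local\x00\x00\x01\x00\x01" + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([192, 0, 2, 10])
BAD_TRUNC = HDR + b"\x28ntp"          # label claims 40 bytes but only 3 follow
BAD_LOOP = HDR + b"\xc0\x0c"          # pointer at offset 12 that points to itself
```

Run over responses mirrored at the control-network boundary, the reject reasons give a concrete signal for the DNS filtering the hardening item describes.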