OTPulse

Multiple Denial of Service Vulnerabilities in the Webserver of Industrial Products

Action: Plan Patch
CVSS: 7.5
Siemens advisory: SSA-566905
Date: Apr 11, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple denial of service vulnerabilities exist in the webserver component of Siemens SIMATIC communication processors and TIM modules, caused by a use-after-free (CWE-416), a deadlock resulting from improper thread synchronization (CWE-833), and allocation of resources without limits or throttling (CWE-770). An unauthenticated attacker with network access to the webserver can send a specially crafted request that crashes the affected device. Impacted products include the CP 1242-7 V2, the CP 1243 series, the CP 1542SP/1543SP series, the CP 443 series, and the TIM 1531 IRC. All variants, including SIPLUS industrial-grade and specialized versions (DNP3, IEC, LTE, IRC, ISEC), are affected. Siemens has released firmware updates for all affected products.

What this means
What could happen
An attacker with network access to the webserver could crash the communication processor, interrupting data exchange between your control system and remote sites or cloud connections until the device is rebooted.
Who's at risk
Manufacturing and transportation facilities using Siemens SIMATIC communication processors (CP 1242, CP 1243, CP 1542SP, CP 1543SP, CP 443, and TIM 1531 modules) for remote data exchange, telemetry, or cloud connectivity. Operators of water utilities, electric utilities, and industrial automation systems that rely on these processors for SCADA data transmission or fieldbus gateway functions.
How it could be exploited
An attacker sends a specially crafted network request to the webserver port (typically 80 or 443) of a vulnerable communication processor. The webserver crashes, rendering the device unable to transmit or receive data over its network interfaces.
Prerequisites
  • Network access to the webserver port on the affected communication processor (port 80 or 443 by default)
  • No authentication required to trigger the denial of service
Tags
  • remotely exploitable
  • no authentication required
  • low complexity
  • high CVSS score (7.5)
  • affects connectivity of critical infrastructure systems
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (22)
22 with fix

Product                                          Affected Versions   Fix Status
SIMATIC CP 1242-7 V2                             < V3.4.29           V3.4.29
SIMATIC CP 1243-1                                < V3.4.29           V3.4.29
SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants)   < V3.4.29           V3.4.29
SIMATIC CP 1243-1 IEC (incl. SIPLUS variants)    < V3.4.29           V3.4.29
SIMATIC CP 1243-7 LTE EU                         < V3.4.29           V3.4.29
Remediation & Mitigation

Do now
WORKAROUND: Restrict network access to the webserver ports (80, 443) of the communication processors using firewall rules; allow only trusted management workstations and authorized remote sites.

Schedule (requires a maintenance window)

Patching may require a device reboot: plan for process interruption.

SIMATIC CP 1242-7 V2
HOTFIX: Update SIMATIC CP 1242-7 V2 to firmware version V3.4.29 or later.
SIMATIC CP 1243-1
HOTFIX: Update SIMATIC CP 1243-1 (including all variants: DNP3, IEC, SIPLUS) to firmware version V3.4.29 or later.
SIMATIC CP 1243-7 LTE
HOTFIX: Update SIMATIC CP 1243-7 LTE (EU and US variants) to firmware version V3.4.29 or later.
SIMATIC CP 1243-8 IRC
HOTFIX: Update SIMATIC CP 1243-8 IRC to firmware version V3.4.29 or later.
SIMATIC CP 1542SP-1
HOTFIX: Update SIMATIC CP 1542SP-1 and variants (including SIPLUS ET 200SP) to firmware version V2.3 or later.
SIMATIC CP 1543SP-1
HOTFIX: Update SIMATIC CP 1543SP-1 (including SIPLUS variants) to firmware version V2.3 or later.
SIMATIC CP 443-1
HOTFIX: Update SIMATIC CP 443-1 and Advanced variants (including SIPLUS NET) to firmware version V3.3 or later.
TIM 1531 IRC
HOTFIX: Update TIM 1531 IRC and SIPLUS TIM 1531 IRC to firmware version V2.3.6 or later.

Long-term hardening
HARDENING: Disable the webserver function on communication processors if web-based management is not required.
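The fix versions above differ per product family, and in a plant inventory the same family shows up under several names (SIPLUS, DNP3, IEC, Advanced). The following script is an added example, not part of the advisory or of any Siemens tooling: it classifies each inventory row against the fix table copied from this page and, for every device that is not confirmed patched, emits the nftables rule lines that implement the "Do now" workaround (webserver ports reachable only from named management hosts). The inventory rows, IP addresses, management hosts and the assumption of a filter chain on a firewall in front of the automation cell are constructed for the example.

```python
"""Firmware triage and compensating firewall rules for the CP/TIM families in SSA-566905.

Added example. The fixed-version table is copied from the advisory above; the
product-name matching, inventory format, IP addresses and firewall placement
are assumptions of this example, not part of the advisory.
"""
import re
from typing import Iterable

# Fixed firmware per product family, as listed in the advisory above.
# Keys are core product designators matched as substrings of the inventory
# name, so SIPLUS / DNP3 / IEC / Advanced variants (same fix) are covered.
FIXED_VERSIONS = {
    "CP 1242-7 V2": "3.4.29",
    "CP 1243-1": "3.4.29",      # incl. DNP3, IEC and SIPLUS variants
    "CP 1243-7 LTE": "3.4.29",  # EU and US
    "CP 1243-8 IRC": "3.4.29",
    "CP 1542SP-1": "2.3",       # incl. SIPLUS ET 200SP variants
    "CP 1543SP-1": "2.3",       # incl. SIPLUS variants
    "CP 443-1": "3.3",          # incl. Advanced and SIPLUS NET variants
    "TIM 1531 IRC": "2.3.6",    # incl. SIPLUS TIM 1531 IRC
}

WEBSERVER_PORTS = (80, 443)   # default webserver ports named in the advisory


def parse_version(text: str) -> tuple:
    """Turn 'V3.4.29', 'v3.4' or '3.4.29' into a comparable tuple of ints.

    Raises ValueError for anything that is not a dotted numeric version.
    """
    m = re.fullmatch(r"\s*[vV]?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_lt(a: tuple, b: tuple) -> bool:
    """Compare after zero-padding: (2, 3) == (2, 3, 0) and (2, 3) < (2, 3, 6)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def family_of(product: str):
    """Map an inventory product name onto an advisory family key, or None."""
    name = " ".join(product.split()).upper()
    for key in FIXED_VERSIONS:
        if key.upper() in name:
            return key
    return None


def triage(product: str, firmware: str) -> str:
    """Classify one device: vulnerable, patched, unknown_version or not_in_advisory."""
    fam = family_of(product)
    if fam is None:
        return "not_in_advisory"
    try:
        have = parse_version(firmware)
    except ValueError:
        return "unknown_version"  # treated as unpatched until confirmed
    fixed = parse_version(FIXED_VERSIONS[fam])
    return "vulnerable" if version_lt(have, fixed) else "patched"


def triage_inventory(rows: Iterable[dict]) -> list:
    """Annotate rows (dicts with 'product', 'firmware', 'ip') with a 'status'."""
    return [dict(r, status=triage(r["product"], r["firmware"])) for r in rows]


def nft_allowlist_rules(rows: Iterable[dict], mgmt_hosts: Iterable[str]) -> list:
    """nftables rule lines for the workaround, one accept/drop pair per device
    that is not confirmed patched. Intended for a filter chain on a firewall in
    front of the cell (assumed); rule syntax is standard nft."""
    src = "{ " + ", ".join(mgmt_hosts) + " }"
    ports = "{ " + ", ".join(str(p) for p in WEBSERVER_PORTS) + " }"
    rules = []
    for r in rows:
        if r["status"] in ("patched", "not_in_advisory"):
            continue
        rules.append(f"ip saddr {src} ip daddr {r['ip']} tcp dport {ports} accept")
        rules.append(f"ip daddr {r['ip']} tcp dport {ports} drop")
    return rules


# Constructed sample inventory (not real devices, not from the advisory).
SAMPLE_INVENTORY = [
    {"product": "SIMATIC CP 1243-1 DNP3", "firmware": "V3.4.28", "ip": "192.168.10.20"},
    {"product": "SIPLUS TIM 1531 IRC", "firmware": "V2.3.6", "ip": "192.168.10.21"},
    {"product": "SIMATIC CP 1543SP-1", "firmware": "V2.2.1", "ip": "192.168.10.22"},
    {"product": "SIMATIC CP 443-1 Advanced", "firmware": "n/a", "ip": "192.168.10.23"},
    {"product": "SIMATIC S7-1500 CPU 1516-3", "firmware": "V2.9", "ip": "192.168.10.24"},
]
MGMT_HOSTS = ["10.0.0.5", "10.0.0.6"]  # assumed management workstations

if __name__ == "__main__":
    annotated = triage_inventory(SAMPLE_INVENTORY)
    for row in annotated:
        print(f"{row['ip']:15} {row['status']:16} {row['product']} {row['firmware']}")
    print("\n".join(nft_allowlist_rules(annotated, MGMT_HOSTS)))
```

A device whose firmware version cannot be read is deliberately kept in the firewall allowlist set: an unreadable version is not evidence of a patch, and the workaround costs nothing on a device that turns out to be fixed already. Remove the accept/drop pair for a device only after the patched status has been confirmed from the device itself.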