OTPulse

Multiple Vulnerabilities in Third-Party Components in SIMATIC CP 1542SP-1 and CP 1543SP-1 before V2.3

Act Now | 9.8 | SSA-625862 | Jun 11, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIMATIC CP 1542SP-1 and CP 1543SP-1 communication processors contain multiple vulnerabilities in third-party components and the integrated web server that allow remote code execution without authentication. An attacker can execute arbitrary commands on the processor by sending crafted network requests, potentially compromising network integrity and plant control systems that depend on the communication module.

What this means
What could happen
An attacker on the network could run arbitrary code on the SIMATIC CP communication processor, allowing them to manipulate network traffic, modify PLC commands, or disrupt plant connectivity. This could affect any device or process that depends on the communication module.
Who's at risk
Transportation operators, rail systems, and any facility using SIMATIC CP 1542SP-1 or CP 1543SP-1 communication processors (including SIPLUS variants). Any industrial automation system relying on these communication modules for PLC networking is at risk.
How it could be exploited
An attacker without credentials can send a crafted network request to the communication processor's web server or network interface. The processor executes code from the request, giving the attacker control of the device. Because authentication is not required and the module is network-facing, the attacker can reach it from the plant network or potentially from outside if the network is not properly segmented.
Prerequisites
  • Network access to the SIMATIC CP communication processor on TCP/IP ports used by the web server or integrated services
Tags: remotely exploitable; no authentication required; low complexity; high EPSS score (88.5%); affects network communication critical to plant operations
Exploitability
High exploit probability (EPSS 88.5%)
Affected products (6)
6 with fix
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| SIMATIC CP 1542SP-1 | <V2.3 | 2.3 |
| SIMATIC CP 1542SP-1 IRC | <V2.3 | 2.3 |
| SIMATIC CP 1543SP-1 | <V2.3 | 2.3 |
| SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL | <V2.3 | 2.3 |
| SIPLUS ET 200SP CP 1543SP-1 ISEC | <V2.3 | 2.3 |
| SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL | <V2.3 | 2.3 |
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC CP 1542SP-1
HOTFIX: Update SIMATIC CP 1542SP-1, CP 1542SP-1 IRC, CP 1543SP-1, SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL, SIPLUS ET 200SP CP 1543SP-1 ISEC, and SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL to firmware version 2.3 or later.