Ripple20 in SIMATIC RTLS Gateways
Act Now · 7.5 · SSA-647068 · Feb 13, 2024
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
SIMATIC RTLS Gateways (RTLS4030G and RTLS4430G models) are affected by Ripple20 vulnerabilities in the TCP/IP stack. These are implementation flaws in the embedded TCP/IP library that could allow remote attackers to cause denial of service or potentially execute code through network communications.
What this means
What could happen
An attacker who can reach these gateways over the network could cause them to crash or malfunction, disrupting real-time location tracking operations across your facility. In the worst case, they could potentially run code on the device to intercept or redirect location data.
Who's at risk
Manufacturing and logistics operations that rely on SIMATIC RTLS (Real-Time Location System) gateways for asset tracking and material flow. It specifically affects any facility using RTLS4030G or RTLS4430G models in any regional variant (CMIIT, ETSI, FCC, ISED). This includes automotive plants, smart warehouses, and discrete manufacturing facilities where real-time location tracking is critical to operations.
How it could be exploited
An attacker on the same network segment as the gateway (or routed to it) could send specially crafted TCP/IP packets to trigger the TCP/IP stack vulnerability. No authentication is required. The attack could cause a denial of service by crashing the gateway, or potentially lead to code execution depending on the specific Ripple20 flaw exploited.
Prerequisites
- Network layer access to the gateway (same subnet or routed IP connectivity)
- No credentials required
- Gateway must be reachable via IP network
Remotely exploitable · No authentication required · Low complexity attack · High EPSS score (38.2%) · No patch available · Ripple20 TCP/IP stack vulnerability
Exploitability
High exploit probability (EPSS 38.2%)
Affected products (5)
5 EOL
Product | Affected Versions | Fix Status
SIMATIC RTLS Gateway RTLS4030G, FCC (6GT2701-5DB13) | All versions | No fix (EOL)
SIMATIC RTLS Gateway RTLS4030G, ISED (6GT2701-5DB33) | All versions | No fix (EOL)
SIMATIC RTLS Gateway RTLS4430G, Chirp, ETSI, FCC, ISED, IP65 (6GT2701-5CB03) | All versions | No fix (EOL)
SIMATIC RTLS Gateway RTLS4030G, CMIIT (6GT2701-5DB23) | All versions | No fix (EOL)
SIMATIC RTLS Gateway RTLS4030G, ETSI (6GT2701-5DB03) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Isolate RTLS gateways on a separate network segment or VLAN with firewall rules limiting access to only authorized location tracking clients and management workstations
WORKAROUND: Disable any gateway features or services not required for location tracking operations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Monitor network traffic to and from gateways for abnormal packet patterns or repeated connection attempts
HOTFIX: Maintain regular contact with Siemens for patch notification once fixes become available
Mitigations - no patch available
The following products have reached End of Life with no planned fix:
- SIMATIC RTLS Gateway RTLS4030G, FCC (6GT2701-5DB13)
- SIMATIC RTLS Gateway RTLS4030G, ISED (6GT2701-5DB33)
- SIMATIC RTLS Gateway RTLS4430G, Chirp, ETSI, FCC, ISED, IP65 (6GT2701-5CB03)
- SIMATIC RTLS Gateway RTLS4030G, CMIIT (6GT2701-5DB23)
- SIMATIC RTLS Gateway RTLS4030G, ETSI (6GT2701-5DB03)
Apply the following compensating controls:
HARDENING: Apply Siemens operational guidelines for Industrial Security and follow product manual security recommendations
CVEs (1)