OTPulse

Denial of Service Vulnerability in OpenSSL (CVE-2022-0778) Affecting Industrial Products

Action: Plan Patch
Score: 7.5
Advisory: SSA-712929
Date: Jun 14, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

OpenSSL contains a vulnerability (CVE-2022-0778) in elliptic curve certificate processing that triggers an infinite loop in the X509_PUBKEY_set0_param() function. A remote attacker can send a specially crafted elliptic curve certificate via TLS to cause a denial of service. The vulnerability affects a large number of Siemens industrial products including SCALANCE switches and routers, SIMATIC PLCs (S7-1200, S7-1500 series), communication processors, HMI and engineering software (WinCC, STEP 7, TIA Portal), and remote access controllers (RUGGEDCOM, SINEMA). Many products, particularly older SCALANCE models (XF, X200-series), SIMATIC software versions (STEP 7 V15/V16, WinCC V15/V16, PCS 7 V8.2/V9.0), and legacy communication processors have no available fix.

What this means
What could happen
An attacker on the network can crash or stop critical control devices by sending specially crafted certificates through SSL/TLS connections, disrupting manufacturing lines, power distribution, or water treatment operations.
Who's at risk
Manufacturing plants, utilities, and transportation operators using Siemens SCALANCE industrial switches, SIMATIC programmable logic controllers (S7-1200, S7-1500 series), communication processors (CP 1243, CP 1543, CP 443), HMI software (WinCC), engineering tools (TIA Portal, STEP 7), remote access equipment (RUGGEDCOM ROX, SINEMA Remote Connect), and OPC UA servers. Any device running vulnerable OpenSSL and accepting TLS connections is at risk.
How it could be exploited
An attacker sends a malicious elliptic curve certificate to a vulnerable device during TLS negotiation. The device's OpenSSL library processes the certificate and enters an infinite loop, consuming CPU and becoming unresponsive. If the device is a PLC, gateway, or remote access server, operations halt.
Prerequisites
  • Network access to the device's SSL/TLS port (443, 8080, or OPC UA port 4840)
  • Device must accept inbound TLS connections
  • Device must be running a vulnerable OpenSSL version
Key risk factors
  • Remotely exploitable via network
  • No authentication required to trigger the denial of service
  • Low attack complexity
  • High EPSS score (8.3%)
  • Many devices have no fix available (end-of-life products)
  • Affects critical control systems and engineering workstations
  • Can disrupt physical operations by crashing PLCs and gateways
Exploitability
Moderate exploit probability (EPSS 8.3%)
Affected products (479)
381 with fix, 98 pending

Product                  Affected Versions   Fix Status
SCALANCE XF204-2         All versions        No fix yet
SCALANCE XF204-2BA       < 4.4               4.4
SCALANCE XF204-2BA DNA   < 4.4               4.4
SCALANCE XF204-2BA IRT   < 5.5.2             5.5.2
SCALANCE XF204IRT        < 5.5.2             5.5.2
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to SSL/TLS ports on affected devices using firewall rules; allow only trusted engineering workstations and remote access points
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SINEC INS
HOTFIX: Update SINEC INS to version 1.0 SP2 or later
SINEC NMS
HOTFIX: Update SINEC NMS to version 1.0 SP3 or later
TIA Administrator
HOTFIX: Update TIA Administrator to version 1.0.8 or later
SIMATIC WinCC V7.4
HOTFIX: Update SIMATIC WinCC V7.4 to SP1 Update 22 or later; V7.5 to SP2 Update 16 or later; V17 to Update 5 or later
SIMATIC STEP 7 V5
HOTFIX: Update SIMATIC STEP 7 V5 to HF4 or later; V17 to Update 5 or later
All products
HOTFIX: Update SIMATIC CP (communication processors) to fixed versions (e.g., CP 1243-7 LTE to 3.4.29, CP 1543-1 to 3.0.37)
HOTFIX: Update SIMATIC S7-1200 CPUs to firmware 4.6.0 or later
HOTFIX: Update SIMATIC S7-1500 CPUs to firmware 2.9.7 or 3.0.1 as applicable
HOTFIX: Update SCALANCE industrial switches and routers to fixed versions (e.g., XF204-2BA to 4.4, XM408-4C to 6.5, XR324 to 4.1.7)
HOTFIX: Update RUGGEDCOM ROX and RM devices to fixed versions (e.g., ROX firmware to 2.15.1, RM1224 LTE to 7.2)
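The fix table above is only useful once it has been matched against an asset inventory, which in an OT estate usually means a spreadsheet export of hostnames, product names and firmware strings. The script below is an added example (not OTPulse or Siemens code): FIX_TABLE copies the fixed firmware versions named on this page, the inventory rows are constructed, and it assumes that wherever the advisory names only a fixed version, every firmware version below it is affected. For the S7-1500, which has a fix per firmware line (2.9.7 or 3.0.1), a device is compared against the fix in its own major line.

```python
"""Triage an OT asset inventory against the CVE-2022-0778 fix table.

Added example, not OTPulse or Siemens code. FIX_TABLE copies the fixed
firmware versions named on this page; the inventory is constructed.
Assumption: where only a fixed version is named, every version below it
is affected.
"""
from dataclasses import dataclass

# Fixed firmware versions per product, from the advisory text. An empty
# list means no fix is listed; several entries mean one fix per firmware line.
FIX_TABLE = {
    "SCALANCE XF204-2": [],
    "SCALANCE XF204-2BA": ["4.4"],
    "SCALANCE XF204-2BA DNA": ["4.4"],
    "SCALANCE XF204-2BA IRT": ["5.5.2"],
    "SCALANCE XF204IRT": ["5.5.2"],
    "SIMATIC S7-1200 CPU": ["4.6.0"],
    "SIMATIC S7-1500 CPU": ["2.9.7", "3.0.1"],
    "SIMATIC CP 1243-7 LTE": ["3.4.29"],
    "SIMATIC CP 1543-1": ["3.0.37"],
    "RUGGEDCOM RM1224 LTE": ["7.2"],
}

# Constructed inventory: hostnames and firmware strings are made up.
INVENTORY = [
    ("plc-01", "SIMATIC S7-1200 CPU", "4.5.2"),
    ("plc-02", "SIMATIC S7-1500 CPU", "2.9.7"),
    ("plc-03", "SIMATIC S7-1500 CPU", "3.0.0"),
    ("sw-01", "SCALANCE XF204-2", "4.1.3"),
    ("sw-02", "SCALANCE XF204-2BA IRT", "V5.5.2"),
    ("sw-03", "SCALANCE XF204-2BA", "V4.3"),
    ("gw-01", "SIMATIC CP 1543-1", "3.0.22"),
    ("rtr-01", "RUGGEDCOM RM1224 LTE", "n/a"),
    ("misc-01", "Hypothetical gateway", "1.0"),  # product not in this advisory
]


def parse_version(text):
    """'V4.4' or '5.5.2' -> tuple of ints; raises ValueError on junk like 'n/a'."""
    return tuple(int(p) for p in text.strip().lstrip("Vv").split("."))


def version_ge(a, b):
    """Compare dotted versions so that 4.4 == 4.4.0 (zero-pad the shorter)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def required_fix(product, version):
    """Fixed version the device must reach, or None if it is already there.
    Uses the lowest fix in the device's own major line, else the lowest fix."""
    fixes = [parse_version(f) for f in FIX_TABLE[product]]
    if not fixes:
        return None
    same_line = [f for f in fixes if f[0] == version[0]]
    target = min(same_line) if same_line else min(fixes)
    if version_ge(version, target):
        return None
    return ".".join(str(n) for n in target)


@dataclass
class Finding:
    host: str
    product: str
    version: str
    status: str   # patched | update | no_fix | bad_version | unknown
    action: str


def triage(inventory):
    """Classify each (host, product, version) and attach the advisory's advice."""
    findings = []
    for host, product, version_text in inventory:
        if product not in FIX_TABLE:
            findings.append(Finding(host, product, version_text, "unknown",
                                    "Not in this table; check SSA-712929"))
            continue
        try:
            version = parse_version(version_text)
        except ValueError:
            findings.append(Finding(host, product, version_text, "bad_version",
                                    "Unparseable firmware version; verify on device"))
            continue
        if not FIX_TABLE[product]:
            findings.append(Finding(host, product, version_text, "no_fix",
                                    "No fix: restrict TLS ports 443/8080/4840 to trusted "
                                    "engineering stations and segment the device"))
            continue
        fix = required_fix(product, version)
        if fix is None:
            findings.append(Finding(host, product, version_text, "patched", "None"))
        else:
            findings.append(Finding(host, product, version_text, "update",
                                    f"Update to {fix} in a maintenance window; "
                                    "restrict TLS ports until then"))
    return findings


if __name__ == "__main__":
    for f in triage(INVENTORY):
        print(f"{f.host:8} {f.product:24} {f.version:8} {f.status:12} {f.action}")
```

Firmware strings from real exports are rarely clean, so the parser rejects anything it cannot turn into integers rather than silently treating it as patched; a "bad_version" row is a prompt to check the device, not a pass.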
Long-term hardening
HARDENING: Disable TLS/SSL connectivity on non-critical ports if not required for operations
HARDENING: Implement network segmentation to isolate control devices from untrusted networks
HARDENING: Monitor SSL/TLS connection attempts and alert on certificate errors or connection timeouts
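The monitoring item above is easier to act on with a concrete rule. The detector below is an added example (not OTPulse or Siemens code) that implements two of them over constructed sample log lines in a made-up key=value format: a burst of certificate errors from one source, and a target that stops answering (connection timeouts) shortly after it received a certificate error, which is the pattern a device hung in the loop described on this page would leave behind. Only parse_line() depends on the format; adapt it to the real firewall or TLS proxy export.

```python
"""Alert on TLS certificate-error bursts and on devices that stop answering
after a certificate error.

Added example, not OTPulse or Siemens code. The log format is constructed:
'<ISO time> <sensor> tls key=value ...'. Adapt parse_line() to the real
firewall or TLS proxy export; the two rules do not depend on the format.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

BURST_COUNT, BURST_WINDOW_S = 3, 60    # certificate errors from one source
HANG_COUNT, HANG_WINDOW_S = 2, 120     # timeouts to one target after a cert error

# Constructed sample: 10.0.9.77 sends bad certificates to two devices, after
# which 10.0.1.10 stops answering its OPC UA port. 10.0.1.12 sees a single
# expired-certificate error and an unrelated timeout well outside the window.
SAMPLE_LOG = """\
2022-06-14T10:00:01Z fw01 tls src=10.0.5.23 dst=10.0.1.10 dport=4840 event=handshake_ok
2022-06-14T10:00:15Z fw01 tls src=10.0.9.77 dst=10.0.1.10 dport=4840 event=handshake_error reason=bad_certificate
2022-06-14T10:00:20Z fw01 tls src=10.0.9.77 dst=10.0.1.10 dport=4840 event=handshake_error reason=bad_certificate
2022-06-14T10:00:31Z fw01 tls src=10.0.9.77 dst=10.0.1.11 dport=443 event=handshake_error reason=bad_certificate
2022-06-14T10:01:02Z fw01 tls src=10.0.5.23 dst=10.0.1.10 dport=4840 event=connect_timeout
2022-06-14T10:01:40Z fw01 tls src=10.0.5.24 dst=10.0.1.10 dport=4840 event=connect_timeout
2022-06-14T10:03:00Z fw01 tls src=10.0.5.23 dst=10.0.1.12 dport=443 event=handshake_error reason=expired_certificate
2022-06-14T10:09:00Z fw01 tls src=10.0.5.23 dst=10.0.1.12 dport=443 event=connect_timeout
"""


def parse_line(line):
    """Split one constructed log line into a dict with a tz-aware 'ts'."""
    ts_text, _sensor, _kind, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect(lines):
    """Return a list of alert dicts; each (rule, subject) pair fires at most once."""
    alerts, fired = [], set()
    errors_by_src = defaultdict(deque)    # sliding window of cert-error times per source
    last_error_by_dst = {}                # most recent cert error seen per target
    timeouts_by_dst = defaultdict(list)   # timeouts to a target inside the hang window
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        ts, event = rec["ts"], rec["event"]
        if event == "handshake_error" and rec.get("reason", "").endswith("certificate"):
            src, dst = rec["src"], rec["dst"]
            window = errors_by_src[src]
            window.append(ts)
            while (ts - window[0]).total_seconds() > BURST_WINDOW_S:
                window.popleft()          # drop errors older than the burst window
            if len(window) >= BURST_COUNT and ("cert_error_burst", src) not in fired:
                fired.add(("cert_error_burst", src))
                alerts.append({"rule": "cert_error_burst", "subject": src,
                               "at": ts.isoformat(), "count": len(window)})
            last_error_by_dst[dst] = ts
            timeouts_by_dst[dst] = []     # a new error restarts the hang window
        elif event == "connect_timeout":
            dst = rec["dst"]
            err_ts = last_error_by_dst.get(dst)
            if err_ts is None or (ts - err_ts).total_seconds() > HANG_WINDOW_S:
                continue                  # timeout not preceded by a recent cert error
            timeouts_by_dst[dst].append(ts)
            if len(timeouts_by_dst[dst]) >= HANG_COUNT and ("possible_tls_hang", dst) not in fired:
                fired.add(("possible_tls_hang", dst))
                alerts.append({"rule": "possible_tls_hang", "subject": dst,
                               "at": ts.isoformat(),
                               "since_error_s": int((ts - err_ts).total_seconds())})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

The hang rule is the one worth tuning: it fires only when timeouts follow a certificate error to the same target within the window, so ordinary expired-certificate noise from a single client (10.0.1.12 in the sample) does not page anyone, while a controller that goes silent right after receiving a malformed certificate does.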