Libcurl Vulnerabilities in Industrial Devices
Plan Patch | CVSS 8.1 | SSA-732250 | May 10, 2022
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
Vulnerabilities in the third-party libcurl component embedded in Siemens industrial networking and remote access products could allow an attacker to interfere with affected devices through improper memory handling (CWE-416, CWE-706). The vulnerabilities exist in communication and gateway devices across multiple product lines, including SIMATIC CP modules, SIMATIC RTU units, SCALANCE routers, and SINEMA Remote Connect Client. Affected products are devices that perform network communications and may handle untrusted network data.
What this means
What could happen
An attacker with network access could send malicious data to exploit libcurl flaws, potentially achieving remote code execution on industrial communication gateways and remote access clients. This could allow an attacker to read process data, modify control commands, or disrupt communication between industrial devices and control systems.
Who's at risk
Manufacturing facilities and transportation systems using Siemens industrial communication infrastructure should prioritize this update. Specifically: facility managers operating SIMATIC S7-1200 and S7-1500 systems with CP 1242/1243/1543/1545 communication modules; pipeline and water utilities using SIMATIC RTU telemetry units; utilities and industrial sites deploying SCALANCE industrial routers and gateways for remote access; and organizations using SINEMA Remote Connect Client for remote engineering or diagnostic access to industrial networks.
How it could be exploited
An attacker sends a crafted network packet to the affected device's communication port. The vulnerable libcurl library processes the malicious input without proper bounds checking or memory validation, triggering a use-after-free or out-of-bounds memory condition. The attacker gains the ability to execute arbitrary code with the privileges of the affected service, which typically runs with system or process-control permissions.
Prerequisites
- Network access to the affected device's communication port (typically HTTP/HTTPS or device-specific protocols)
- Device must be configured to accept network connections (default for most CP and SCALANCE models)
- No authentication required for exploitation of the libcurl parsing stage
- Remotely exploitable over network
- High CVSS score (8.1)
- Affects industrial communication gateways critical to plant operation
- Default configurations expose the vulnerability
- No patch available for LOGO! CMR products
- Memory safety vulnerability allows code execution
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (34)
33 with fix, 1 pending

| Product | Affected Versions | Fix Status |
|---|---|---|
| SIMATIC CP 1242-7 V2 | < V3.3.46 | 3.3.46 |
| SIMATIC CP 1243-1 | < V3.3.46 | 3.3.46 |
| SIMATIC CP 1243-7 LTE EU | < V3.3.46 | 3.3.46 |
| SIMATIC CP 1243-7 LTE US | < V3.3.46 | 3.3.46 |
| SIMATIC CP 1243-8 IRC | < V3.3.46 | 3.3.46 |
Remediation & Mitigation
Do now
LOGO! CMR family
HARDENING: For LOGO! CMR family (all versions): Implement network segmentation to restrict unauthorized access to the device; isolate LOGO! devices on a dedicated VLAN with firewall rules limiting inbound connections to only authorized engineering workstations and control systems
All products
HARDENING: Implement firewall rules to restrict inbound network traffic to CP modules, SCALANCE routers, and RTU devices to only authorized subnets and required communication ports; deny or rate-limit unexpected protocol headers
WORKAROUND: Disable unnecessary services and network protocols on affected devices if not required for operations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC CP 1242-7 V2
HOTFIX: Update SIMATIC CP 1242-7 V2 to firmware version 3.3.46 or later
SIMATIC CP 1243-1
HOTFIX: Update SIMATIC CP 1243-1 to firmware version 3.3.46 or later
SIMATIC CP 1243-7 LTE EU
HOTFIX: Update SIMATIC CP 1243-7 LTE EU/US and CP 1243-8 IRC to firmware version 3.3.46 or later
SIMATIC CP 1543-1
HOTFIX: Update SIMATIC CP 1543-1 to firmware version 3.0.22 or later
SIMATIC CP 1545-1
HOTFIX: Update SIMATIC CP 1545-1 to firmware version 1.1 or later
SCALANCE M804PB
HOTFIX: Update SCALANCE M804PB and M8xx/M87x/MUM856 router models to firmware version 7.1 or later
SCALANCE S615
HOTFIX: Update SCALANCE S615 to firmware version 7.1 or later
SIMATIC RTU3010C
HOTFIX: Update SIMATIC RTU3010C, RTU3030C, RTU3031C, RTU3041C to firmware version 5.0.14 or later
SINEMA Remote Connect Client
HOTFIX: Update SINEMA Remote Connect Client to version 3.1 or later
All products
HOTFIX: Update SIPLUS NET CP modules to corresponding fixed versions (3.3.46 or 3.0.22)
HOTFIX: Update SIPLUS S7-1200 CP 1243 variants to firmware version 3.3.46 or later
HOTFIX: Update RUGGEDCOM RM1224 LTE models to firmware version 7.1 or later
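An inventory check against some of the fixed versions listed above, as an added example (not code from Siemens or from this advisory page); the device names, inventory layout and function names are assumptions. Versions are compared numerically, because a plain string comparison would rank 3.3.5 above 3.3.46 and report an unpatched module as fixed.

```python
import re

# Fixed versions from the remediation list above; None = no fix listed (mitigate).
FIXED = {
    "SIMATIC CP 1243-1": "3.3.46",
    "SIMATIC CP 1543-1": "3.0.22",
    "SIMATIC CP 1545-1": "1.1",
    "SCALANCE S615": "7.1",
    "LOGO! CMR family": None,
}

def parse_version(text):
    """Turn 'V3.3.46', '3.3.46' or 'v7.1.0' into a tuple of ints."""
    m = re.fullmatch(r"[Vv]?\s*(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_older(installed, fixed):
    """Numeric compare, padding the shorter version with zeros (1.1 == 1.1.0)."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))

def assess(product, installed):
    """Return 'UPDATE', 'OK', 'MITIGATE' (no fix listed) or 'UNKNOWN'."""
    if product not in FIXED:
        return "UNKNOWN"
    fixed = FIXED[product]
    if fixed is None:
        return "MITIGATE"
    try:
        return "UPDATE" if is_older(installed, fixed) else "OK"
    except ValueError:
        return "UNKNOWN"

# Constructed sample inventory (device names and versions are made up).
INVENTORY = [
    ("cp-line1", "SIMATIC CP 1243-1", "V3.3.5"),
    ("cp-line2", "SIMATIC CP 1543-1", "3.0.22"),
    ("rtr-edge", "SCALANCE S615", "V6.10"),
    ("cmr-pump", "LOGO! CMR family", "2.1"),
]

def audit(inventory):
    return {name: assess(product, ver) for name, product, ver in inventory}

if __name__ == "__main__":
    print(audit(INVENTORY))
```

Devices reported as MITIGATE or UNKNOWN need the segmentation and firewall measures from the "Do now" list rather than a firmware update.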
CVEs (2)