OTPulse

Vulnerabilities in Third-Party Component Mbed TLS of LOGO! CMR Family and SIMATIC RTU 3000 Family

Plan Patch · 7.5 · SSA-756638 · Sep 14, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens LOGO! CMR and SIMATIC RTU 3000 family devices contain vulnerabilities in the Mbed TLS third-party component. These vulnerabilities stem from improper buffer length checking (CWE-131) and inadequate certificate validation (CWE-295). An attacker with network access to an affected device can trigger a denial-of-service condition or bypass certificate validation to establish encrypted connections with invalid certificates. This allows potential interception or manipulation of encrypted communications and disruption of device availability.

What this means
What could happen
An attacker with network access to these devices could cause a denial-of-service condition or establish encrypted connections using invalid certificates, potentially allowing man-in-the-middle attacks or disruptive protocol manipulation.
Who's at risk
Operators of Siemens LOGO! CMR2020 and CMR2040 logic modules and SIMATIC RTU3010C, RTU3030C, RTU3031C, and RTU3041C remote terminal units used in utility automation and process control environments should update immediately. These devices are commonly deployed in water and electric utilities for remote monitoring and control.
How it could be exploited
An attacker on the network sends crafted TLS handshake packets or malformed certificate data to the device's network interface. Due to the Mbed TLS vulnerabilities (improper bounds checking and certificate validation bypass), the device either crashes (availability impact) or accepts invalid certificates, enabling the attacker to intercept or manipulate encrypted communications without detection.
Prerequisites
  • Network access to the device's Ethernet or communication interface
  • No authentication required to trigger the vulnerability
Tags: remotely exploitable · no authentication required · low complexity · affects availability · certificate validation bypass enables man-in-the-middle attacks
Exploitability
Low exploit probability (EPSS 1.0%)
Affected products (6)
6 with fix
Product             Affected Versions   Fix Status
LOGO! CMR2020       < V2.2              Fixed in V2.2
LOGO! CMR2040       < V2.2              Fixed in V2.2
SIMATIC RTU3010C    < V5.0.14           Fixed in V5.0.14
SIMATIC RTU3030C    < V5.0.14           Fixed in V5.0.14
SIMATIC RTU3031C    < V5.0.14           Fixed in V5.0.14
SIMATIC RTU3041C    < V5.0.14           Fixed in V5.0.14
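To act on the table above, here is an added example (not OTPulse or Siemens code) that checks an asset inventory against the first fixed firmware for each listed product; the product names and fix versions (V2.2 for LOGO! CMR, V5.0.14 for the RTU3000 family) are taken from this advisory, while the asset names and installed firmware values are constructed sample data.

```python
import re

# Product -> first fixed firmware version, as stated in this advisory.
FIXED_VERSIONS = {
    "LOGO! CMR2020": "V2.2",
    "LOGO! CMR2040": "V2.2",
    "SIMATIC RTU3010C": "V5.0.14",
    "SIMATIC RTU3030C": "V5.0.14",
    "SIMATIC RTU3031C": "V5.0.14",
    "SIMATIC RTU3041C": "V5.0.14",
}


def parse_version(text):
    """Turn 'V2.22.2' or '5.0.14' into a tuple of ints.
    String comparison would wrongly rank '5.0.9' above '5.0.14'."""
    m = re.fullmatch(r"\s*V?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def version_lt(installed, fixed):
    """Numeric 'installed < fixed', padding short tuples with zeros
    so that V2.2 and V2.2.0 compare as equal."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def is_affected(product, firmware):
    """True if the product is listed here and runs firmware below the fix."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return False  # product not covered by this advisory
    return version_lt(firmware, fixed)


def assess_inventory(inventory):
    """Return [(asset, product, firmware, affected)] for every asset."""
    return [(a["name"], a["product"], a["firmware"],
             is_affected(a["product"], a["firmware"])) for a in inventory]


# Constructed sample inventory: names, firmware values and the unlisted
# device are made up for illustration.
SAMPLE_INVENTORY = [
    {"name": "pump-station-3", "product": "LOGO! CMR2020", "firmware": "V2.1"},
    {"name": "substation-a", "product": "SIMATIC RTU3030C", "firmware": "V5.0.9"},
    {"name": "substation-b", "product": "SIMATIC RTU3041C", "firmware": "V5.0.14"},
    {"name": "gateway-7", "product": "EXAMPLE-UNLISTED-DEVICE", "firmware": "V1.0"},
]

if __name__ == "__main__":
    for name, product, fw, hit in assess_inventory(SAMPLE_INVENTORY):
        print(f"{name:16} {product:24} {fw:8} {'AFFECTED' if hit else 'ok'}")
```

Feed it your own inventory export in the same shape; anything flagged AFFECTED belongs on the "Schedule" list below.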
Remediation & Mitigation
Do now
WORKAROUND: If immediate patching is not possible, restrict network access to the affected devices using firewall rules or network segmentation to limit exposure to untrusted network segments.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

LOGO! CMR2020
HOTFIX: Update LOGO! CMR2020 and CMR2040 to firmware version 2.2 or later.
SIMATIC RTU3010C
HOTFIX: Update SIMATIC RTU3010C, RTU3030C, RTU3031C, and RTU3041C to firmware version 5.0.14 or later.