OTPulse

OpenSSL Vulnerabilities in Industrial Products

Monitor · Score 5.9 · SSA-772220 · Jul 13, 2021
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

OpenSSL versions 1.1.1 prior to 1.1.1k contain a vulnerability that allows an unauthenticated attacker to trigger a denial-of-service condition by sending a specially crafted renegotiation message. Siemens has embedded this vulnerable OpenSSL version in numerous products across its automation portfolio, including S7-1200 and S7-1500 PLCs, PCS 7 SCADA systems, SCALANCE industrial networking equipment, SIMATIC communication modules, HMI panels, radio frequency identification (RFID) readers, and other control system devices. An attacker with network access to the affected device's secure communication interface can exploit this vulnerability to crash the device, disrupting process operations until manual intervention restarts it.

What this means
What could happen
An attacker can send a specially crafted message to trigger a denial-of-service (DoS) attack on affected Siemens controllers and network devices, causing them to crash and interrupting process operations until they are manually restarted.
Who's at risk
Manufacturing and transportation organizations using Siemens industrial controllers, communication modules, network devices (SCALANCE), and human-machine interfaces. This broadly affects process control (PLC/CPU models), fieldbus gateways, industrial Ethernet switches and routers, radio frequency readers, engineering workstations, and SCADA runtime environments.
How it could be exploited
An attacker with network access to the device's OpenSSL communication port (typically HTTPS or secure OPC UA) sends a malicious renegotiation message. The vulnerable OpenSSL library fails to handle the message correctly and crashes the affected device. No authentication or user interaction is required.
Prerequisites
  • Network access to the affected device's secure communication port (HTTPS, OPC UA, or equivalent)
  • Device running a vulnerable OpenSSL version (1.1.1 up to, but not including, 1.1.1k)
  • Remotely exploitable
  • No authentication required
  • Low attack complexity
  • High impact on availability (DoS)
  • Affects core process control systems
  • Wide range of affected products across critical infrastructure
  • No patch available for some legacy products
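The second prerequisite is a version-range check, and asset owners usually have to apply it across many device records at once. The following is an added example (not OTPulse or Siemens code) that parses OpenSSL version banners, tests them against the 1.1.1 ≤ v < 1.1.1k range stated above, and triages a constructed inventory; the device names and banners are made up for illustration.

```python
import re

# Vulnerable range from the advisory: OpenSSL 1.1.1 up to but not including 1.1.1k.
FIRST_AFFECTED = "1.1.1"
FIRST_FIXED = "1.1.1k"

# Matches "1.1.1j" inside a banner such as "OpenSSL 1.1.1j  16 Feb 2021";
# the date part never has three dot-separated numbers, so it is not picked up.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(text):
    """Return (major, minor, fix, patch_letters) from a version string or
    'openssl version' banner, or None when no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, fix, letters = m.groups()
    return (int(major), int(minor), int(fix), letters)


def is_affected(text):
    """True when the version lies in [1.1.1, 1.1.1k), False when outside the
    advisory's range, None when the banner could not be parsed. Tuple comparison
    does the work: the bare release ('') sorts before 'a', and single letters
    sort in release order, which is how OpenSSL 1.1.1 patch releases are named."""
    v = parse_openssl_version(text)
    if v is None:
        return None
    return parse_openssl_version(FIRST_AFFECTED) <= v < parse_openssl_version(FIRST_FIXED)


# Constructed sample inventory (hypothetical devices): label -> reported banner.
SAMPLE_INVENTORY = {
    "plc-line1 (S7-1200, HTTPS)": "OpenSSL 1.1.1j  16 Feb 2021",
    "hmi-panel-3 (Comfort Panel)": "OpenSSL 1.1.1k  25 Mar 2021",
    "scalance-sw-7 (XC-200)": "OpenSSL 1.0.2u  20 Dec 2019",  # outside this advisory's range
    "opcua-gw-2": "no banner returned",
}


def triage(inventory):
    """Split an inventory into (affected, not_affected, unknown) device lists so
    that unparseable records are surfaced for manual follow-up, not silently dropped."""
    affected, clear, unknown = [], [], []
    for device, banner in inventory.items():
        result = is_affected(banner)
        if result is None:
            unknown.append(device)
        elif result:
            affected.append(device)
        else:
            clear.append(device)
    return affected, clear, unknown
```

The check covers only the range this advisory names; a device outside it (such as the 1.0.2 line in the sample) still needs to be assessed against its own advisories.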
Exploitability
Moderate exploit probability (EPSS 8.4%)
Affected products (94)
87 with fix · 7 pending

Product                              Affected Versions   Fix Status
SIMATIC MV550 S (6GF3550-0CD10)      <V3.13.1
SIMATIC MV560 U (6GF3560-0LE10)      <V3.13.1
SIMATIC MV560 X (6GF3560-0HE10)      <V3.13.1
SIMATIC PCS 7 TeleControl            <V9.19.1
SIMATIC PCS neo                      <V3.13.1
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC PCS 7 TeleControl
HOTFIX: Update SIMATIC PCS 7 TeleControl to V9.1 or later
SIMATIC PCS neo
HOTFIX: Update SIMATIC PCS neo to V3.1 or later
SIMATIC PDM
HOTFIX: Update SIMATIC PDM to V9.2 SP1 or later
RUGGEDCOM CROSSBOW Station Access Controller (SAC)
HOTFIX: Update RUGGEDCOM CROSSBOW Station Access Controller (SAC) to V5.3 or later
SIMATIC Logon V1.6
HOTFIX: Update SIMATIC Logon V1.6 to Update 5 or later
SIMATIC WinCC Runtime Advanced
HOTFIX: Update SIMATIC WinCC Runtime Advanced to V17 Update 1 or later
SIMATIC WinCC TeleControl
HOTFIX: Update SIMATIC WinCC TeleControl to V7.5 or later
SINEC NMS
HOTFIX: Update SINEC NMS to V1.0 SP2 or later
SINEMA Server
HOTFIX: Update SINEMA Server to V14 SP3 or later
SINUMERIK OPC UA Server
HOTFIX: Update SINUMERIK OPC UA Server to V3.1 SP1 or later
TIA Administrator
HOTFIX: Update TIA Administrator to V1.0 SP4 or later
TIM 1531 IRC
HOTFIX: Update TIM 1531 IRC to V2.2 or later
All products
HOTFIX: Update SIMATIC S7-1200 CPU family to firmware V4.5.2 or later
HOTFIX: Update SIMATIC S7-1500 CPU 1518-4 PN/DP MFP family to firmware V2.9.3 or later
HOTFIX: Update SIMATIC MV-series controllers (MV540, MV550, MV560) to firmware V3.1 or later
HOTFIX: Update SIMATIC RF-series readers (RF166C, RF185C, RF186C, RF188C, RF360R, RF610R, RF615R, RF650R, RF680R, RF685R) to firmware V2.0 or V4.0 as applicable
HOTFIX: Update RUGGEDCOM RM1224 LTE models to V7.1 or later
HOTFIX: Update SCALANCE routers and switches (LPE9403, M804PB, M812-1, M816-1, M826-2, M874 series, M876 series, S615, SC622-2C, SC632-2C, SC636-2C, SC642-2C, SC646-2C, W1748-1, W1788 series, XB-200, XC-200, XF-200BA, XM-400, XP-200, XR-300WG, XR-500) to firmware V7.1, V4.3, V6.4, V3.0, or V2.1.4 as applicable
HOTFIX: Update SIMATIC Cloud Connect 7 (CC712, CC716) to V1.6 or later
HOTFIX: Update SIMATIC CP (communication modules) to the appropriate fixed versions: CP 1242-7 V2 to V3.3.46, CP 1243 series to V3.3.46, CP 1542SP-1 IRC to V2.2.28, CP 1543-1 to V3.0, CP 1545-1 to V1.1
HOTFIX: Update SIMATIC HMI Comfort Panels, Comfort Outdoor Panels, and KTP Mobile Panels to V17.0 Upd 2 or later
Long-term hardening
SIMATIC Process Historian OPC UA Server
HARDENING: For products with no fix available (SIMATIC Process Historian OPC UA Server, SCALANCE S602/S612/S623/S627-2M, SCALANCE W-700, SINAMICS Connect 300): implement network segmentation to restrict access to the device, monitor for unexpected disconnections, and establish procedures to quickly recover from crashes