OTPulse

Direct Memory Access Vulnerabilities in SIMATIC CP Devices

Priority: Monitor
CVSS score: 6.7
Advisory: SSA-784849
Published: Oct 10, 2023
Attack Vector: Local
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

Several SIMATIC CP communications processor devices (CP 1604, CP 1616, CP 1623, CP 1626, CP 1628) contain direct memory access vulnerabilities that could allow an attacker with administrative privileges to execute code, bypass network access controls, or perform denial-of-service attacks on PROFINET communication. Siemens has not released firmware updates to address these vulnerabilities. The vulnerability requires high-level privileges and local or management interface access to exploit.

What this means
What could happen
An attacker with local administrative access to a SIMATIC CP communications module could exploit direct memory access to execute arbitrary code, bypass network security controls, or disrupt PROFINET communication to your plant network.
Who's at risk
This affects SIMATIC CP (Communications Processor) modules in your Siemens PROFINET gateways and industrial automation controllers, which are critical for network communication and data flow between automation devices. Organizations using Siemens automation systems for water distribution, wastewater treatment, electric generation, or other process control should assess if these modules are in use.
How it could be exploited
An attacker with high-level privileges on the engineering workstation or control system that hosts the CP device could exploit direct memory access vulnerabilities to write malicious code directly into device memory, gaining execution capability or modifying PROFINET network traffic policies. This requires interactive access to the device or its host system.
Prerequisites
  • High-privilege (administrative/engineering) access to the SIMATIC CP device or its host system
  • Local physical or remote management interface access (not exposed to untrusted networks if properly configured)
  • Knowledge of CP device memory layout
  • Requires high-level credentials to exploit
  • No vendor patch available
  • Local attack vector only
  • Affects network gateway devices
Exploitability
Low exploit probability (EPSS 0.0%)
Affected products (5)
All 5 affected products are End of Life (EOL).

Product                               Affected Versions   Fix Status
SIMATIC CP 1604 (6GK1160-4AA01)       All versions        No fix (EOL)
SIMATIC CP 1616 (6GK1161-6AA02)       All versions        No fix (EOL)
SIMATIC CP 1623 (6GK1162-3AA00)       All versions        No fix (EOL)
SIMATIC CP 1628 (6GK1162-8AA00)       All versions        No fix (EOL)
SIMATIC CP 1626 (6GK1162-6AA01)       All versions        No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Apply network segmentation and firewall rules to restrict direct access to SIMATIC CP devices to authorized engineering workstations only.
WORKAROUND: Disable or restrict remote management and direct memory access interfaces to SIMATIC CP devices if not actively used for operations.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: Implement physical or logical access controls to limit who can connect engineering tools to the CP device.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC CP 1604 (6GK1160-4AA01), SIMATIC CP 1616 (6GK1161-6AA02), SIMATIC CP 1623 (6GK1162-3AA00), SIMATIC CP 1628 (6GK1162-8AA00), SIMATIC CP 1626 (6GK1162-6AA01). Apply the following compensating controls:
HARDENING: Follow the Siemens operational security guidelines (https://www.siemens.com/cert/operational-guidelines-industrial-security) for a Protected IT environment configuration.