OTPulse

Multiple LLDP Vulnerabilities in Industrial Products

Act Now | CVSS 9.8 | SSA-941426 | Jul 13, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities exist in a third-party Link Layer Discovery Protocol (LLDP) library used by Siemens industrial control and HMI products. The vulnerabilities are related to CWE-120 (buffer copy without checking size of input) and CWE-400 (uncontrolled resource consumption). These affect communication processors, HMI panels, and networking modules across the SIMATIC, SIPLUS, and SINUMERIK product lines. Siemens has released firmware updates for all affected products addressing these vulnerabilities.

What this means
What could happen
An attacker on your network could send specially crafted LLDP packets to networking modules or communication processors, causing a buffer overflow or denial of service that could disrupt plant operations or allow remote code execution on critical control equipment.
Who's at risk
Manufacturing and transportation organizations using Siemens industrial control and HMI equipment are affected. Specifically: Siemens CP (communication processor) modules used in S7-1200 and S7-1500 systems, SIPLUS hardened variants of CP and networking modules, HMI panels (Unified Comfort Panels), CNC controllers (SINUMERIK ONE MCP), and industrial terminals (TIM 1531 IRC). Any facility relying on these devices for process control, manufacturing execution, or plant networking is at risk.
How it could be exploited
An attacker with network access to your industrial devices (PLCs, HMIs, networking modules) sends malformed LLDP discovery packets. The vulnerable LLDP library processes these packets without proper bounds checking, triggering a buffer overflow or resource exhaustion. This could allow code execution on the device or cause it to crash and stop responding to control commands.
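The bounds checking referred to above, shown as an added example: a validator that walks an LLDPDU's TLVs and rejects any whose declared length does not fit the frame. This is not code from Siemens or the affected third-party library and does not reproduce the specific flaws; the TLV layout follows IEEE 802.1AB, and the function, status names and sample frames are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Status names are this example's own, not from any LLDP library. */
enum lldp_status { LLDP_OK, LLDP_TRUNCATED, LLDP_BAD_ORDER, LLDP_BAD_LENGTH, LLDP_MISSING };

/* Walk the TLVs of an LLDPDU (the bytes after EtherType 0x88CC). Each TLV has
 * a 16-bit header: 7-bit type, 9-bit length. Every declared length is checked
 * against the bytes actually left in the frame before the value is skipped. */
enum lldp_status lldp_validate(const uint8_t *pdu, size_t len)
{
    size_t off = 0;
    unsigned index = 0;                 /* position of the current TLV */
    while (len - off >= 2) {
        unsigned type = pdu[off] >> 1;
        size_t tlv_len = ((size_t)(pdu[off] & 0x01) << 8) | pdu[off + 1];
        off += 2;
        if (tlv_len > len - off)
            return LLDP_TRUNCATED;      /* length field overruns the frame */
        /* Chassis ID (1), Port ID (2), TTL (3) come first, once each. */
        if ((index < 3) ? (type != index + 1) : (type >= 1 && type <= 3))
            return LLDP_BAD_ORDER;
        /* Chassis/Port ID: 1 subtype byte + 1..255 ID bytes. TTL: 2 bytes. */
        if ((type == 1 || type == 2) && (tlv_len < 2 || tlv_len > 256))
            return LLDP_BAD_LENGTH;
        if (type == 3 && tlv_len < 2)
            return LLDP_BAD_LENGTH;
        if (type == 0)                  /* End of LLDPDU carries no value */
            return tlv_len == 0 ? LLDP_OK : LLDP_BAD_LENGTH;
        off += tlv_len;
        index++;
    }
    if (off != len) return LLDP_TRUNCATED;  /* stray byte, no room for a header */
    return index >= 3 ? LLDP_OK : LLDP_MISSING;
}

/* Constructed samples: a well-formed LLDPDU, and the same bytes with the
 * Port ID length field changed so it no longer fits the frame. */
static const uint8_t sample_ok[] = { 0x02,0x07,0x04,0x02,0x00,0x00,0x00,0x00,0x01,
    0x04,0x02,0x07,0x31, 0x06,0x02,0x00,0x78, 0x00,0x00 };
static const uint8_t sample_bad[] = { 0x02,0x07,0x04,0x02,0x00,0x00,0x00,0x00,0x01,
    0x05,0xFF,0x07,0x31, 0x06,0x02,0x00,0x78, 0x00,0x00 };
int main(void)
{
    printf("ok=%d bad=%d\n", lldp_validate(sample_ok, sizeof sample_ok),
           lldp_validate(sample_bad, sizeof sample_bad));
    return 0;
}
```

A passive sensor on a mirrored port could apply the same walk to log frames that fail validation.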
Prerequisites
  • Network access to the device or network segment where the affected communication processor or HMI resides
  • Ability to send Layer 2 LLDP frames on the local network, or Layer 3 access to the device's management interface
  • No authentication required to trigger the vulnerability
remotely exploitable · no authentication required · low complexity · high CVSS score (9.8) · affects critical control system components · buffer overflow and resource exhaustion vulnerabilities
Exploitability
Moderate exploit probability (EPSS 4.2%)
Affected products (17)
17 with fix
Product | Affected Versions | Fix Status
SIMATIC CP 1545-1 | < V1.1 | 1.1
SIMATIC HMI Unified Comfort Panels | < V17 | 17
SINUMERIK ONE MCP | < V2.0.1 | 2.0.1
SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL | < V2.2.28 | 2.2.28
SIPLUS ET 200SP CP 1543SP-1 ISEC | < V2.2.28 | 2.2.28
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation and firewall rules to restrict LLDP traffic (UDP port 3702 and multicast LLDP frames) to trusted management networks only
WORKAROUND: Disable LLDP on devices that do not require automatic neighbor discovery, if the device firmware supports this feature
Schedule (requires maintenance window)

Patching may require a device reboot; plan for process interruption.

SIMATIC CP 1545-1
HOTFIX: Update SIMATIC CP 1545-1 to firmware version 1.1 or later
SIMATIC HMI Unified Comfort Panels
HOTFIX: Update SIMATIC HMI Unified Comfort Panels to version 17 or later
SINUMERIK ONE MCP
HOTFIX: Update SINUMERIK ONE MCP to version 2.0.1 or later
SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL
HOTFIX: Update SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL to version 2.2.28 or later
SIPLUS ET 200SP CP 1543SP-1 ISEC
HOTFIX: Update SIPLUS ET 200SP CP 1543SP-1 ISEC and ISEC TX RAIL to version 2.2.28 or later
SIPLUS NET CP 1543-1
HOTFIX: Update SIPLUS NET CP 1543-1 to version 3.0 or later
SIPLUS S7-1200 CP 1243-1
HOTFIX: Update SIPLUS S7-1200 CP 1243-1 and CP 1243-1 RAIL to version 3.3.46 or later
SIPLUS TIM 1531 IRC
HOTFIX: Update SIPLUS TIM 1531 IRC and TIM 1531 IRC to version 2.2 or later
SIMATIC CP 1243-1
HOTFIX: Update SIMATIC CP 1243-1 and CP 1243-8 IRC to version 3.3.46 or later
SIMATIC CP 1542SP-1
HOTFIX: Update SIMATIC CP 1542SP-1 and CP 1542SP-1 IRC to version 2.2.28 or later
SIMATIC CP 1543-1
HOTFIX: Update SIMATIC CP 1543-1 to version 3.0 or later
SIMATIC CP 1543SP-1
HOTFIX: Update SIMATIC CP 1543SP-1 to version 2.2.28 or later