Denial of Service Vulnerability over SNMP in Multiple Industrial Products
Priority: Act Now
Score: 7.5
Advisory: SSA-978220
Published: Feb 11, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A denial of service vulnerability exists in multiple Siemens industrial communication modules and network switches due to insufficient input validation in SNMP packet processing. An attacker can send specially crafted packets to UDP port 161 to cause the device to crash. Affected products include SCALANCE network switches (S602, S612, S623, S627-2M), SIMATIC CP communication processors (CP 443-1 variants, CP 1623, CP 1626, CP 1628, CP 343-1 variants), TIM modules, and IE/PB link converters. For many products, no firmware fix is available from Siemens.
What this means
What could happen
An attacker on the network can send specially crafted SNMP packets to port 161 to crash industrial communication modules and switches, interrupting data flow between your control systems and field devices until the equipment restarts.
Who's at risk
Manufacturing facilities using Siemens SCALANCE switches, SIMATIC communication processors (CP 443, CP 1623, CP 1626, CP 1628), TIM modules, and IE/PB PN IO converters for industrial Ethernet networks. This includes any facility where these modules connect PLCs, field devices, or process control systems.
How it could be exploited
An attacker sends a malformed SNMP packet to UDP port 161 on any vulnerable network interface module or switch. The device fails to validate the packet structure, crashes, and becomes unavailable. No authentication is required.
Prerequisites
- Network access to UDP port 161 on the affected device
- Device must have SNMP service enabled (typically enabled by default)
- Device is reachable from the attacker's network segment
- Remotely exploitable
- No authentication required
- Low complexity attack
- High EPSS score (17.8%)
- No patch available for multiple product lines (SCALANCE S, CP 343, CP 1623, CP 1628, CP 443-1 OPC UA, and others)
Exploitability
High exploit probability (EPSS 17.8%)
Affected products (18)
12 with fix, 6 EOL
Product                             Affected Versions                          Fix Status
SIMATIC CP 1623 (6GK1162-3AA00)     All versions < V14.00.15.00 51.25.00.01    14.00.15.00_51.25.00.01
SCALANCE S623                       < V4.1                                     No fix (EOL)
IE/PB link PN IO (6GK1411-5AB10)    < V4.0.1                                   4.0.1
SIMATIC CP 1626 (6GK1162-6AA01)     < V1.1.1                                   1.1.1
SIMATIC CP 443-1                    < V3.3                                     3.3
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to UDP port 161 on affected devices using firewall rules to only allow authorized monitoring stations
WORKAROUND: Disable SNMP service on affected devices if monitoring is not required
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
IE/PB link PN IO (6GK1411-5AB10)
HOTFIX: Update IE/PB link PN IO (6GK1411-5AB10) to firmware version 4.0.1 or later
SIMATIC CP 1626 (6GK1162-6AA01)
HOTFIX: Update SIMATIC CP 1626 (6GK1162-6AA01) to firmware version 1.1.1 or later
SIMATIC CP 443-1
HOTFIX: Update SIMATIC CP 443-1 to firmware version 3.3 or later
HOTFIX: Update SIMATIC CP 443-1 Advanced to firmware version 3.3 or later
SIPLUS NET CP 443-1
HOTFIX: Update SIPLUS NET CP 443-1 to firmware version 3.3 or later
HOTFIX: Update SIPLUS NET CP 443-1 Advanced to firmware version 3.3 or later
SIPLUS NET IE/PB link PN IO
HOTFIX: Update SIPLUS NET IE/PB link PN IO to firmware version 4.0.1 or later
SIPLUS TIM 1531 IRC
HOTFIX: Update SIPLUS TIM 1531 IRC to firmware version 2.0 or later
TIM 1531 IRC
HOTFIX: Update TIM 1531 IRC to firmware version 2.0 or later
All products
HOTFIX: Contact Siemens Support to obtain update to SCALANCE S series (S602, S612, S623, S627-2M) firmware version 4.1 or later
HOTFIX: Update SIMATIC CP 1623 and CP 1628 to SIMATIC NET PC Software V14 Update 14 or later, or SIMATIC NET PC Software V16 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SCALANCE S623, SCALANCE S602, SCALANCE S612, SCALANCE S627-2M, SIMATIC CP 343-1 Advanced, SIPLUS NET CP 343-1 Advanced. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate industrial communication modules and switches from untrusted network segments
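As an added example (not part of this advisory and not Siemens tooling), the following Python script checks a device inventory against the fixed firmware versions listed in the table and remediation steps above, so that each device is sorted into "update", "not affected" or "no fix, apply compensating controls". The inventory, hostnames and verdict strings are constructed assumptions; the product-to-version mapping is transcribed from this page.

```python
import re

# Fixed firmware per product, transcribed from the advisory's table and
# remediation list: (fixed version, or None if none is listed; EOL flag).
ADVISORY = {
    "SIMATIC CP 1623": ("14.00.15.00_51.25.00.01", False),
    "SIMATIC CP 1626": ("1.1.1", False),
    "SIMATIC CP 443-1": ("3.3", False),
    "IE/PB link PN IO": ("4.0.1", False),
    "TIM 1531 IRC": ("2.0", False),
    "SCALANCE S623": ("4.1", True),  # table lists "< V4.1" but "No fix (EOL)"
    "SIMATIC CP 343-1 Advanced": (None, True),
}

def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'V4.0.1' or '14.00.15.00_51.25.00.01' into a tuple of ints."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)

def version_lt(installed: str, fixed: str) -> bool:
    """True if installed is older than fixed; missing trailing fields count as 0."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def assess(product: str, firmware: str) -> str:
    """Verdict for one device: not listed, not affected, needs update, or no fix."""
    if product not in ADVISORY:
        return "not listed in SSA-978220"
    fixed, eol = ADVISORY[product]
    if fixed is not None and not version_lt(firmware, fixed):
        return "not affected"
    if fixed is None or eol:
        return "vulnerable, no fix (EOL): isolate and restrict UDP/161"
    return f"vulnerable: update to {fixed} or later"

# Constructed sample inventory (hostname, product, installed firmware).
INVENTORY = [
    ("cp-cell1", "SIMATIC CP 443-1", "V3.2"),
    ("pb-link-1", "IE/PB link PN IO", "V4.0.0"),
    ("scalance-s", "SCALANCE S623", "V4.0"),
    ("tim-remote", "TIM 1531 IRC", "V2.1"),
    ("cp-legacy", "SIMATIC CP 343-1 Advanced", "V3.0"),
]

def report(inventory=INVENTORY) -> dict[str, str]:
    # Map each hostname to its verdict; feed real inventory data in practice.
    return {host: assess(prod, fw) for host, prod, fw in inventory}
```

Products whose fix ships as SIMATIC NET PC Software (CP 1628) or via Siemens Support are not modelled here and would need their own lookup.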
CVEs (2)