
KNX Protocol

1. EXECUTIVE SUMMARY

CVSS v3 7.5 
ATTENTION: Exploitable remotely/low attack complexity/known public exploitation 
Vendor: KNX Association 
Equipment: KNX devices using KNX Connection Authorization 
Vulnerability: Overly Restrictive Account Lockout Mechanism 

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause users to lose access to their device, potentially with no way to reset the device. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following devices using KNX Protocol are affected: 

KNX devices using Connection Authorization Option 1 Style in which no BCU Key is currently set: All versions 

3.2 VULNERABILITY OVERVIEW

3.2.1 OVERLY RESTRICTIVE ACCOUNT LOCKOUT MECHANISM CWE-645 

KNX devices that use KNX Connection Authorization and support Option 1 are, depending on the implementation, vulnerable to being locked, leaving users unable to reset them and regain access to the device. The BCU key feature on the devices can be used to set a password for the device, but that password often cannot be reset without entering the current password. If the device is configured to interface with a network, an attacker with access to that network could interface with the KNX installation, purge all devices that have no additional security options enabled, and set a BCU key, locking the device. Even if a device is not connected to a network, an attacker with physical access to the device could exploit this vulnerability in the same way. 

CVE-2023-4346 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing Sector
COUNTRIES/AREAS DEPLOYED: Europe 
COMPANY HEADQUARTERS LOCATION: Belgium 

3.4 RESEARCHER

Felix Eberstaller reported this vulnerability to CISA. 

4. MITIGATIONS

KNX Association recommends all system integrators, installers, ETS users, and end customers to follow common IT security guidelines. KNX Association recommends users follow the recommendations in the KNX Secure Checklist.

The KNX Association also recommends developers always set the BCU Key in every KNX Project that is already finished and will be commissioned in the future. Hand over the BCU Key as part of the Project Documentation to the Building Owner. 

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: 

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks. 
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

CISA has received reports of this vulnerability being actively exploited. 

CODESYS Development System

1. EXECUTIVE SUMMARY

CVSS v3 7.3 
ATTENTION: low attack complexity 
Vendor: CODESYS, GmbH 
Equipment: CODESYS Development System 
Vulnerability: Uncontrolled Search Path Element 

2. RISK EVALUATION

Successful exploitation of this vulnerability could cause users to unknowingly launch a malicious binary placed by a local attacker. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

CODESYS reports this vulnerability affects the following versions of CODESYS Development System: 

CODESYS Development System: versions from 3.5.17.0 and prior to 3.5.19.20 

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCONTROLLED SEARCH PATH ELEMENT CWE-427 

In CODESYS Development System versions from 3.5.17.0 and prior to 3.5.19.20, a vulnerability allows execution of binaries from the current working directory in the user's context. 

CVE-2023-3662 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H). 
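The defect class above (CWE-427) is easier to reason about with a concrete check. The following is an added example, not CODESYS code and not the vendor's fix: it flags search-path entries that resolve relative to the current working directory (an empty entry, `.`, or any other relative path), produces a sanitized path with only absolute entries, and shows a launcher helper that refuses a bare program name so the operating system's executable search order is never consulted. The sample PATH strings and all function names are constructed for this example.

```python
"""Search-path hygiene checks for CWE-427 (uncontrolled search path element).

Added example, not CODESYS code. Windows-style and POSIX-style paths are both
handled so the check runs on either platform.
"""
import ntpath
import posixpath

# Constructed sample PATH values (not taken from the advisory).
SAFE_PATH = r"C:\Windows\System32;C:\Windows"
RISKY_PATH = r"C:\Windows\System32;;.;C:\Tools;..\bin"


def _isabs(entry: str, windows: bool) -> bool:
    # Pick the path flavour explicitly instead of trusting the host OS.
    return (ntpath if windows else posixpath).isabs(entry)


def cwd_relative_entries(path_value: str, windows: bool = True) -> list:
    """Return the PATH entries that make the search depend on the CWD.

    An empty entry (from ";;" or a trailing separator) and "." both mean
    "the current directory"; any other relative entry is resolved against
    the CWD as well, so all of them are reported.
    """
    sep = ";" if windows else ":"
    return [e for e in path_value.split(sep)
            if not _isabs(e.strip().strip('"'), windows)]


def sanitize_path(path_value: str, windows: bool = True) -> str:
    """Drop relative entries and duplicates, keeping first-seen order."""
    sep = ";" if windows else ":"
    kept = []
    for e in path_value.split(sep):
        clean = e.strip().strip('"')
        if _isabs(clean, windows) and clean not in kept:
            kept.append(clean)
    return sep.join(kept)


def pinned_command(executable: str, args: list, windows: bool = True) -> list:
    """Build an argv whose program is an absolute path.

    Passing an absolute path to CreateProcess/exec* bypasses the search
    order (which on Windows consults the current directory before PATH), so
    a same-named binary dropped into the working directory is never chosen.
    """
    if not _isabs(executable, windows):
        raise ValueError(f"refusing to launch by bare name: {executable!r}")
    return [executable, *args]


if __name__ == "__main__":
    print("risky entries:", cwd_relative_entries(RISKY_PATH))
    print("sanitized:", sanitize_path(RISKY_PATH))
```

Run the first two functions against the PATH of the account that starts the development tool; any non-empty result from `cwd_relative_entries` is exactly the condition under which a file planted in the working directory can shadow a legitimate binary.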

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Carlo Di Dato of Deloitte Risk Advisory Italia – Vulnerability Research Team reported this vulnerability. CERT@VDE coordinated the vulnerability. 

4. MITIGATIONS

CODESYS recommends users update the CODESYS Development System to version 3.5.19.20. 

The CODESYS Development System can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. 

Alternatively, users may find further information on obtaining the software update in the CODESYS Update area.

For more information, please see the advisory CERT@VDE published for CODESYS at: 

https://cert.vde.com/en-us/advisories/vde-2023-021 

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: 

Exercise principles of least privilege. 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability is not exploitable remotely. 

CODESYS Development System

1. EXECUTIVE SUMMARY

CVSS v3 9.6
ATTENTION: Exploitable remotely/low attack complexity 
Vendor: CODESYS, GmbH 
Equipment: CODESYS Development System 
Vulnerability: Insufficient Verification of Data Authenticity 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to carry out a man-in-the-middle (MITM) attack and execute arbitrary code. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

CODESYS reports this vulnerability affects the following versions of CODESYS Development System: 

CODESYS Development System: versions from 3.5.11.0 and prior to 3.5.19.20 

3.2 VULNERABILITY OVERVIEW

3.2.1 INSUFFICIENT VERIFICATION OF DATA AUTHENTICITY CWE-345 

In CODESYS Development System versions from 3.5.11.0 and before 3.5.19.20 a missing integrity check might allow an unauthenticated remote attacker to manipulate the content of notifications received via HTTP by the CODESYS notification server. 

CVE-2023-3663 has been assigned to this vulnerability. A CVSS v3 base score of 9.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H). 
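As an added example (not the CODESYS notification format and not the vendor's fix), the following shows the control that a missing integrity check leaves out: the notification server attaches an HMAC-SHA256 tag to each JSON notification under a key shared with the client, and the client drops any message whose tag does not verify, so an on-path modification of content fetched over plain HTTP is detected rather than acted on. The shared key, the message layout and the function names are assumptions of this example; in practice TLS with certificate validation is the usual transport-level fix, and a message-level tag is defence in depth against exactly the tampering described above.

```python
"""Integrity check for notification payloads fetched over plain HTTP.

Added example; hypothetical scheme, not CODESYS's notification server.
"""
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared key (hypothetical; a real deployment provisions this
# out of band, never inside the notification channel itself).
SHARED_KEY = b"example-shared-key-not-for-production"


def canonical(payload: dict) -> bytes:
    # Deterministic serialization so both sides MAC identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def sign_notification(payload: dict, key: bytes = SHARED_KEY) -> dict:
    """Server side: wrap the payload with its authentication tag."""
    tag = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def verify_notification(message: dict, key: bytes = SHARED_KEY) -> Optional[dict]:
    """Client side: return the payload only if its tag verifies, else None."""
    payload = message.get("payload")
    tag = message.get("tag", "")
    if not isinstance(payload, dict) or not isinstance(tag, str):
        return None
    expected = hmac.new(key, canonical(payload), hashlib.sha256).hexdigest()
    # Constant-time comparison so a wrong tag does not leak how many
    # leading characters matched.
    if not hmac.compare_digest(expected, tag):
        return None
    return payload


# Constructed sample notification as the server would emit it.
GENUINE = sign_notification({"id": 42, "title": "Update available",
                             "link": "https://example.invalid/update"})


def tampered_in_transit(message: dict) -> dict:
    """What an on-path edit looks like: the link changes, the tag cannot."""
    copy = json.loads(json.dumps(message))
    copy["payload"]["link"] = "http://example.invalid/replaced"
    return copy


if __name__ == "__main__":
    print("genuine  ->", verify_notification(GENUINE))
    print("tampered ->", verify_notification(tampered_in_transit(GENUINE)))
```

The client must treat a `None` result as "no notification", not as an error to display: showing attacker-controlled text with a warning attached still lets the tampered link reach the user.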

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Sina Kheirkhah of Summoning Team working with Trend Micro Zero Day Initiative reported this vulnerability. CERT@VDE coordinated the vulnerability. 

4. MITIGATIONS

CODESYS recommends users update the CODESYS Development System to version 3.5.19.20. 

The CODESYS Development System can be downloaded and installed directly with the CODESYS Installer or be downloaded from the CODESYS Store. 

Alternatively, users may find further information on obtaining the software update in the CODESYS Update area.

For more information, please see the advisory CERT@VDE published for CODESYS at: 

https://cert.vde.com/en-us/advisories/vde-2023-022 

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: 

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks. 
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. 

OPTO 22 SNAP PAC S1

1. EXECUTIVE SUMMARY

CVSS v3 7.5 
ATTENTION: Exploitable remotely/low attack complexity 
Vendor: OPTO 22 
Equipment: SNAP PAC S1 
Vulnerabilities: Improper Restriction of Excessive Authentication Attempts, Weak Password Requirements, Improper Access Control, Uncontrolled Resource Consumption 

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to brute force passwords, access certain device files, or cause a denial-of-service condition. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following version of SNAP PAC S1, an industrial programmable automation controller, is affected: 

SNAP PAC S1 Firmware: Version R10.3b 

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER RESTRICTION OF EXCESSIVE AUTHENTICATION ATTEMPTS CWE-307 

There is no limit on the number of login attempts. This could allow a brute force attack on the built-in web server login. 

CVE-2023-40706 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). 

3.2.2 WEAK PASSWORD REQUIREMENTS CWE-521 

There are no requirements for setting a complex password, which could allow a successful brute force attack if users don't set up complex credentials. 

CVE-2023-40707 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). 
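Both findings above (no lockout in 3.2.1, no complexity rule in 3.2.2) can be compensated for outside the device. The following added example, not OPTO 22 code, runs a sliding-window failed-login detector over constructed log lines (the line format is invented for this example; real device logs, if any, differ) and applies a password policy at credential-change time. The threshold, window, minimum length and denylist are assumptions chosen for illustration.

```python
"""Compensating controls for a device web login without lockout or policy.

Added example, not OPTO 22 code. Log format is constructed:
  <ISO timestamp> <source IP> <LOGIN_FAIL|LOGIN_OK> user=<name>
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real device output).
SAMPLE_LOG = """\
2023-08-24T10:00:01Z 192.0.2.10 LOGIN_FAIL user=admin
2023-08-24T10:00:02Z 192.0.2.10 LOGIN_FAIL user=admin
2023-08-24T10:00:03Z 192.0.2.10 LOGIN_FAIL user=admin
2023-08-24T10:00:04Z 192.0.2.10 LOGIN_FAIL user=admin
2023-08-24T10:00:05Z 192.0.2.10 LOGIN_FAIL user=admin
2023-08-24T10:00:06Z 192.0.2.10 LOGIN_FAIL user=admin
2023-08-24T10:00:30Z 198.51.100.7 LOGIN_FAIL user=admin
2023-08-24T10:03:00Z 198.51.100.7 LOGIN_OK user=admin
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN_FAIL|LOGIN_OK) user=(\S+)$")


def detect_bruteforce(log_text: str, threshold: int = 5, window_s: int = 60) -> dict:
    """Map source IP -> failure count at the moment the threshold was first crossed.

    Keeps a per-source sliding window of failure timestamps; a successful
    login clears that source's streak. Sources that never reach `threshold`
    failures inside `window_s` seconds are not reported.
    """
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the detector
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        src, outcome = m.group(2), m.group(3)
        if outcome != "LOGIN_FAIL":
            recent[src].clear()
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= threshold and src not in alerts:
            alerts[src] = len(q)
    return alerts


# Constructed denylist of common defaults; a real one is loaded from a file.
DENYLIST = {"password", "admin", "changeme", "12345678"}


def password_policy_violations(password: str, min_len: int = 14) -> list:
    """Return the rules a candidate password breaks (empty list = acceptable)."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    classes = [
        ("lowercase", any(c.islower() for c in password)),
        ("uppercase", any(c.isupper() for c in password)),
        ("digit", any(c.isdigit() for c in password)),
        ("symbol", any(not c.isalnum() for c in password)),
    ]
    missing = [name for name, present in classes if not present]
    if len(missing) > 1:
        problems.append("uses fewer than three character classes")
    if password.lower() in DENYLIST:
        problems.append("matches a well-known default or dictionary word")
    return problems


if __name__ == "__main__":
    print("brute-force sources:", detect_bruteforce(SAMPLE_LOG))
    print("policy check:", password_policy_violations("admin"))
```

The detector belongs on whatever sees the login traffic (a firewall or proxy in front of TCP/443, or a syslog collector), since the controller itself does not enforce a limit; the policy check belongs in the procedure operators follow when they change device credentials, which is the last of the Dragos recommendations below.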

3.2.3 IMPROPER ACCESS CONTROL CWE-284 

The File Transfer Protocol (FTP) port is open by default. This could allow an adversary to access some device files. 

CVE-2023-40708 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N). 

3.2.4 UNCONTROLLED RESOURCE CONSUMPTION CWE-400 

An adversary could crash the entire device by sending a large quantity of ICMP requests if the controller has the built-in web server enabled but not completely set up and configured. 

CVE-2023-40709 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.2.5 UNCONTROLLED RESOURCE CONSUMPTION CWE-400 

An adversary could cause a continuous restart loop of the entire device by sending a large quantity of HTTP GET requests if the controller has the built-in web server enabled but not completely set up and configured. 

CVE-2023-40710 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been assigned; the CVSS vector string is (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: United States 

3.4 RESEARCHER

Nicolas Cano of Dragos reported these vulnerabilities to CISA. 

4. MITIGATIONS

OPTO 22 recommends users follow the direction Dragos and CISA provided for this vulnerability. 

Dragos recommends users take the following actions: 

Disable the built-in web server when not in use through the Network Security settings within the OPTO 22 Pac Manager software. 
Restrict access to the built-in web server found on HTTPS (TCP/443). 
Restrict access to the FTP Port (TCP/21). 
Ensure user credentials are changed to something long, complex, and unique. 

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should: 

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks. 
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices. 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures. 

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents. 

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. 

Network Mirroring in Siemens RUGGEDCOM

1. EXECUTIVE SUMMARY

CVSS v3 9.1 
ATTENTION: Exploitable remotely / low attack complexity  
Vendor: Siemens  
Equipment: RUGGEDCOM 
Vulnerability: Incorrect Provision of Specified Functionality 

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to inject information into the network via the mirror port.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products from Siemens are affected:

RUGGEDCOM i800: All versions prior to V4.3.8
RUGGEDCOM i800NC: All versions prior to V4.3.8
RUGGEDCOM i801: All versions prior to V4.3.8
RUGGEDCOM i801NC: All versions prior to V4.3.8
RUGGEDCOM i802: All versions prior to V4.3.8
RUGGEDCOM i802NC: All versions prior to V4.3.8
RUGGEDCOM i803: All versions prior to V4.3.8
RUGGEDCOM i803NC: All versions prior to V4.3.8
RUGGEDCOM M2100: All versions prior to V4.3.8
RUGGEDCOM M2100F: All versions
RUGGEDCOM M2100NC: All versions prior to V4.3.8
RUGGEDCOM M2200: All versions prior to V4.3.8
RUGGEDCOM M2200F: All versions
RUGGEDCOM M2200NC: All versions prior to V4.3.8
RUGGEDCOM M969: All versions prior to V4.3.8
RUGGEDCOM M969F: All versions
RUGGEDCOM M969NC: All versions prior to V4.3.8
RUGGEDCOM RMC30: All versions prior to V4.3.8
RUGGEDCOM RMC30NC: All versions prior to V4.3.8
RUGGEDCOM RMC8388 V4.X: All versions prior to V4.3.8
RUGGEDCOM RMC8388 V5.X: All versions
RUGGEDCOM RMC8388NC V4.X: All versions prior to V4.3.8
RUGGEDCOM RMC8388NC V5.X: All versions
RUGGEDCOM RP110: All versions prior to V4.3.8
RUGGEDCOM RP110NC: All versions prior to V4.3.8
RUGGEDCOM RS1600: All versions
RUGGEDCOM RS1600F: All versions
RUGGEDCOM RS1600FNC: All versions
RUGGEDCOM RS1600NC: All versions
RUGGEDCOM RS1600T: All versions
RUGGEDCOM RS1600TNC: All versions
RUGGEDCOM RS400: All versions
RUGGEDCOM RS400F: All versions
RUGGEDCOM RS400NC: All versions
RUGGEDCOM RS401: All versions
RUGGEDCOM RS401NC: All versions
RUGGEDCOM RS416: All versions prior to V4.3.8
RUGGEDCOM RS416F: All versions
RUGGEDCOM RS416NC: All versions prior to V4.3.8
RUGGEDCOM RS416NC v2: All versions
RUGGEDCOM RS416P: All versions prior to V4.3.8
RUGGEDCOM RS416PF: All versions
RUGGEDCOM RS416PNC: All versions prior to V4.3.8
RUGGEDCOM RS416PNC v2: All versions
RUGGEDCOM RS416Pv2: All versions
RUGGEDCOM RS416v2: All versions
RUGGEDCOM RS8000: All versions
RUGGEDCOM RS8000A: All versions
RUGGEDCOM RS8000ANC: All versions
RUGGEDCOM RS8000H: All versions
RUGGEDCOM RS8000HNC: All versions
RUGGEDCOM RS8000NC: All versions
RUGGEDCOM RS8000T: All versions
RUGGEDCOM RS8000TNC: All versions
RUGGEDCOM RS900: All versions prior to V4.3.8
RUGGEDCOM RS900: All versions with switch chip M88E6083
RUGGEDCOM RS900 (32M) V4.X: All versions prior to V4.3.8
RUGGEDCOM RS900 (32M) V5.X: All versions
RUGGEDCOM RS900F: All versions
RUGGEDCOM RS900G: All versions prior to V4.3.8
RUGGEDCOM RS900G (32M) V4.X: All versions prior to V4.3.8
RUGGEDCOM RS900G (32M) V5.X: All versions
RUGGEDCOM RS900GF: All versions
RUGGEDCOM RS900GNC: All versions prior to V4.3.8
RUGGEDCOM RS900GNC(32M) V4.X: All versions prior to V4.3.8
RUGGEDCOM RS900GNC(32M) V5.X: All versions
RUGGEDCOM RS900GP: All versions prior to V4.3.8
RUGGEDCOM RS900GPF: All versions
RUGGEDCOM RS900GPNC: All versions prior to V4.3.8
RUGGEDCOM RS900L: All versions prior to V4.3.8
RUGGEDCOM RS900L: All versions
RUGGEDCOM RS900LNC: All versions prior to V4.3.8
RUGGEDCOM RS900LNC: All versions
RUGGEDCOM RS900M-GETS-C01: All versions prior to V4.3.8
RUGGEDCOM RS900M-GETS-XX: All versions prior to V4.3.8
RUGGEDCOM RS900M-STND-C01: All versions prior to V4.3.8
RUGGEDCOM RS900M-STND-XX: All versions prior to V4.3.8
RUGGEDCOM RS900MNC-GETS-C01: All versions prior to V4.3.8
RUGGEDCOM RS900MNC-GETS-XX: All versions prior to V4.3.8
RUGGEDCOM RS900MNC-STND-XX: All versions prior to V4.3.8
RUGGEDCOM RS900MNC-STND-XX-C01: All versions prior to V4.3.8
RUGGEDCOM RS900NC: All versions prior to V4.3.8
RUGGEDCOM RS900NC: All versions
RUGGEDCOM RS900NC(32M) V4.X: All versions prior to V4.3.8
RUGGEDCOM RS900NC(32M) V5.X: All versions
RUGGEDCOM RS900W: All versions prior to V4.3.8
RUGGEDCOM RS910: All versions prior to V4.3.8
RUGGEDCOM RS910L: All versions prior to V4.3.8
RUGGEDCOM RS910LNC: All versions prior to V4.3.8
RUGGEDCOM RS910NC: All versions prior to V4.3.8
RUGGEDCOM RS910W: All versions prior to V4.3.8
RUGGEDCOM RS920L: All versions prior to V4.3.8
RUGGEDCOM RS920LNC: All versions prior to V4.3.8
RUGGEDCOM RS920W: All versions prior to V4.3.8
RUGGEDCOM RS930L: All versions prior to V4.3.8
RUGGEDCOM RS930LNC: All versions prior to V4.3.8
RUGGEDCOM RS930W: All versions prior to V4.3.8
RUGGEDCOM RS940G: All versions prior to V4.3.8
RUGGEDCOM RS940GF: All versions
RUGGEDCOM RS940GNC: All versions prior to V4.3.8
RUGGEDCOM RS969: All versions prior to V4.3.8
RUGGEDCOM RS969NC: All versions prior to V4.3.8
RUGGEDCOM RSG2100: All versions prior to V4.3.8
RUGGEDCOM RSG2100 (32M) V4.X: All versions prior to V4.3.8
RUGGEDCOM RSG2100 (32M) V5.X: All versions
RUGGEDCOM RSG2100F: All versions
RUGGEDCOM RSG2100NC: All versions prior to V4.3.8
RUGGEDCOM RSG2100NC(32M) V4.X: All versions prior to V4.3.8
RUGGEDCOM RSG2100NC(32M) V5.X: All versions
RUGGEDCOM RSG2100P: All versions prior to V4.3.8
RUGGEDCOM RSG2100PF: All versions
RUGGEDCOM RSG2100PNC: All versions prior to V4.3.8
RUGGEDCOM RSG2200: All versions prior to V4.3.8
RUGGEDCOM RSG2200F: All versions
RUGGEDCOM RSG2200NC: All versions prior to V4.3.8
RUGGEDCOM RSG2288 V4.X: All versions prior to V4.3.8
RUGGEDCOM RSG2288 V5.X: All versions
RUGGEDCOM RSG2288NC V4.X: All versions prior to V4.3.8
RUGGEDCOM RSG2288NC V5.X: All versions
RUGGEDCOM RSG2300 V4.X: All versions prior to V4.3.8
RUGGEDCOM RSG2300 V5.X: All versions
RUGGEDCOM RSG2300F: All versions
RUGGEDCOM RSG2300NC V4.X: All versions prior to V4.3.8
RUGGEDCOM RSG2300NC V5.X: All versions
RUGGEDCOM RSG2300P V4.X: All versions prior to V4.3.8 
RUGGEDCOM RSG2300P V5.X: All versions
RUGGEDCOM RSG2300PF: All versions
RUGGEDCOM RSG2300PNC V4.X: All versions prior to V4.3.8
RUGGEDCOM RSG2300PNC V5.X: All versions
RUGGEDCOM RSG2488 V4.X: All versions prior to V4.3.8
RUGGEDCOM RSG2488 V5.X: All versions
RUGGEDCOM RSG2488F: All versions
RUGGEDCOM RSG2488NC V4.X: All versions prior to V4.3.8
RUGGEDCOM RSG2488NC V5.X: All versions
RUGGEDCOM RSG907R: All versions
RUGGEDCOM RSG908C: All versions
RUGGEDCOM RSG909R: All versions
RUGGEDCOM RSG910C: All versions
RUGGEDCOM RSG920P V4.X: All versions prior to V4.3.8
RUGGEDCOM RSG920P V5.X: All versions
RUGGEDCOM RSG920PNC V4.X: All versions prior to V4.3.8
RUGGEDCOM RSG920PNC V5.X: All versions
RUGGEDCOM RSL910: All versions
RUGGEDCOM RSL910NC: All versions
RUGGEDCOM RST2228: All versions
RUGGEDCOM RST2228P: All versions
RUGGEDCOM RST916C: All versions
RUGGEDCOM RST916P: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 INCORRECT PROVISION OF SPECIFIED FUNCTIONALITY CWE-684 

The affected products insufficiently block data from being forwarded over the mirror port into the mirrored network. An attacker could use this behavior to transmit malicious packets to systems in the mirrored network, possibly influencing their configuration and runtime behavior.

CVE-2023-24845 has been assigned to this vulnerability. A CVSS v3 base score of 9.1 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not available or not yet available:

RUGGEDCOM i800: Update to V4.3.8 or later version
RUGGEDCOM i800NC: Update to V4.3.8 or later version
RUGGEDCOM i801: Update to V4.3.8 or later version
RUGGEDCOM i801NC: Update to V4.3.8 or later version
RUGGEDCOM i802: Update to V4.3.8 or later version
RUGGEDCOM i802NC: Update to V4.3.8 or later version
RUGGEDCOM i803: Update to V4.3.8 or later version
RUGGEDCOM i803NC: Update to V4.3.8 or later version
RUGGEDCOM M2100: Update to V4.3.8 or later version
RUGGEDCOM M2100F: Currently no fix is planned.
RUGGEDCOM M2100NC: Update to V4.3.8 or later version
RUGGEDCOM M2200: Update to V4.3.8 or later version
RUGGEDCOM M2200F: Currently no fix is planned.
RUGGEDCOM M2200NC: Update to V4.3.8 or later version
RUGGEDCOM M969: Update to V4.3.8 or later version
RUGGEDCOM M969F: Currently no fix is planned.
RUGGEDCOM M969NC: Update to V4.3.8 or later version
RUGGEDCOM RMC30: Update to V4.3.8 or later version
RUGGEDCOM RMC30NC: Update to V4.3.8 or later version
RUGGEDCOM RMC8388 V4.X: Update to V4.3.8 or later version
RUGGEDCOM RMC8388 V5.X: Currently no fix is available.
RUGGEDCOM RMC8388NC V4.X: Update to V4.3.8 or later version
RUGGEDCOM RMC8388NC V5.X: Currently no fix is available.
RUGGEDCOM RP110: Update to V4.3.8 or later version
RUGGEDCOM RP110NC: Update to V4.3.8 or later version
RUGGEDCOM RS1600: Currently no fix is planned.
RUGGEDCOM RS1600F: Currently no fix is planned.
RUGGEDCOM RS1600FNC: Currently no fix is planned.
RUGGEDCOM RS1600NC: Currently no fix is planned.
RUGGEDCOM RS1600T: Currently no fix is planned.
RUGGEDCOM RS1600TNC: Currently no fix is planned.
RUGGEDCOM RS400: Currently no fix is planned.
RUGGEDCOM RS400F: Currently no fix is planned.
RUGGEDCOM RS400NC: Currently no fix is planned.
RUGGEDCOM RS401: Currently no fix is planned.
RUGGEDCOM RS401NC: Currently no fix is planned.
RUGGEDCOM RS416: Update to V4.3.8 or later version
RUGGEDCOM RS416F: Currently no fix is planned.
RUGGEDCOM RS416NC: Update to V4.3.8 or later version
RUGGEDCOM RS416NC v2: Currently no fix is available.
RUGGEDCOM RS416P: Update to V4.3.8 or later version
RUGGEDCOM RS416PF: Currently no fix is planned.
RUGGEDCOM RS416PNC: Update to V4.3.8 or later version
RUGGEDCOM RS416PNC v2: Currently no fix is available.
RUGGEDCOM RS416Pv2: Currently no fix is available.
RUGGEDCOM RS416v2: Currently no fix is available.
RUGGEDCOM RS8000: Currently no fix is planned.
RUGGEDCOM RS8000A: Currently no fix is planned.
RUGGEDCOM RS8000ANC: Currently no fix is planned.
RUGGEDCOM RS8000H: Currently no fix is planned.
RUGGEDCOM RS8000HNC: Currently no fix is planned.
RUGGEDCOM RS8000NC: Currently no fix is planned.
RUGGEDCOM RS8000T: Currently no fix is planned.
RUGGEDCOM RS8000TNC: Currently no fix is planned.
RUGGEDCOM RS900: Update to V4.3.8 or later version
RUGGEDCOM RS900 with switch chip M88E6083: Currently no fix is planned.
RUGGEDCOM RS900 (32M) V4.X: Update to V4.3.8 or later version
RUGGEDCOM RS900 (32M) V5.X: Currently no fix is available.
RUGGEDCOM RS900F: Currently no fix is planned.
RUGGEDCOM RS900G: Update to V4.3.8 or later version
RUGGEDCOM RS900G (32M) V4.X: Update to V4.3.8 or later version
RUGGEDCOM RS900G (32M) V5.X: Currently no fix is available.
RUGGEDCOM RS900GF: Currently no fix is planned.
RUGGEDCOM RS900GNC: Update to V4.3.8 or later version
RUGGEDCOM RS900GNC(32M) V4.X: Update to V4.3.8 or later version
RUGGEDCOM RS900GNC(32M) V5.X: Currently no fix is available.
RUGGEDCOM RS900GP: Update to V4.3.8 or later version
RUGGEDCOM RS900GPF: Currently no fix is planned.
RUGGEDCOM RS900GPNC: Update to V4.3.8 or later version
RUGGEDCOM RS900L: Update to V4.3.8 or later version
RUGGEDCOM RS900L with switch chip M88E6083: Currently no fix is planned.
RUGGEDCOM RS900LNC: Update to V4.3.8 or later version
RUGGEDCOM RS900LNC with switch chip M88E6083: Currently no fix is planned.
RUGGEDCOM RS900M-GETS-C01: Update to V4.3.8 or later version
RUGGEDCOM RS900M-GETS-XX: Update to V4.3.8 or later version
RUGGEDCOM RS900M-STND-C01: Update to V4.3.8 or later version
RUGGEDCOM RS900M-STND-XX: Update to V4.3.8 or later version
RUGGEDCOM RS900MNC-GETS-C01: Update to V4.3.8 or later version
RUGGEDCOM RS900MNC-GETS-XX: Update to V4.3.8 or later version
RUGGEDCOM RS900MNC-STND-XX: Update to V4.3.8 or later version
RUGGEDCOM RS900MNC-STND-XX-C01: Update to V4.3.8 or later version
RUGGEDCOM RS900NC: Update to V4.3.8 or later version
RUGGEDCOM RS900NC with switch chip M88E6083: Currently no fix is planned.
RUGGEDCOM RS900NC(32M) V4.X: Update to V4.3.8 or later version
RUGGEDCOM RS900NC(32M) V5.X: Currently no fix is available.
RUGGEDCOM RS900W: Update to V4.3.8 or later version
RUGGEDCOM RS910: Update to V4.3.8 or later version
RUGGEDCOM RS910L: Update to V4.3.8 or later version
RUGGEDCOM RS910LNC: Update to V4.3.8 or later version
RUGGEDCOM RS910NC: Update to V4.3.8 or later version
RUGGEDCOM RS910W: Update to V4.3.8 or later version
RUGGEDCOM RS920L: Update to V4.3.8 or later version
RUGGEDCOM RS920LNC: Update to V4.3.8 or later version
RUGGEDCOM RS920W: Update to V4.3.8 or later version
RUGGEDCOM RS930L: Update to V4.3.8 or later version
RUGGEDCOM RS930LNC: Update to V4.3.8 or later version
RUGGEDCOM RS930W: Update to V4.3.8 or later version
RUGGEDCOM RS940G: Update to V4.3.8 or later version
RUGGEDCOM RS940GF: Currently no fix is planned.
RUGGEDCOM RS940GNC: Update to V4.3.8 or later version
RUGGEDCOM RS969: Update to V4.3.8 or later version
RUGGEDCOM RS969NC: Update to V4.3.8 or later version
RUGGEDCOM RSG2100: Update to V4.3.8 or later version
RUGGEDCOM RSG2100 (32M) V4.X: Update to V4.3.8 or later version
RUGGEDCOM RSG2100 (32M) V5.X: Currently no fix is available.
RUGGEDCOM RSG2100F: Currently no fix is planned.
RUGGEDCOM RSG2100NC: Update to V4.3.8 or later version
RUGGEDCOM RSG2100NC (32M) V4.X: Update to V4.3.8 or later version
RUGGEDCOM RSG2100NC (32M) V5.X: Currently no fix is available.
RUGGEDCOM RSG2100P: Update to V4.3.8 or later version
RUGGEDCOM RSG2100PF: Currently no fix is planned.
RUGGEDCOM RSG2100PNC: Update to V4.3.8 or later version
RUGGEDCOM RSG2200: Update to V4.3.8 or later version
RUGGEDCOM RSG2200F: Currently no fix is planned.
RUGGEDCOM RSG2200NC: Update to V4.3.8 or later version
RUGGEDCOM RSG2288 V4.X: Update to V4.3.8 or later version
RUGGEDCOM RSG2288 V5.X: Currently no fix is available.
RUGGEDCOM RSG2288NC V4.X: Update to V4.3.8 or later version
RUGGEDCOM RSG2288NC V5.X: Currently no fix is available.
RUGGEDCOM RSG2300 V4.X: Update to V4.3.8 or later version
RUGGEDCOM RSG2300 V5.X: Currently no fix is available.
RUGGEDCOM RSG2300F: Currently no fix is planned.
RUGGEDCOM RSG2300NC V4.X: Update to V4.3.8 or later version
RUGGEDCOM RSG2300NC V5.X: Currently no fix is available.
RUGGEDCOM RSG2300P V4.X: Update to V4.3.8 or later version
RUGGEDCOM RSG2300P V5.X: Currently no fix is available.
RUGGEDCOM RSG2300PF: Currently no fix is planned.
RUGGEDCOM RSG2300PNC V4.X: Update to V4.3.8 or later version
RUGGEDCOM RSG2300PNC V5.X: Currently no fix is available.
RUGGEDCOM RSG2488 V4.X: Update to V4.3.8 or later version
RUGGEDCOM RSG2488 V5.X: Currently no fix is available.
RUGGEDCOM RSG2488F: Currently no fix is planned.
RUGGEDCOM RSG2488NC V4.X: Update to V4.3.8 or later version
RUGGEDCOM RSG2488NC V5.X: Currently no fix is available.
RUGGEDCOM RSG907R: Currently no fix is available.
RUGGEDCOM RSG908C: Currently no fix is available.
RUGGEDCOM RSG909R: Currently no fix is available.
RUGGEDCOM RSG910C: Currently no fix is available.
RUGGEDCOM RSG920P V4.X: Update to V4.3.8 or later version
RUGGEDCOM RSG920P V5.X: Currently no fix is available.
RUGGEDCOM RSG920PNC V4.X: Update to V4.3.8 or later version
RUGGEDCOM RSG920PNC V5.X: Currently no fix is available.
RUGGEDCOM RSL910: Currently no fix is available.
RUGGEDCOM RSL910NC: Currently no fix is available.
RUGGEDCOM RST2228: Currently no fix is available.
RUGGEDCOM RST2228P: Currently no fix is available.
RUGGEDCOM RST916C: Currently no fix is available.
RUGGEDCOM RST916P: Currently no fix is available.

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

Configure ingress filtering to control traffic flow when port mirroring is enabled:
Enable ingress filtering  
Disable RSTP on the target port(s)  
Disable neighbor discovery protocol on the target port(s)  
Disable LLDP on the target port(s) 

Further details can be found at https://support.industry.siemens.com/cs/ww/en/view/109759351

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-908185 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.

Siemens Address Processing in SIMATIC

1. EXECUTIVE SUMMARY

CVSS v3 7.4
ATTENTION: Exploitable remotely
Vendor: Siemens
Equipment: SIMATIC, SIPLUS
Vulnerability: Improper Input Validation

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to recover sensitive data or cause a denial-of-service condition.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products from Siemens are affected:

SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0): versions prior to V2.9.7
SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0): versions V3.0.1 to V3.0.3
SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): versions prior to V2.9.7
SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): versions V3.0.1 to V3.0.3
SIMATIC ET 200SP Open Controller (incl. SIPLUS variants): all versions
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants): all versions
SIMATIC IPC DiagBase: all versions
SIMATIC IPC DiagMonitor: all versions
SIMATIC S7-1200 CPU family (incl. SIPLUS variants): all versions
SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SJ00-0AB0): all versions
SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DJ00-0AB0): all versions
SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DK03-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK00-0AB0): all versions
SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK00-0AB0): all versions
SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SK00-0AB0): all versions
SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DK00-0AB0): all versions
SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DK01-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DM03-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL00-0AB0): all versions
SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL00-0AB0): all versions
SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RL00-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RM03-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1514SP-2 PN (6ES7514-2DN03-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM00-0AB0): all versions
SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM00-0AB0): all versions
SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RM00-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RN03-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN00-0AB0): all versions
SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN00-0AB0): all versions
SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1517H-3 PN (6ES7517-3HP00-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1518HF-4 PN (6ES7518-4JP00-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0): versions prior to V3.0.3
SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK (6ES7518-4AP00-3AB0): versions prior to V2.9.7
SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0): versions prior to V2.9.7
SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN (6ES7513-2GL00-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0): versions prior to V2.9.7
SIMATIC S7-1500 Software Controller: all versions
SIMATIC S7-PLCSIM Advanced: all versions
SIPLUS ET 200SP CPU 1510SP F-1 PN (6AG1510-1SJ01-2AB0): versions prior to V2.9.7
SIPLUS ET 200SP CPU 1510SP F-1 PN RAIL (6AG2510-1SJ01-1AB0): versions prior to V2.9.7
SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-2AB0): versions prior to V2.9.7
SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-7AB0): versions prior to V2.9.7
SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-4AB0): versions prior to V2.9.7
SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-1AB0): versions prior to V2.9.7
SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK00-2AB0): all versions
SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-2AB0): versions prior to V2.9.7
SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-7AB0): versions prior to V2.9.7
SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-1AB0): versions prior to V2.9.7
SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-4AB0): versions prior to V2.9.7
SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-2AB0): versions prior to V2.9.7
SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-7AB0): versions prior to V2.9.7
SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-4AB0): versions prior to V2.9.7
SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-1AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK00-2AB0): all versions
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK00-2AB0): all versions
SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL00-2AB0): all versions
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL00-2AB0): all versions
SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM01-2AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1515R-2 PN (6AG1515-2RM00-7AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1515R-2 PN TX RAIL (6AG2515-2RM00-4AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-2AB0): all versions
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-7AB0): all versions
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN00-2AB0): all versions
SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0): versions prior to V2.9.7
SIPLUS S7-1500 CPU 1517H-3 PN (6AG1517-3HP00-4AB0): versions prior to V3.0.3
SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0): versions prior to V3.0.3
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0): versions prior to V3.0.3
SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0): versions prior to V3.0.3
SIPLUS S7-1500 CPU 1518HF-4 PN (6AG1518-4JP00-4AB0): versions prior to V3.0.3

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER INPUT VALIDATION CWE-20

There is a type confusion vulnerability relating to X.400 address processing inside an X.509 GeneralName. This vulnerability may allow an attacker to pass arbitrary pointers to a memcmp call, enabling them to read memory contents or enact a denial of service.

CVE-2023-0286 has been assigned to this vulnerability. A CVSS v3 base score of 7.4 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:H).
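To make the bug class concrete, here is an added example (constructed for this page; CVE-2023-0286 is an OpenSSL issue, but this is a simplified model, not OpenSSL's or Siemens' source) of the GeneralName type confusion: the decoder produces a STRING-shaped object for x400Address while the flawed comparison read that memory through a TYPE-shaped declaration, so a length was taken as a tag and the raw address bytes as a pointer; the hardened comparison corrects the declared type and compares with a bounded memcmp. Struct names, field layouts and the sample DER bytes are assumptions made for the model.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* STRING-shaped value: what the DER decoder actually produces for an
 * x400Address (a SEQUENCE kept as its raw encoded bytes). Assumed layout. */
typedef struct {
    int length;            /* number of bytes at data */
    int type;              /* ASN.1 tag of the value (16 = SEQUENCE) */
    unsigned char *data;   /* raw DER bytes of the address */
} asn1_string_t;

/* TYPE-shaped value: what the flawed comparison code believed it held. */
typedef struct {
    int type;
    union { void *ptr; asn1_string_t *str; } value;
} asn1_type_t;

enum { GEN_DNS = 2, GEN_X400 = 3 };

/* GeneralName with the corrected declaration: x400 is STRING-shaped. The
 * flawed version declared this member as asn1_type_t * while the decoder
 * still stored an asn1_string_t * in the same slot. */
typedef struct {
    int kind;              /* which union member is valid */
    union {
        asn1_string_t *dns;
        asn1_string_t *x400;
    } d;
} general_name_t;

/* What a TYPE-shaped reader sees when handed a STRING-shaped object. Bytes
 * are copied out with memcpy and the reinterpreted pointer is never
 * dereferenced: this shows the confusion without triggering it. */
typedef struct { int seen_type; void *seen_ptr; } confused_view_t;

confused_view_t confused_view(const asn1_string_t *s) {
    confused_view_t v;
    const char *raw = (const char *)s;
    /* Offset 0 holds an int in both layouts: the string's LENGTH reads as TYPE. */
    memcpy(&v.seen_type, raw + offsetof(asn1_type_t, type), sizeof v.seen_type);
    /* The "value" pointer is read from where the TYPE layout expects it; on
     * LP64 that coincides with the STRING's data pointer, so the raw DER
     * bytes of the address would be interpreted as a struct. */
    memcpy(&v.seen_ptr, raw + offsetof(asn1_type_t, value), sizeof v.seen_ptr);
    return v;
}

/* Hardened comparison: treat the address as the STRING it really is, and
 * bound memcmp by a length that belongs to the object being compared. */
int asn1_string_cmp(const asn1_string_t *a, const asn1_string_t *b) {
    if (a->length < 0 || b->length < 0) return -1;   /* reject malformed objects */
    if (a->length != b->length) return a->length - b->length;
    int r = memcmp(a->data, b->data, (size_t)a->length);
    return r != 0 ? r : a->type - b->type;
}

int general_name_cmp(const general_name_t *a, const general_name_t *b) {
    if (a->kind != b->kind) return -1;
    switch (a->kind) {
    case GEN_X400: return asn1_string_cmp(a->d.x400, b->d.x400);  /* the fix */
    case GEN_DNS:  return asn1_string_cmp(a->d.dns, b->d.dns);
    default:       return -1;                                     /* unsupported kind */
    }
}

/* Constructed sample data (placeholder DER, not a real ORAddress encoding). */
static unsigned char sample_a[] = { 0x30, 0x06, 0x61, 0x04, 0x13, 0x02, 'A', 'B' };
static unsigned char sample_b[] = { 0x30, 0x06, 0x61, 0x04, 0x13, 0x02, 'A', 'C' };
static asn1_string_t x400_a = { (int)sizeof sample_a, 16, sample_a };
static asn1_string_t x400_b = { (int)sizeof sample_b, 16, sample_b };
static general_name_t gn_a  = { GEN_X400, { .x400 = &x400_a } };
static general_name_t gn_a2 = { GEN_X400, { .x400 = &x400_a } };
static general_name_t gn_b  = { GEN_X400, { .x400 = &x400_b } };

int demo_equal(void)         { return general_name_cmp(&gn_a, &gn_a2); }      /* 0 */
int demo_differ(void)        { return general_name_cmp(&gn_a, &gn_b) != 0; }  /* 1 */
int demo_confused_type(void) { return confused_view(&x400_a).seen_type; }     /* 8: the length, not tag 16 */
int demo_confused_ptr_is_raw_data(void) {
    return confused_view(&x400_a).seen_ptr == (void *)sample_a;                /* 1 on LP64 */
}

int main(void) {
    printf("hardened cmp: equal=%d differ=%d\n", demo_equal(), demo_differ());
    printf("confused reader sees type=%d (real tag %d, real length %d)\n",
           demo_confused_type(), x400_a.type, x400_a.length);
    printf("confused value pointer == raw DER bytes: %d\n", demo_confused_ptr_is_raw_data());
    return 0;
}
```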

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet, available:

SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0): Update to V2.9.7 or later
SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0): Update to V3.0.3 or later
SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): Update to V2.9.7 or later
SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DK03-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DK01-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DM03-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RL00-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RM03-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1514SP-2 PN (6ES7514-2DN03-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RM00-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RN03-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1517H-3 PN (6ES7517-3HP00-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1518HF-4 PN (6ES7518-4JP00-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0): Update to V3.0.3 or later
SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK (6ES7518-4AP00-3AB0): Update to V2.9.7 or later
SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0): Update to V2.9.7 or later
SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN (6ES7513-2GL00-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0): Update to V2.9.7 or later
SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0): Update to V2.9.7 or later
SIPLUS ET 200SP CPU 1510SP F-1 PN (6AG1510-1SJ01-2AB0): Update to V2.9.7 or later
SIPLUS ET 200SP CPU 1510SP F-1 PN RAIL (6AG2510-1SJ01-1AB0): Update to V2.9.7 or later
SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-2AB0): Update to V2.9.7 or later
SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-7AB0): Update to V2.9.7 or later
SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-4AB0): Update to V2.9.7 or later
SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-1AB0): Update to V2.9.7 or later
SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-2AB0): Update to V2.9.7 or later
SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-7AB0): Update to V2.9.7 or later
SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-1AB0): Update to V2.9.7 or later
SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-4AB0): Update to V2.9.7 or later
SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-2AB0): Update to V2.9.7 or later
SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-7AB0): Update to V2.9.7 or later
SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-4AB0): Update to V2.9.7 or later
SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-1AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM01-2AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1515R-2 PN (6AG1515-2RM00-7AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1515R-2 PN TX RAIL (6AG2515-2RM00-4AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0): Update to V2.9.7 or later
SIPLUS S7-1500 CPU 1517H-3 PN (6AG1517-3HP00-4AB0): Update to V3.0.3 or later
SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0): Update to V3.0.3 or later
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0): Update to V3.0.3 or later
SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0): Update to V3.0.3 or later
SIPLUS S7-1500 CPU 1518HF-4 PN (6AG1518-4JP00-4AB0): Update to V3.0.3 or later

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

Disable CRL (certificate revocation list) checking, if possible

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals. Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT.

For more information see the associated Siemens security advisory SSA-264815 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

Siemens Software Center

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Exploitable remotely/low attack complexity
Vendor: Siemens
Equipment: Software Center
Vulnerabilities: Uncontrolled Search Path Element, Path Traversal

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow a local attacker to execute code with elevated privileges.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products from Siemens are affected:

Siemens Software Center: All versions prior to v3.0

3.2 VULNERABILITY OVERVIEW

3.2.1 UNCONTROLLED SEARCH PATH ELEMENT CWE-427

A DLL hijacking vulnerability could allow a local attacker to execute code with elevated privileges by placing a malicious DLL in one of the directories on the DLL search path.

CVE-2021-41544 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

3.2.2 IMPROPER LIMITATION OF A PATHNAME TO A RESTRICTED DIRECTORY (‘PATH TRAVERSAL’) CWE-22

Qt through 5.15.8 and 6.x through 6.2.3 could load system library files from an unintended working directory.

CVE-2022-25634 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Samuel Hanson from Dragos reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens released update V3.0 for the Siemens Software Center (SSC) and recommends users update to the latest version. Existing installations of SSC will be prompted to update whenever a new version is available.

​Siemens identified the following specific workarounds and mitigations users can apply to reduce risk:

​Harden the application host to prevent local access by untrusted personnel.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on Siemens industrial security can be found on the Siemens industrial security webpage.

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT.

For more information, see the associated Siemens security advisory SSA-188491 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target these vulnerabilities.

Siemens Solid Edge, JT2Go, and Teamcenter Visualization

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: Solid Edge, JT2Go, and Teamcenter Visualization
Vulnerabilities: Use After Free, Out-of-bounds Read, Out-of-bounds Write

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to execute code in the context of the current process.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products from Siemens are affected:

JT2Go: All versions prior to v14.2.0.5
Solid Edge SE2022: All versions prior to v222.0 Update 13
Solid Edge SE2023: All versions prior to v223.0 Update 4
Teamcenter Visualization V13.2: All versions prior to v13.2.0.15
Teamcenter Visualization V13.2: All versions prior to v13.2.0.14
Teamcenter Visualization V13.3: All versions prior to v13.3.0.11
Teamcenter Visualization V14.1: All versions prior to v14.1.0.11
Teamcenter Visualization V14.1: All versions prior to v14.1.0.10
Teamcenter Visualization V14.2: All versions prior to v14.2.0.5

3.2 VULNERABILITY OVERVIEW

3.2.1 USE AFTER FREE CWE-416

The affected application contains a use-after-free vulnerability that could be triggered while parsing a specially crafted ASM file. An attacker could leverage this vulnerability to execute code in the context of the current process.

CVE-2023-28830 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.2 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted TIFF files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-38682 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 OUT-OF-BOUNDS WRITE CWE-787

The affected application contains an out-of-bounds write past the end of an allocated buffer while parsing a specially crafted TIFF file. This could allow an attacker to execute code in the context of the current process.

CVE-2023-38683 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
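Added example, not Siemens code and not taken from the advisory: a bounds-checked reader for the TIFF header and first image file directory (IFD), the structure whose entry count and out-of-line value offsets a crafted file manipulates in the out-of-bounds read and write cases above. The sample buffers are constructed inline; the reader rejects a directory whose declared entry count or value offset reaches past the end of the file instead of reading or writing past the allocation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte-order aware readers; 'le' is 1 for little-endian ("II") files. */
static int rd16(const uint8_t *p, int le) {
    return le ? (p[0] | (p[1] << 8)) : ((p[0] << 8) | p[1]);
}
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? ((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24)
              : ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3]);
}

/* TIFF 6.0 field types 1..12 and their element sizes in bytes (index 0 unused). */
static const size_t type_size[] = {0, 1, 1, 2, 4, 8, 1, 1, 2, 4, 8, 4, 8};

/* Parse the header and the first IFD of a TIFF held in buf[0..len).
 * Returns the number of directory entries, or -1 if any count, offset
 * or value length would reach past the end of the buffer. Every read is
 * preceded by a check against 'len', so a hostile file can only make the
 * function fail, never read outside the allocation. */
int tiff_count_entries(const uint8_t *buf, size_t len) {
    if (len < 8) return -1;                       /* header is 8 bytes */
    int le;
    if (memcmp(buf, "II", 2) == 0) le = 1;
    else if (memcmp(buf, "MM", 2) == 0) le = 0;
    else return -1;
    if (rd16(buf + 2, le) != 42) return -1;       /* TIFF magic number */
    uint32_t ifd = rd32(buf + 4, le);
    if (ifd > len || len - ifd < 2) return -1;    /* need 2 bytes for the entry count */
    uint32_t n = (uint32_t)rd16(buf + ifd, le);
    /* 12 bytes per entry plus the 4-byte next-IFD offset must fit after the count.
     * 64-bit arithmetic keeps the multiplication from wrapping on a huge count. */
    uint64_t need = (uint64_t)n * 12 + 2 + 4;
    if (need > len - ifd) return -1;
    for (uint32_t i = 0; i < n; i++) {
        const uint8_t *e = buf + ifd + 2 + (size_t)i * 12;
        uint16_t type = (uint16_t)rd16(e + 2, le);
        uint32_t count = rd32(e + 4, le);
        if (type == 0 || type > 12) return -1;    /* unknown type: size unknown, reject */
        uint64_t bytes = (uint64_t)count * type_size[type];
        if (bytes > 4) {
            /* Value does not fit in the 4-byte field, so the field is an offset
             * into the file. This is the offset a crafted file points past the end. */
            uint32_t off = rd32(e + 8, le);
            if (off > len || bytes > len - off) return -1;
        }
    }
    return (int)n;
}

/* Constructed sample: a well-formed little-endian TIFF with three IFD entries,
 * the third (XResolution, RATIONAL) stored out of line at offset 50. */
const uint8_t tiff_good[] = {
    'I','I', 0x2A,0x00, 0x08,0x00,0x00,0x00,                       /* header, IFD at 8 */
    0x03,0x00,                                                     /* 3 entries */
    0x00,0x01, 0x03,0x00, 0x01,0x00,0x00,0x00, 0x01,0x00,0x00,0x00, /* ImageWidth SHORT 1 */
    0x01,0x01, 0x03,0x00, 0x01,0x00,0x00,0x00, 0x01,0x00,0x00,0x00, /* ImageLength SHORT 1 */
    0x1A,0x01, 0x05,0x00, 0x01,0x00,0x00,0x00, 0x32,0x00,0x00,0x00, /* XResolution -> offset 50 */
    0x00,0x00,0x00,0x00,                                           /* no next IFD */
    0x48,0x00,0x00,0x00, 0x01,0x00,0x00,0x00                       /* 72/1 stored out of line */
};
const size_t tiff_good_len = sizeof tiff_good;

/* Constructed sample: entry count claims 65535 entries but only one follows. */
const uint8_t tiff_oversized_count[] = {
    'I','I', 0x2A,0x00, 0x08,0x00,0x00,0x00,
    0xFF,0xFF,
    0x00,0x01, 0x03,0x00, 0x01,0x00,0x00,0x00, 0x01,0x00,0x00,0x00
};
const size_t tiff_oversized_count_len = sizeof tiff_oversized_count;

/* Constructed sample: out-of-line value offset (4096) points past the 50-byte file. */
const uint8_t tiff_bad_offset[] = {
    'I','I', 0x2A,0x00, 0x08,0x00,0x00,0x00,
    0x03,0x00,
    0x00,0x01, 0x03,0x00, 0x01,0x00,0x00,0x00, 0x01,0x00,0x00,0x00,
    0x01,0x01, 0x03,0x00, 0x01,0x00,0x00,0x00, 0x01,0x00,0x00,0x00,
    0x1A,0x01, 0x05,0x00, 0x01,0x00,0x00,0x00, 0x00,0x10,0x00,0x00,
    0x00,0x00,0x00,0x00
};
const size_t tiff_bad_offset_len = sizeof tiff_bad_offset;

int main(void) {
    printf("well-formed file: %d entries\n", tiff_count_entries(tiff_good, tiff_good_len));
    printf("oversized entry count: %d\n", tiff_count_entries(tiff_oversized_count, tiff_oversized_count_len));
    printf("value offset past end: %d\n", tiff_count_entries(tiff_bad_offset, tiff_bad_offset_len));
    return 0;
}
```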

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Jin Huang from ADLab of Venustech and Michael Heinzl reported these vulnerabilities to Siemens.

4. MITIGATIONS

Siemens released updates for the affected products and recommends updating to the latest versions:

Teamcenter Visualization V14.1: Update to V14.1.0.10 or later version.
Teamcenter Visualization V13.2: Update to V13.2.0.14 or later version.
Solid Edge SE2023: Update to V223.0 Update 4 or later version.
Solid Edge SE2022: Update to V222.0 Update 13 or later version.
Teamcenter Visualization V14.2: Update to V14.2.0.5 or later version.
JT2Go: Update to V14.2.0.5 or later version.
Teamcenter Visualization V14.1: Update to V14.1.0.11 or later version.
Teamcenter Visualization V13.3: Update to V13.3.0.11 or later version.
Teamcenter Visualization V13.2: Update to V13.2.0.15 or later version.

Siemens identified the following specific workarounds and mitigations users can apply to reduce risk:

Avoid opening untrusted files in JT2Go, Teamcenter Visualization, and Solid Edge.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following product manual recommendations.

Additional information on Siemens industrial security can be found on the Siemens industrial security webpage.

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT.

For more information, see the associated Siemens security advisory SSA-131450 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are not exploitable remotely.

Siemens OpenSSL RSA Decryption in SIMATIC

1. EXECUTIVE SUMMARY

CVSS v3 5.9
ATTENTION: Exploitable remotely
Vendor: Siemens
Equipment: SIMATIC, SIPLUS
Vulnerability: Inadequate Encryption Strength

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to recover the product's connection secret.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following products from Siemens are affected:

​SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00): versions prior to V2.2
​SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00): versions prior to V2.2
​SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0): versions V3.0.1 to V3.0.3
​SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0): versions prior to V2.9.7
​SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): versions V3.0.1 to V3.0.3
​SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): versions prior to V2.9.7
​SIMATIC ET 200pro IM154-8 PN/DP CPU (6ES7154-8AB01-0AB0): versions prior to V3.2.19
​SIMATIC ET 200pro IM154-8F PN/DP CPU (6ES7154-8FB01-0AB0): versions prior to V3.2.19
​SIMATIC ET 200pro IM154-8FX PN/DP CPU (6ES7154-8FX00-0AB0): versions prior to V3.2.19
​SIMATIC ET 200S IM151-8 PN/DP CPU (6ES7151-8AB01-0AB0): versions prior to V3.2.19
​SIMATIC ET 200S IM151-8F PN/DP CPU (6ES7151-8FB01-0AB0): versions prior to V3.2.19
​SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants): all versions
​SIMATIC Logon V1.6: all versions
​SIMATIC PDM V9.1: all versions
​SIMATIC PDM V9.2: versions prior to V9.2 SP2 Upd1
​SIMATIC Process Historian 2019 OPC UA Server: all versions
​SIMATIC Process Historian 2020 OPC UA Server: all versions
​SIMATIC Process Historian 2022 OPC UA Server: all versions
​SIMATIC S7-1200 CPU family (incl. SIPLUS variants): all versions
​SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SJ00-0AB0): all versions
​SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DJ00-0AB0): all versions
​SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DK03-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK00-0AB0): all versions
​SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK00-0AB0): all versions
​SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SK00-0AB0): all versions
​SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DK00-0AB0): all versions
​SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DK01-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DM03-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL00-0AB0): all versions
​SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL00-0AB0): all versions
​SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RL00-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RM03-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1514SP-2 PN (6ES7514-2DN03-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM00-0AB0): all versions
​SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM00-0AB0): all versions
​SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RM00-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RN03-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN00-0AB0): all versions
​SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN00-0AB0): all versions
​SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1517H-3 PN (6ES7517-3HP00-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1518HF-4 PN (6ES7518-4JP00-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0): versions prior to V3.0.3
​SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK (6ES7518-4AP00-3AB0): versions prior to V2.9.7
​SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0): versions prior to V2.9.7
​SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN (6ES7513-2GL00-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0): versions prior to V2.9.7
​SIMATIC S7-1500 Software Controller: all versions
​SIMATIC S7-300 CPU 314C-2 PN/DP (6ES7314-6EH04-0AB0): versions prior to V3.3.19
​SIMATIC S7-300 CPU 315-2 PN/DP (6ES7315-2EH14-0AB0): versions prior to V3.2.19
​SIMATIC S7-300 CPU 315F-2 PN/DP (6ES7315-2FJ14-0AB0): versions prior to V3.2.19
​SIMATIC S7-300 CPU 315T-3 PN/DP (6ES7315-7TJ10-0AB0): versions prior to V3.2.19
​SIMATIC S7-300 CPU 317-2 PN/DP (6ES7317-2EK14-0AB0): versions prior to V3.2.19
​SIMATIC S7-300 CPU 317F-2 PN/DP (6ES7317-2FK14-0AB0): versions prior to V3.2.19
​SIMATIC S7-300 CPU 317T-3 PN/DP (6ES7317-7TK10-0AB0): versions prior to V3.2.19
​SIMATIC S7-300 CPU 317TF-3 PN/DP (6ES7317-7UL10-0AB0): versions prior to V3.2.19
​SIMATIC S7-300 CPU 319-3 PN/DP (6ES7318-3EL01-0AB0): versions prior to V3.2.19
​SIMATIC S7-300 CPU 319F-3 PN/DP (6ES7318-3FL01-0AB0): versions prior to V3.2.19
​SIMATIC S7-PLCSIM Advanced: all versions
​SIPLUS ET 200S IM151-8 PN/DP CPU (6AG1151-8AB01-7AB0): versions prior to V3.2.19
​SIPLUS ET 200S IM151-8F PN/DP CPU (6AG1151-8FB01-2AB0): versions prior to V3.2.19
​SIPLUS ET 200SP CPU 1510SP F-1 PN (6AG1510-1SJ01-2AB0): versions prior to V2.9.7
​SIPLUS ET 200SP CPU 1510SP F-1 PN RAIL (6AG2510-1SJ01-1AB0): versions prior to V2.9.7
​SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-2AB0): versions prior to V2.9.7
​SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-7AB0): versions prior to V2.9.7
​SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-4AB0): versions prior to V2.9.7
​SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-1AB0): versions prior to V2.9.7
​SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK00-2AB0): all versions
​SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-2AB0): versions prior to V2.9.7
​SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-7AB0): versions prior to V2.9.7
​SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-1AB0): versions prior to V2.9.7
​SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-4AB0): versions prior to V2.9.7
​SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-2AB0): versions prior to V2.9.7
​SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-7AB0): versions prior to V2.9.7
​SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-4AB0): versions prior to V2.9.7
​SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-1AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK00-2AB0): all versions
​SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK00-2AB0): all versions
​SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL00-2AB0): all versions
​SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL00-2AB0): all versions
​SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM01-2AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1515R-2 PN (6AG1515-2RM00-7AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1515R-2 PN TX RAIL (6AG2515-2RM00-4AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-2AB0): all versions
​SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN00-7AB0): all versions
​SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN00-2AB0): all versions
​SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0): versions prior to V2.9.7
​SIPLUS S7-1500 CPU 1517H-3 PN (6AG1517-3HP00-4AB0): versions prior to V3.0.3
​SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0): versions prior to V3.0.3
​SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0): versions prior to V3.0.3
​SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0): versions prior to V3.0.3
​SIPLUS S7-1500 CPU 1518HF-4 PN (6AG1518-4JP00-4AB0): versions prior to V3.0.3
​SIPLUS S7-300 CPU 314C-2 PN/DP (6AG1314-6EH04-7AB0): versions prior to V3.3.19
​SIPLUS S7-300 CPU 315-2 PN/DP (6AG1315-2EH14-7AB0): versions prior to V3.2.19
​SIPLUS S7-300 CPU 315F-2 PN/DP (6AG1315-2FJ14-2AB0): versions prior to V3.2.19
​SIPLUS S7-300 CPU 317-2 PN/DP (6AG1317-2EK14-7AB0): versions prior to V3.2.19
​SIPLUS S7-300 CPU 317F-2 PN/DP (6AG1317-2FK14-2AB0): versions prior to V3.2.19

3.2 VULNERABILITY OVERVIEW

3.2.1 INADEQUATE ENCRYPTION STRENGTH CWE-326

A timing-based side channel exists in the OpenSSL RSA decryption implementation, which could be sufficient to recover a plaintext across a network in a Bleichenbacher style attack. An attacker could use this flaw to recover the pre-master secret used for the original connection and thus be able to decrypt the application data sent over that connection.

CVE-2022-4304 has been assigned to this vulnerability. A CVSS v3 base score of 5.9 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported this vulnerability to CISA.

4. MITIGATIONS

Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or are not yet, available:

​SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00): Update to V2.2 or later.
​SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00): Update to V2.2 or later.
​SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0): Update to V3.0.3 or later.
​SIMATIC Drive Controller CPU 1504D TF (6ES7615-4DF10-0AB0): Update to V2.9.7 or later.
​SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): Update to V3.0.3 or later.
​SIMATIC Drive Controller CPU 1507D TF (6ES7615-7DF10-0AB0): Update to V2.9.7 or later.
SIMATIC ET 200pro IM154-8 PN/DP CPU (6ES7154-8AB01-0AB0): Update to V3.2.19 or later.
​SIMATIC ET 200pro IM154-8F PN/DP CPU (6ES7154-8FB01-0AB0): Update to V3.2.19 or later.
​SIMATIC ET 200pro IM154-8FX PN/DP CPU (6ES7154-8FX00-0AB0): Update to V3.2.19 or later.
​SIMATIC ET 200S IM151-8 PN/DP CPU (6ES7151-8AB01-0AB0): Update to V3.2.19 or later.
​SIMATIC ET 200S IM151-8F PN/DP CPU (6ES7151-8FB01-0AB0): Update to V3.2.19 or later.
​SIMATIC PDM V9.2: Update to V9.2 SP2 Upd1 or later.
​SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SJ01-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1510SP F-1 PN (6ES7510-1SK03-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DJ01-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1510SP-1 PN (6ES7510-1DK03-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK01-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AK02-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1511-1 PN (6ES7511-1AL03-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK00-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1511C-1 PN (6ES7511-1CK01-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK01-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FK02-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1511F-1 PN (6ES7511-1FL03-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TK01-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1511T-1 PN (6ES7511-1TL03-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UK01-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1511TF-1 PN (6ES7511-1UL03-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK00-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1512C-1 PN (6ES7512-1CK01-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SK01-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1512SP F-1 PN (6ES7512-1SM03-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DK01-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1512SP-1 PN (6ES7512-1DM03-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL01-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AL02-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1513-1 PN (6ES7513-1AM03-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL01-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FL02-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1513F-1 PN (6ES7513-1FM03-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RL00-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1513R-1 PN (6ES7513-1RM03-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1514SP F-2 PN (6ES7514-2SN03-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1514SP-2 PN (6ES7514-2DN03-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1514SPT F-2 PN (6ES7514-2WN03-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1514SPT-2 PN (6ES7514-2VN03-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM01-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AM02-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1515-2 PN (6ES7515-2AN03-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM01-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FM02-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1515F-2 PN (6ES7515-2FN03-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RM00-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1515R-2 PN (6ES7515-2RN03-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TM01-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1515T-2 PN (6ES7515-2TN03-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UM01-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1515TF-2 PN (6ES7515-2UN03-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN01-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AN02-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1516-3 PN/DP (6ES7516-3AP03-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN01-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FN02-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU 1516F-3 PN/DP (6ES7516-3FP03-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1516T-3 PN/DP (6ES7516-3TN00-0AB0): Update to V3.0.3 or later.
SIMATIC S7-1500 CPU 1516TF-3 PN/DP (6ES7516-3UN00-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1517-3 PN/DP (6ES7517-3AP00-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1517F-3 PN/DP (6ES7517-3FP00-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1517H-3 PN (6ES7517-3HP00-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1517T-3 PN/DP (6ES7517-3TP00-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1517TF-3 PN/DP (6ES7517-3UP00-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1518-4 PN/DP (6ES7518-4AP00-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (6ES7518-4AX00-1AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1518F-4 PN/DP (6ES7518-4FP00-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1518HF-4 PN (6ES7518-4JP00-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1518T-4 PN/DP (6ES7518-4TP00-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU 1518TF-4 PN/DP (6ES7518-4UP00-0AB0): Update to V3.0.3 or later.
​SIMATIC S7-1500 CPU S7-1518-4 PN/DP ODK (6ES7518-4AP00-3AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 CPU S7-1518F-4 PN/DP ODK (6ES7518-4FP00-3AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 ET 200pro: CPU 1513PRO F-2 PN (6ES7513-2GL00-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 ET 200pro: CPU 1513PRO-2 PN (6ES7513-2PL00-0AB0): Update to V2.9.7 or later.
​SIMATIC S7-1500 ET 200pro: CPU 1516PRO F-2 PN (6ES7516-2GN00-0AB0): Update to V2.9.7 or later.
SIMATIC S7-1500 ET 200pro: CPU 1516PRO-2 PN (6ES7516-2PN00-0AB0): Update to V2.9.7 or later.
SIMATIC S7-300 CPU 314C-2 PN/DP (6ES7314-6EH04-0AB0): Update to V3.3.19 or later.
SIMATIC S7-300 CPU 315-2 PN/DP (6ES7315-2EH14-0AB0): Update to V3.2.19 or later.
SIMATIC S7-300 CPU 315F-2 PN/DP (6ES7315-2FJ14-0AB0): Update to V3.2.19 or later.
SIMATIC S7-300 CPU 315T-3 PN/DP (6ES7315-7TJ10-0AB0): Update to V3.2.19 or later.
SIMATIC S7-300 CPU 317-2 PN/DP (6ES7317-2EK14-0AB0): Update to V3.2.19 or later.
SIMATIC S7-300 CPU 317F-2 PN/DP (6ES7317-2FK14-0AB0): Update to V3.2.19 or later.
SIMATIC S7-300 CPU 317T-3 PN/DP (6ES7317-7TK10-0AB0): Update to V3.2.19 or later.
SIMATIC S7-300 CPU 317TF-3 PN/DP (6ES7317-7UL10-0AB0): Update to V3.2.19 or later.
SIMATIC S7-300 CPU 319-3 PN/DP (6ES7318-3EL01-0AB0): Update to V3.2.19 or later.
SIMATIC S7-300 CPU 319F-3 PN/DP (6ES7318-3FL01-0AB0): Update to V3.2.19 or later.
SIPLUS ET 200S IM151-8 PN/DP CPU (6AG1151-8AB01-7AB0): Update to V3.2.19 or later.
SIPLUS ET 200S IM151-8F PN/DP CPU (6AG1151-8FB01-2AB0): Update to V3.2.19 or later.
SIPLUS ET 200SP CPU 1510SP F-1 PN (6AG1510-1SJ01-2AB0): Update to V2.9.7 or later.
SIPLUS ET 200SP CPU 1510SP F-1 PN RAIL (6AG2510-1SJ01-1AB0): Update to V2.9.7 or later.
SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-2AB0): Update to V2.9.7 or later.
SIPLUS ET 200SP CPU 1510SP-1 PN (6AG1510-1DJ01-7AB0): Update to V2.9.7 or later.
SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-4AB0): Update to V2.9.7 or later.
SIPLUS ET 200SP CPU 1510SP-1 PN RAIL (6AG2510-1DJ01-1AB0): Update to V2.9.7 or later.
SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-2AB0): Update to V2.9.7 or later.
SIPLUS ET 200SP CPU 1512SP F-1 PN (6AG1512-1SK01-7AB0): Update to V2.9.7 or later.
SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-1AB0): Update to V2.9.7 or later.
SIPLUS ET 200SP CPU 1512SP F-1 PN RAIL (6AG2512-1SK01-4AB0): Update to V2.9.7 or later.
SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-2AB0): Update to V2.9.7 or later.
SIPLUS ET 200SP CPU 1512SP-1 PN (6AG1512-1DK01-7AB0): Update to V2.9.7 or later.
SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-4AB0): Update to V2.9.7 or later.
SIPLUS ET 200SP CPU 1512SP-1 PN RAIL (6AG2512-1DK01-1AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-2AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-2AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK01-7AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1511-1 PN (6AG1511-1AK02-7AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK01-1AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL (6AG2511-1AK02-1AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK01-4AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1511-1 PN TX RAIL (6AG2511-1AK02-4AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK01-2AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1511F-1 PN (6AG1511-1FK02-2AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-7AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL01-2AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-2AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1513-1 PN (6AG1513-1AL02-7AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL01-2AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1513F-1 PN (6AG1513-1FL02-2AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM01-2AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1515F-2 PN (6AG1515-2FM02-2AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1515F-2 PN RAIL (6AG2515-2FM02-4AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1515F-2 PN T2 RAIL (6AG2515-2FM01-2AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1515R-2 PN (6AG1515-2RM00-7AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1515R-2 PN TX RAIL (6AG2515-2RM00-4AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-7AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN01-2AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-2AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1516-3 PN/DP (6AG1516-3AN02-7AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1516-3 PN/DP RAIL (6AG2516-3AN02-4AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1516-3 PN/DP TX RAIL (6AG2516-3AN01-4AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN02-2AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1516F-3 PN/DP (6AG1516-3FN01-2AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-2AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1516F-3 PN/DP RAIL (6AG2516-3FN02-4AB0): Update to V2.9.7 or later.
SIPLUS S7-1500 CPU 1517H-3 PN (6AG1517-3HP00-4AB0): Update to V3.0.3 or later.
SIPLUS S7-1500 CPU 1518-4 PN/DP (6AG1518-4AP00-4AB0): Update to V3.0.3 or later.
SIPLUS S7-1500 CPU 1518-4 PN/DP MFP (6AG1518-4AX00-4AC0): Update to V3.0.3 or later.
SIPLUS S7-1500 CPU 1518F-4 PN/DP (6AG1518-4FP00-4AB0): Update to V3.0.3 or later.
SIPLUS S7-1500 CPU 1518HF-4 PN (6AG1518-4JP00-4AB0): Update to V3.0.3 or later.
SIPLUS S7-300 CPU 314C-2 PN/DP (6AG1314-6EH04-7AB0): Update to V3.3.19 or later.
SIPLUS S7-300 CPU 315-2 PN/DP (6AG1315-2EH14-7AB0): Update to V3.2.19 or later.
SIPLUS S7-300 CPU 315F-2 PN/DP (6AG1315-2FJ14-2AB0): Update to V3.2.19 or later.
SIPLUS S7-300 CPU 317-2 PN/DP (6AG1317-2EK14-7AB0): Update to V3.2.19 or later.
SIPLUS S7-300 CPU 317F-2 PN/DP (6AG1317-2FK14-2AB0): Update to V3.2.19 or later.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

As a mitigation for vulnerable versions: disable the web server.
If possible, avoid the use of RSA based certificates in TLS communication and use ECC based certificates instead.
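The mitigation above prefers ECC certificates over RSA certificates for the CPU's TLS endpoints. Before rolling that out, a practitioner wants to know which devices still present an RSA certificate. The following C program is an added example, not Siemens code and not part of the advisory: it walks a DER-encoded X.509 certificate down to the SubjectPublicKeyInfo and reports whether the key is RSA or EC, rejecting truncated or malformed input rather than reading past it. The two embedded certificates are constructed stubs with a correct ASN.1 skeleton and dummy key and signature bytes; they are not real certificates. To check a live device, export its certificate first (the host name and port are assumptions): `openssl s_client -connect plc.example:443 </dev/null 2>/dev/null | openssl x509 -outform DER > plc.der`, then run the program on that file.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Key algorithm found in a certificate's SubjectPublicKeyInfo. */
enum key_type { KEY_ERR = -1, KEY_UNKNOWN = 0, KEY_RSA = 1, KEY_EC = 2 };

static const uint8_t OID_RSA[] = {0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01}; /* 1.2.840.113549.1.1.1 rsaEncryption */
static const uint8_t OID_EC[]  = {0x2a,0x86,0x48,0xce,0x3d,0x02,0x01};           /* 1.2.840.10045.2.1 id-ecPublicKey */

/* Decode one DER tag/length header at p (n bytes available). Returns the header
 * size, or 0 if the header is malformed or the length overruns the buffer. */
static size_t der_hdr(const uint8_t *p, size_t n, uint8_t *tag, size_t *len) {
    if (n < 2) return 0;
    *tag = p[0];
    size_t hdr = 2;
    if (p[1] < 0x80) {
        *len = p[1];                          /* short form */
    } else {
        size_t nb = p[1] & 0x7f;              /* long form: number of length bytes */
        if (nb == 0 || nb > 4 || n < 2 + nb) return 0;
        size_t l = 0;
        for (size_t k = 0; k < nb; k++) l = (l << 8) | p[2 + k];
        *len = l;
        hdr = 2 + nb;
    }
    return (*len <= n - hdr) ? hdr : 0;       /* body must fit in what is left */
}

/* Descend into a constructed element of the expected tag; p/n then cover its body. */
static int der_enter(const uint8_t **p, size_t *n, uint8_t want) {
    uint8_t tag; size_t len;
    size_t h = der_hdr(*p, *n, &tag, &len);
    if (h == 0 || tag != want) return 0;
    *p += h; *n = len;
    return 1;
}

/* Step over one element, whatever it is. */
static int der_skip(const uint8_t **p, size_t *n) {
    uint8_t tag; size_t len;
    size_t h = der_hdr(*p, *n, &tag, &len);
    if (h == 0) return 0;
    *p += h + len; *n -= h + len;
    return 1;
}

/* Certificate -> tbsCertificate -> subjectPublicKeyInfo -> AlgorithmIdentifier -> OID */
int spki_key_type(const uint8_t *cert, size_t n) {
    const uint8_t *p = cert;
    if (!der_enter(&p, &n, 0x30)) return KEY_ERR;                   /* Certificate */
    if (!der_enter(&p, &n, 0x30)) return KEY_ERR;                   /* tbsCertificate */
    if (n > 0 && p[0] == 0xa0 && !der_skip(&p, &n)) return KEY_ERR; /* optional [0] version */
    for (int i = 0; i < 5; i++)                      /* serial, signature, issuer, validity, subject */
        if (!der_skip(&p, &n)) return KEY_ERR;
    if (!der_enter(&p, &n, 0x30)) return KEY_ERR;                   /* subjectPublicKeyInfo */
    if (!der_enter(&p, &n, 0x30)) return KEY_ERR;                   /* AlgorithmIdentifier */
    uint8_t tag; size_t len;
    size_t h = der_hdr(p, n, &tag, &len);
    if (h == 0 || tag != 0x06) return KEY_ERR;                      /* algorithm OBJECT IDENTIFIER */
    p += h;
    if (len == sizeof OID_RSA && memcmp(p, OID_RSA, len) == 0) return KEY_RSA;
    if (len == sizeof OID_EC  && memcmp(p, OID_EC,  len) == 0) return KEY_EC;
    return KEY_UNKNOWN;
}

/* Constructed stub certificates: valid ASN.1 skeleton, dummy key/signature bits. */
static const uint8_t SAMPLE_RSA[] = {
    0x30,0x48, 0x30,0x33,                                   /* Certificate, tbsCertificate */
    0xa0,0x03,0x02,0x01,0x02,  0x02,0x01,0x01,              /* [0] version v3, serialNumber 1 */
    0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00, /* sha256WithRSA */
    0x30,0x00, 0x30,0x00, 0x30,0x00,                        /* issuer, validity, subject (empty) */
    0x30,0x14, 0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x01,0x05,0x00, /* SPKI: rsaEncryption */
    0x03,0x03,0x00,0xff,0xff,                               /* subjectPublicKey (dummy) */
    0x30,0x0d,0x06,0x09,0x2a,0x86,0x48,0x86,0xf7,0x0d,0x01,0x01,0x0b,0x05,0x00, /* signatureAlgorithm */
    0x03,0x02,0x00,0xff                                     /* signatureValue (dummy) */
};
static const uint8_t SAMPLE_EC[] = {
    0x30,0x48, 0x30,0x36,
    0xa0,0x03,0x02,0x01,0x02,  0x02,0x01,0x01,
    0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0x02, /* ecdsa-with-SHA256 */
    0x30,0x00, 0x30,0x00, 0x30,0x00,
    0x30,0x1a, 0x30,0x13,0x06,0x07,0x2a,0x86,0x48,0xce,0x3d,0x02,0x01,
               0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x03,0x01,0x07, /* SPKI: ecPublicKey, prime256v1 */
    0x03,0x03,0x00,0xff,0xff,
    0x30,0x0a,0x06,0x08,0x2a,0x86,0x48,0xce,0x3d,0x04,0x03,0x02,
    0x03,0x02,0x00,0xff
};

int main(int argc, char **argv) {
    static uint8_t buf[65536];
    if (argc != 2) { fprintf(stderr, "usage: %s cert.der\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror(argv[1]); return 2; }
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    int t = spki_key_type(buf, n);
    puts(t == KEY_RSA ? "RSA key: migrate this endpoint to an ECC certificate"
       : t == KEY_EC  ? "EC key" : t == KEY_UNKNOWN ? "other key algorithm" : "malformed certificate");
    return t == KEY_RSA;   /* non-zero exit flags RSA, handy in a scan loop */
}
```

The program exits non-zero for an RSA key, so a loop over exported certificates can list the devices that still need a new certificate. It inspects only the key algorithm; whether the CPU is on a fixed firmware version still has to be checked separately.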

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to the Siemens’ operational guidelines for industrial security and following product manual recommendations. Additional information on Siemens industrial security can be found on the Siemens industrial security webpage.

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT.

For more information, see the associated Siemens security advisory SSA-264814 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as virtual private networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time. This vulnerability has a high attack complexity.

Siemens Parasolid and Teamcenter Visualization

1. EXECUTIVE SUMMARY

CVSS v3 7.8
ATTENTION: Low attack complexity
Vendor: Siemens
Equipment: Parasolid and Teamcenter Visualization
Vulnerabilities: NULL Pointer Dereference, Out-of-bounds Read, Out-of-bounds Write, Allocation of Resources without Limits or Throttling

2. RISK EVALUATION

An attacker could successfully exploit these vulnerabilities by tricking a user into opening a malicious X_T file, which could cause a denial of service or allow the attacker to execute code in the context of the current process. All of these vulnerabilities require a user to open a file locally; none is exploitable remotely.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports that the following products are affected:

Parasolid V34.1: versions prior to V34.1.258
Parasolid V35.0: versions prior to V35.0.254
Parasolid V35.1: versions prior to V35.1.171
Parasolid V35.1: versions prior to V35.1.197
Parasolid V35.1: versions prior to V35.1.184
Teamcenter Visualization V14.1: all versions
Teamcenter Visualization V14.2: versions prior to V14.2.0.6
Teamcenter Visualization V14.3: all versions

3.2 VULNERABILITY OVERVIEW

3.2.1 NULL POINTER DEREFERENCE CWE-476

The affected applications contain a null pointer dereference while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process; note, however, that the assigned CVSS vector below scores only a low availability impact, which is consistent with an application crash rather than code execution.

CVE-2023-38524 has been assigned to this vulnerability. A CVSS v3 base score of 3.3 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L).

3.2.2 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-38525 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.3 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-38526 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.4 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-38527 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.5 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-38529 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.6 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-38530 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.7 OUT-OF-BOUNDS READ CWE-125

The affected applications contain an out-of-bounds read past the end of an allocated structure while parsing specially crafted X_T files. This could allow an attacker to execute code in the context of the current process.

CVE-2023-38531 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.8 OUT-OF-BOUNDS WRITE CWE-787

The affected application contains an out-of-bounds write past the end of an allocated buffer while parsing a specially crafted X_T file. This could allow an attacker to execute code in the context of the current process.

CVE-2023-38528 has been assigned to this vulnerability. A CVSS v3 base score of 7.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

3.2.9 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770

The affected application contains a stack exhaustion vulnerability while parsing a specially crafted X_T file. This could allow an attacker to cause a denial-of-service condition.

CVE-2023-38532 has been assigned to this vulnerability. A CVSS v3 base score of 6.6 has been calculated; the CVSS vector string is (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:H).
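The nine findings above share one root cause: a file parser that trusts the length and count fields it reads. The following C example is added here and is not Parasolid or Teamcenter Visualization code, nor the X_T format; it uses a small hypothetical nested record format (constructed for this illustration) to show the three checks that close these bug classes: a bounds check before every field read (out-of-bounds read, CWE-125), a length check against both the destination buffer and the remaining input before copying a leaf payload (out-of-bounds write, CWE-787), and a nesting limit on the recursion (stack exhaustion, CWE-770). The comments show the unchecked pattern each check replaces; the sample inputs are constructed.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical nested record format, constructed only for this illustration:
 *   record := u32le kind, u32le n
 *     kind 1 (node): n child records follow
 *     kind 2 (leaf): n payload bytes follow                                   */
enum { KIND_NODE = 1, KIND_LEAF = 2 };
enum { PARSE_OK = 0, ERR_TRUNCATED, ERR_TOO_LARGE, ERR_DEPTH, ERR_BAD_KIND, ERR_TRAILING };

#define MAX_LEAF  64   /* size of the fixed scratch buffer a leaf payload is copied into */
#define MAX_DEPTH 32   /* nesting limit; bounds the recursion depth (CWE-770) */

typedef struct { const uint8_t *buf; size_t len, pos; } cursor;
typedef struct { uint32_t nodes, leaves; } stats;

/* Bounds-checked little-endian u32 read. The unchecked pattern behind CWE-125 is
 *   v = *(uint32_t *)(buf + pos); pos += 4;
 * which reads past the end of a file whose last record is cut short. */
static int rd_u32(cursor *c, uint32_t *v) {
    if (c->len - c->pos < 4) return ERR_TRUNCATED;
    const uint8_t *p = c->buf + c->pos;
    *v = (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
    c->pos += 4;
    return PARSE_OK;
}

static int parse_record(cursor *c, unsigned depth, stats *s) {
    uint32_t kind, n;
    int rc;
    if (depth > MAX_DEPTH) return ERR_DEPTH;   /* refuse before recursing any deeper */
    if ((rc = rd_u32(c, &kind)) != PARSE_OK) return rc;
    if ((rc = rd_u32(c, &n)) != PARSE_OK) return rc;
    switch (kind) {
    case KIND_LEAF: {
        uint8_t scratch[MAX_LEAF];
        /* The unchecked pattern behind CWE-787 is memcpy(scratch, c->buf + c->pos, n)
         * with n taken straight from the file: n must fit both the destination
         * buffer and the bytes actually left in the input. */
        if (n > MAX_LEAF) return ERR_TOO_LARGE;
        if (c->len - c->pos < n) return ERR_TRUNCATED;
        memcpy(scratch, c->buf + c->pos, n);
        c->pos += n;
        s->leaves++;
        (void)scratch;   /* a real parser would consume the payload here */
        return PARSE_OK;
    }
    case KIND_NODE:
        s->nodes++;
        /* n may be 0xffffffff; the loop still terminates because every child
         * consumes at least 8 bytes or fails with ERR_TRUNCATED. */
        for (uint32_t i = 0; i < n; i++)
            if ((rc = parse_record(c, depth + 1, s)) != PARSE_OK) return rc;
        return PARSE_OK;
    default:
        return ERR_BAD_KIND;
    }
}

/* Parse a whole file image; s may be NULL. */
int parse_file(const uint8_t *data, size_t len, stats *s) {
    cursor c = { data, len, 0 };
    stats local = { 0, 0 };
    int rc = parse_record(&c, 0, &local);
    if (rc == PARSE_OK && c.pos != c.len) rc = ERR_TRAILING;
    if (s) *s = local;
    return rc;
}

/* Leaf count on success, -1 on any parse error. */
int leaves_in(const uint8_t *d, size_t n) {
    stats s;
    return parse_file(d, n, &s) == PARSE_OK ? (int)s.leaves : -1;
}

/* Build `depth` nested single-child nodes ending in an empty leaf, then parse it
 * (a nesting bomb when depth exceeds MAX_DEPTH). */
int parse_nested(unsigned depth) {
    uint8_t buf[8 * 128];
    if (depth > 127) return ERR_TOO_LARGE;
    size_t pos = 0;
    const uint8_t node[8] = { KIND_NODE,0,0,0, 1,0,0,0 };
    const uint8_t leaf[8] = { KIND_LEAF,0,0,0, 0,0,0,0 };
    for (unsigned i = 0; i < depth; i++) { memcpy(buf + pos, node, 8); pos += 8; }
    memcpy(buf + pos, leaf, 8); pos += 8;
    return parse_file(buf, pos, NULL);
}

/* Constructed sample inputs. */
static const uint8_t IN_OK[] = {
    1,0,0,0, 2,0,0,0,                /* node with 2 children */
    2,0,0,0, 3,0,0,0, 'a','b','c',   /* leaf, 3 payload bytes */
    1,0,0,0, 1,0,0,0,                /* node with 1 child */
    2,0,0,0, 0,0,0,0                 /* empty leaf */
};
static const uint8_t IN_TRUNC[] = { 2,0,0,0, 16,0,0,0, 'A','A','A','A' }; /* leaf claims 16 bytes, has 4 */
static const uint8_t IN_BIG[]   = { 2,0,0,0, 0,16,0,0 };                  /* leaf claims 4096 bytes */

int main(void) {
    printf("well-formed: rc=%d leaves=%d\n", parse_file(IN_OK, sizeof IN_OK, NULL), leaves_in(IN_OK, sizeof IN_OK));
    printf("truncated leaf: rc=%d\n", parse_file(IN_TRUNC, sizeof IN_TRUNC, NULL));
    printf("oversized leaf: rc=%d\n", parse_file(IN_BIG, sizeof IN_BIG, NULL));
    printf("40-deep nesting: rc=%d\n", parse_nested(40));
    return 0;
}
```

Each rejected input maps to one of the CWE classes in the advisory: the truncated leaf would have been an out-of-bounds read, the oversized leaf a stack buffer overwrite, and the 40-deep nesting unbounded recursion. A fuzzing harness for a format parser should exercise exactly these three shapes.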

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
COUNTRIES/AREAS DEPLOYED: Worldwide
COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens released updates for several affected products and recommends updating to the latest versions. Siemens is preparing further updates for Teamcenter Visualization V14.1 and V14.3; fixes are planned for the next patch release:

Parasolid V34.1: Update to V34.1.258 or later version.
Parasolid V35.0: Update to V35.0.254 or later version.
Parasolid V35.1: Update to V35.1.171 or later version.
Parasolid V35.1: Update to V35.1.197 or later version.
Parasolid V35.1: Update to V35.1.184 or later version.
Teamcenter Visualization V14.2: Update to V14.2.0.6 or later version.

Siemens identified the following specific workaround/mitigation users can apply to reduce risk: 

Do not open untrusted X_T files in Parasolid or Teamcenter Visualization.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to the Siemens’ operational guidelines for industrial security and following recommendations in the product manuals. Additional information on Siemens industrial security can be found on the Siemens industrial security webpage.

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT.

For more information, see the associated Siemens security advisory SSA-407785 in HTML and CSAF.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks:

Do not click web links or open attachments in unsolicited email messages.
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely. These vulnerabilities have low attack complexity.