As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity 
Vendor: Siemens  
Equipment: SCALANCE X-200, X-200IRT, and X-300 Switch Families 
Vulnerabilities: Integer Overflow or Wraparound 

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could lead to memory corruption. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

Siemens reports these vulnerabilities affect the following SCALANCE Switch Family products: 

SCALANCE X200-4P IRT (6GK5200-4AH00-2BA3): All versions prior to V5.5.2 
SCALANCE X201-3P IRT (6GK5201-3BH00-2BA3): All versions prior to V5.5.2 
SCALANCE X201-3P IRT PRO (6GK5201-3JR00-2BA6): All versions prior to V5.5.2 
SCALANCE X202-2IRT (6GK5202-2BB00-2BA3): All versions prior to V5.5.2 
SCALANCE X202-2IRT (6GK5202-2BB10-2BA3): All versions prior to V5.5.2 
SCALANCE X202-2P IRT (6GK5202-2BH00-2BA3): All versions prior to V5.5.2 
SCALANCE X202-2P IRT PRO (6GK5202-2JR00-2BA6): All versions prior to V5.5.2 
SCALANCE X204-2 (6GK5204-2BB10-2AA3): All versions prior to V5.2.6 
SCALANCE X204-2FM (6GK5204-2BB11-2AA3): All versions prior to V5.2.6 
SCALANCE X204-2LD (6GK5204-2BC10-2AA3): All versions prior to V5.2.6 
SCALANCE X204-2LD TS (6GK5204-2BC10-2CA2): All versions prior to V5.2.6 
SCALANCE X204-2TS (6GK5204-2BB10-2CA2): All versions prior to V5.2.6 
SCALANCE X204IRT (6GK5204-0BA00-2BA3): All versions prior to V5.5.2 
SCALANCE X204IRT (6GK5204-0BA10-2BA3): All versions prior to V5.5.2 
SCALANCE X204IRT PRO (6GK5204-0JA00-2BA6): All versions prior to V5.5.2 
SCALANCE X206-1 (6GK5206-1BB10-2AA3): All versions prior to V5.2.6 
SCALANCE X206-1LD (6GK5206-1BC10-2AA3): All versions prior to V5.2.6 
SCALANCE X208 (6GK5208-0BA10-2AA3): All versions prior to V5.2.6 
SCALANCE X208PRO (6GK5208-0HA10-2AA6): All versions prior to V5.2.6 
SCALANCE X212-2 (6GK5212-2BB00-2AA3): All versions prior to V5.2.6 
SCALANCE X212-2LD (6GK5212-2BC00-2AA3): All versions prior to V5.2.6 
SCALANCE X216 (6GK5216-0BA00-2AA3): All versions prior to V5.2.6 
SCALANCE X224 (6GK5224-0BA00-2AA3): All versions prior to V5.2.6 
SCALANCE X302-7 EEC (230V, coated) (6GK5302-7GD00-3GA3): All versions 
SCALANCE X302-7 EEC (230V) (6GK5302-7GD00-3EA3): All versions 
SCALANCE X302-7 EEC (24V, coated) (6GK5302-7GD00-1GA3): All versions 
SCALANCE X302-7 EEC (24V) (6GK5302-7GD00-1EA3): All versions 
SCALANCE X302-7 EEC (2x 230V, coated) (6GK5302-7GD00-4GA3): All versions 
SCALANCE X302-7 EEC (2x 230V) (6GK5302-7GD00-4EA3): All versions 
SCALANCE X302-7 EEC (2x 24V, coated) (6GK5302-7GD00-2GA3): All versions 
SCALANCE X302-7 EEC (2x 24V) (6GK5302-7GD00-2EA3): All versions 
SCALANCE X304-2FE (6GK5304-2BD00-2AA3): All versions 
SCALANCE X306-1LD FE (6GK5306-1BF00-2AA3): All versions 
SCALANCE X307-2 EEC (230V, coated) (6GK5307-2FD00-3GA3): All versions 
SCALANCE X307-2 EEC (230V) (6GK5307-2FD00-3EA3): All versions 
SCALANCE X307-2 EEC (24V, coated) (6GK5307-2FD00-1GA3): All versions 
SCALANCE X307-2 EEC (24V) (6GK5307-2FD00-1EA3): All versions 
SCALANCE X307-2 EEC (2x 230V, coated) (6GK5307-2FD00-4GA3): All versions 
SCALANCE X307-2 EEC (2x 230V) (6GK5307-2FD00-4EA3): All versions 
SCALANCE X307-2 EEC (2x 24V, coated) (6GK5307-2FD00-2GA3): All versions 
SCALANCE X307-2 EEC (2x 24V) (6GK5307-2FD00-2EA3): All versions 
SCALANCE X307-3 (6GK5307-3BL00-2AA3): All versions 
SCALANCE X307-3 (6GK5307-3BL10-2AA3): All versions 
SCALANCE X307-3LD (6GK5307-3BM00-2AA3): All versions 
SCALANCE X307-3LD (6GK5307-3BM10-2AA3): All versions 
SCALANCE X308-2 (6GK5308-2FL00-2AA3): All versions 
SCALANCE X308-2 (6GK5308-2FL10-2AA3): All versions 
SCALANCE X308-2LD (6GK5308-2FM00-2AA3): All versions 
SCALANCE X308-2LD (6GK5308-2FM10-2AA3): All versions 
SCALANCE X308-2LH (6GK5308-2FN00-2AA3): All versions 
SCALANCE X308-2LH (6GK5308-2FN10-2AA3): All versions 
SCALANCE X308-2LH+ (6GK5308-2FP00-2AA3): All versions 
SCALANCE X308-2LH+ (6GK5308-2FP10-2AA3): All versions 
SCALANCE X308-2M (6GK5308-2GG00-2AA2): All versions 
SCALANCE X308-2M (6GK5308-2GG10-2AA2): All versions 
SCALANCE X308-2M PoE (6GK5308-2QG00-2AA2): All versions 
SCALANCE X308-2M PoE (6GK5308-2QG10-2AA2): All versions 
SCALANCE X308-2M TS (6GK5308-2GG00-2CA2): All versions 
SCALANCE X308-2M TS (6GK5308-2GG10-2CA2): All versions 
SCALANCE X310 (6GK5310-0FA00-2AA3): All versions 
SCALANCE X310 (6GK5310-0FA10-2AA3): All versions 
SCALANCE X310FE (6GK5310-0BA00-2AA3): All versions 
SCALANCE X310FE (6GK5310-0BA10-2AA3): All versions 
SCALANCE X320-1 FE (6GK5320-1BD00-2AA3): All versions 
SCALANCE X320-1-2LD FE (6GK5320-3BF00-2AA3): All versions 
SCALANCE X408-2 (6GK5408-2FD00-2AA2): All versions 
SCALANCE XF201-3P IRT (6GK5201-3BH00-2BD2): All versions prior to V5.5.2 
SCALANCE XF202-2P IRT (6GK5202-2BH00-2BD2): All versions prior to V5.5.2 
SCALANCE XF204 (6GK5204-0BA00-2AF2): All versions prior to V5.2.6 
SCALANCE XF204-2 (6GK5204-2BC00-2AF2): All versions prior to V5.2.6 
SCALANCE XF204-2BA IRT (6GK5204-2AA00-2BD2): All versions prior to V5.5.2 
SCALANCE XF204IRT (6GK5204-0BA00-2BF2): All versions prior to V5.5.2 
SCALANCE XF206-1 (6GK5206-1BC00-2AF2): All versions prior to V5.2.6 
SCALANCE XF208 (6GK5208-0BA00-2AF2): All versions prior to V5.2.6 
SCALANCE XR324-12M (230V, ports on front) (6GK5324-0GG00-3AR2): All versions 
SCALANCE XR324-12M (230V, ports on front) (6GK5324-0GG10-3AR2): All versions 
SCALANCE XR324-12M (230V, ports on rear) (6GK5324-0GG00-3HR2): All versions 
SCALANCE XR324-12M (230V, ports on rear) (6GK5324-0GG10-3HR2): All versions 
SCALANCE XR324-12M (24V, ports on front) (6GK5324-0GG00-1AR2): All versions 
SCALANCE XR324-12M (24V, ports on front) (6GK5324-0GG10-1AR2): All versions 
SCALANCE XR324-12M (24V, ports on rear) (6GK5324-0GG00-1HR2): All versions 
SCALANCE XR324-12M (24V, ports on rear) (6GK5324-0GG10-1HR2): All versions 
SCALANCE XR324-12M TS (24V) (6GK5324-0GG00-1CR2): All versions 
SCALANCE XR324-12M TS (24V) (6GK5324-0GG10-1CR2): All versions 
SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front) (6GK5324-4GG00-3ER2): All versions 
SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front) (6GK5324-4GG10-3ER2): All versions 
SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG00-3JR2): All versions 
SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG10-3JR2): All versions 
SCALANCE XR324-4M EEC (24V, ports on front) (6GK5324-4GG00-1ER2): All versions 
SCALANCE XR324-4M EEC (24V, ports on front) (6GK5324-4GG10-1ER2): All versions 
SCALANCE XR324-4M EEC (24V, ports on rear) (6GK5324-4GG00-1JR2): All versions 
SCALANCE XR324-4M EEC (24V, ports on rear) (6GK5324-4GG10-1JR2): All versions 
SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front) (6GK5324-4GG00-4ER2): All versions 
SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front) (6GK5324-4GG10-4ER2): All versions 
SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG00-4JR2): All versions 
SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG10-4JR2): All versions 
SCALANCE XR324-4M EEC (2x 24V, ports on front) (6GK5324-4GG00-2ER2): All versions 
SCALANCE XR324-4M EEC (2x 24V, ports on front) (6GK5324-4GG10-2ER2): All versions 
SCALANCE XR324-4M EEC (2x 24V, ports on rear) (6GK5324-4GG00-2JR2): All versions 
SCALANCE XR324-4M EEC (2x 24V, ports on rear) (6GK5324-4GG10-2JR2): All versions 
SCALANCE XR324-4M PoE (230V, ports on front) (6GK5324-4QG00-3AR2): All versions 
SCALANCE XR324-4M PoE (230V, ports on rear) (6GK5324-4QG00-3HR2): All versions 
SCALANCE XR324-4M PoE (24V, ports on front) (6GK5324-4QG00-1AR2): All versions 
SCALANCE XR324-4M PoE (24V, ports on rear) (6GK5324-4QG00-1HR2): All versions 
SCALANCE XR324-4M PoE TS (24V, ports on front) (6GK5324-4QG00-1CR2): All versions 
SIPLUS NET SCALANCE X202-2P IRT (6AG1202-2BH00-2BA3): All versions prior to V5.5.2 
SIPLUS NET SCALANCE X308-2 (6AG1308-2FL10-4AA3): All versions 

3.2 VULNERABILITY OVERVIEW

3.2.1 INTEGER OVERFLOW OR WRAPAROUND CWE-190 

In Wind River VxWorks, the memory allocator has a possible overflow in calculating the memory block’s size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption. 

CVE-2020-28895 has been assigned to this vulnerability. A CVSS v3 base score of 7.3 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). 

3.2.2 INTEGER OVERFLOW OR WRAPAROUND CWE-190 

In Wind River VxWorks, the memory allocator has a possible integer overflow in calculating a memory block’s size to be allocated by calloc(). As a result, the actual memory allocated is smaller than the buffer size specified by the arguments, leading to memory corruption. 

CVE-2020-35198 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been assigned; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA. 

4. MITIGATIONS

Siemens has released a new firmware version for SCALANCE X-200 and X-200 IRT switches that address “Bad Alloc” vulnerabilities in the underlying operating system and recommends updating to the latest versions. Siemens recommends countermeasures for products where updates are not, or not yet available: 

Update to V5.2.6 or later version.  
Update to V5.5.2 or later version.  

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and to follow the recommendations in the product manuals. Additional information on industrial security by Siemens can be found on the Siemens Industrial Security web page. 

For further inquiries on security vulnerabilities in Siemens products and solutions, users should contact the Siemens ProductCERT.  

For more information, see the associated Siemens security advisory SSA-813746 in HTML and CSAF. 

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have low attack complexity. 

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity 
Vendor: Mitsubishi Electric India 
Equipment: GC-ENET-COM 
Vulnerability: Signal Handler Race Condition  

2. RISK EVALUATION

Successful exploitation of this vulnerability could lead to a communication error and may result in a denial-of-service condition.  

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Mitsubishi Electric India Ethernet communication Extension unit GC-ENET-COM, are affected: 

Mitsubishi Electric India GC-ENET-COM: Models with the beginning serial number 16XXXXXXXXX. 

3.2 VULNERABILITY OVERVIEW

3.2.1 SIGNAL HANDLER RACE CONDITION CWE-364 

A vulnerability exists in the Ethernet communication Extension unit (GC-ENET-COM) of GOC35 series due to a signal handler race condition. If a malicious attacker sends a large number of specially crafted packets, communication errors could occur and could result in a denial-of-service condition when GC-ENET-COM is configured as a Modbus TCP Server. 

CVE-2023-1285 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing  
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: India 

3.4 RESEARCHER

Faruk Kazi and Parul Sindhwad of COE-CNDS lab, VJTI, Mumbai India, reported these vulnerabilities to Mitsubishi Electric India. 

4. MITIGATIONS

Mitsubishi Electric India has released the following countermeasure/mitigation: 

The firmware of Extension unit GC-ENET-COM where the first 2 digits of the 11-digit serial number starting with “17” have been fixed. The firmware update in Extension unit GC-ENET-COM is only available from the vendor. Users should contact a local Mitsubishi Electric India representative. 

Mitsubishi Electric India recommends users take the following mitigations to minimize the risk of attackers exploiting this vulnerability if the mentioned countermeasures cannot be implemented. 

Use a firewall, virtual private network (VPN), etc. to prevent unauthorized access when internet access is required. 
Locate control system networks and remote devices behind firewalls and isolate them from the business network to restrict access from untrusted networks and hosts. 
Restrict physical access to your computer and network equipment on the same network. 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.  

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

CVSS v3 9.8
ATTENTION: Exploitable remotely/low attack complexity 
Vendor: Siemens 
Equipment: CPCI85 Firmware of SICAM A8000 Devices 
Vulnerability: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following software from Siemens is affected: 

CP-8031 MASTER MODULE (6MF2803-1AA00): All versions prior to CPCI85 V05 
CP-8050 MASTER MODULE (6MF2805-0AA00): All versions prior to CPCI85 V05 

3.2 VULNERABILITY OVERVIEW

3.2.1 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS USED IN A COMMAND (‘COMMAND INJECTION’) CWE-77 

Affected devices are vulnerable to command injection via the web server port 443/TCP if the parameter “Remote Operation” is enabled; this parameter is disabled by default. This vulnerability could allow an unauthenticated remote attacker to perform arbitrary code execution on the device. 

CVE-2023-28489 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Steffen Robertz, Gerhard Hechenberger, Stefan Viehböck, Christian Hager, and Gorazd Jank from SEC Consult Vulnerability Lab on behalf of Netz Niederösterreich GmbH, EVN Gruppe reported this vulnerability to Siemens. 

4. MITIGATIONS

Siemens has released updates for the affected products and recommends updating to the latest versions: 

CP-8050 MASTER MODULE (6MF2805-0AA00): Update to CPCI85 V05 or later. 
CP-8031 MASTER MODULE (6MF2803-1AA00): Update to CPCI85 V05 or later. 

Siemens has identified the following specific workarounds and mitigations userscan apply to reduce the risk: 

Limit access to the web server on port 80/TCP and 443/TCP with an external firewall. 

Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. Siemens recommends that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid’s reliability can thus be minimized by virtue of the grid design. Siemens recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product.  

Siemens recommends that operators:  

Apply provided security updates using the corresponding tooling and documented procedures made available with the product.  
Automatically apply security updates across multiple product instances. If supported by the product, operators may use an automated means to apply the security updates across multiple product instances may be used. 
Validate any security update before being applied. It is recommended to perform the update process under the supervision of trained staff in the target environment.   
Protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN) as a general security measure. 

Recommended security guidelines can be found at the Siemens web page for Grid Security.

For more information, see the associated Siemens security advisory SSA-472454 in HTML and CSAF. 

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability. 

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens’ ProductCERT Security Advisories (CERT Services | Services | Siemens Global).

1. EXECUTIVE SUMMARY

CVSS v3 7.5
ATTENTION: Exploitable remotely/low attack complexity 
Vendor: Siemens 
Equipment: Industrial Products 
Vulnerabilities: Use After Free, Deadlock, Allocation of Resources Without Limits or Throttling 

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker to cause a denial-of-service condition. 

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following software from Siemens is affected: 

SIMATIC CP 1242-7 V2 (6GK7242-7KX31-0XE0): All versions 
SIMATIC CP 1243-1 (6GK7243-1BX30-0XE0): All versions 
SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants): All versions 
SIMATIC CP 1243-1 IEC (incl. SIPLUS variants): All versions 
SIMATIC CP 1243-7 LTE EU (6GK7243-7KX30-0XE0): All versions 
SIMATIC CP 1243-7 LTE US (6GK7243-7SX30-0XE0): All versions 
SIMATIC CP 1243-8 IRC (6GK7243-8RX30-0XE0): All versions 
SIMATIC CP 1542SP-1 (6GK7542-6UX00-0XE0): All versions 
SIMATIC CP 1542SP-1 IRC (6GK7542-6VX00-0XE0): All versions 
SIMATIC CP 1543SP-1 (6GK7543-6WX00-0XE0): All versions 
SIMATIC CP 443-1 (6GK7443-1EX30-0XE0): All versions prior to V3.3 
SIMATIC CP 443-1 (6GK7443-1EX30-0XE1): All versions prior to V3.3 
SIMATIC CP 443-1 Advanced (6GK7443-1GX30-0XE0): All versions prior to V3.3 
SIMATIC IPC DiagBase: All versions 
SIMATIC IPC DiagMonitor: All versions 
SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL (6AG2542-6VX00-4XE0): All versions 
SIPLUS ET 200SP CP 1543SP-1 ISEC (6AG1543-6WX00-7XE0): All versions 
SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL (6AG2543-6WX00-4XE0): All versions 
SIPLUS NET CP 1242-7 V2 (6AG1242-7KX31-7XE0): All versions 
SIPLUS NET CP 443-1 (6AG1443-1EX30-4XE0): All versions prior to V3.3 
SIPLUS NET CP 443-1 Advanced (6AG1443-1GX30-4XE0): All versions prior to V3.3 
SIPLUS S7-1200 CP 1243-1 (6AG1243-1BX30-2AX0): All versions 
SIPLUS S7-1200 CP 1243-1 RAIL (6AG2243-1BX30-1XE0): All versions 
SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0): All versions prior to V2.3.6 
TIM 1531 IRC (6GK7543-1MX00-0XE0): All versions prior to V2.3.6 

3.2 VULNERABILITY OVERVIEW

3.2.1 USE AFTER FREE CWE-416 

The webserver of the affected products contains a vulnerability that may lead to a denial-of-service condition. An attacker could cause a denial-of-service condition, which would lead to a restart of the webserver of the affected product. 

CVE-2022-43716 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.2.2 DEADLOCK CWE-833 

The webserver of the affected products contains a vulnerability that could lead to a denial-of-service condition. An attacker could cause a denial-of-service condition of the webserver of the affected product. 

CVE-2022-43767 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.2.3 ALLOCATION OF RESOURCES WITHOUT LIMITS OR THROTTLING CWE-770 

The webserver of the affected products contains a vulnerability that may lead to a denial-of-service condition. An attacker could cause a denial-of-service condition of the webserver of the affected product. 

CVE-2022-43768 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). 

3.3 BACKGROUND

CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors 
COUNTRIES/AREAS DEPLOYED: Worldwide 
COMPANY HEADQUARTERS LOCATION: Germany 

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA. 

4. MITIGATIONS

Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet, available: 

SIMATIC CP 443-1 (6GK7443-1EX30-0XE0): Update to V3.3 or later version 
SIMATIC CP 443-1 (6GK7443-1EX30-0XE1): Update to V3.3 or later version 
SIMATIC CP 443-1 Advanced (6GK7443-1GX30-0XE0): Update to V3.3 or later version 
SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0): Update to V2.3.6 or later version 
TIM 1531 IRC (6GK7543-1MX00-0XE0): Update to V2.3.6 or later version 

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk: 

Restrict access to the web interface of the affected products—if deactivation unsupported by the product. 
Deactivate the webserver if not required and if deactivation is supported by the product. 

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ Operational Guidelines for Industrial Security and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found on the Siemens webpage for Industrial Security. 

For further inquiries on security vulnerabilities in Siemens’ products and solutions, users should contact the Siemens ProductCERT. 

For more information, see the associated Siemens security advisory SSA-566905 in HTML and CSAF. 

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:

Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
Locate control system networks and remote devices behind firewalls and isolate them from business networks.
When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

CISA also recommends users take the following measures to protect themselves from social engineering attacks: 

Do not click web links or open attachments in unsolicited email messages. 
Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams. 
Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks. 

No known public exploits specifically target these vulnerabilities.