SSA-462066

Siemens Security Advisory by Siemens ProductCERT

SSA-462066: Vulnerability known as TCP SACK PANIC in Industrial Products

Publication Date:	2019-09-10
Last Update:	2022-06-14
Current Version:	V3.0
CVSS v3.1 Base Score:	7.5

SUMMARY

Multiple industrial products are affected by a vulnerability in the kernel known as TCP SACK PANIC. The vulnerability could allow a remote attacker to cause a denial of service condition.

Siemens has released updates for several affected products and recommends to update to the new versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet available.

AFFECTED PRODUCTS AND SOLUTION

Affected Product and Versions	Remediation
CloudConnect 712: All versions < V1.1.5	Update to V1.1.5 or later version https://support.industry.siemens.com/cs/ww/en/view/109769636 See further recommendations from section Workarounds and Mitigations
RUGGEDCOM APE1404 Linux: All versions < Debian 9 Linux Image 2019-12-13 only affected by CVE-2019-11479	Apply the latest available Debian patches https://support.industry.siemens.com/cs/ww/en/view/109773487 See further recommendations from section Workarounds and Mitigations
RUGGEDCOM RM1224 (6GK6108-4AM00): All versions < V6.2	Update to V6.2 or later version https://support.industry.siemens.com/cs/document/109778305 See further recommendations from section Workarounds and Mitigations
RUGGEDCOM ROX II: All versions < V2.13.3 only affected by CVE-2019-11479	Update to V2.13.3 or later version https://support.industry.siemens.com/cs/document/109778537 See further recommendations from section Workarounds and Mitigations
RUGGEDCOM RX1400 VPE Debian Linux: All versions < Debian 9 Linux Image 2019-12-13 only affected by CVE-2019-11479	Apply the latest available Debian patches in the VPE https://support.industry.siemens.com/cs/ww/en/view/109773485 See further recommendations from section Workarounds and Mitigations
RUGGEDCOM RX1400 VPE Linux CloudConnect: All versions < Debian 9 Linux Image 2019-12-13 only affected by CVE-2019-11479	Apply the latest available Debian patches in the VPE or apply the latest CloudConnect VPE Linux image https://support.industry.siemens.com/cs/ww/en/view/109773486 See further recommendations from section Workarounds and Mitigations
SCALANCE M804PB (6GK5804-0AP00-2AA2): All versions < V6.2	Update to V6.2 or later version https://support.industry.siemens.com/cs/document/109778305 See further recommendations from section Workarounds and Mitigations
SCALANCE M812-1 ADSL-Router (Annex A) (6GK5812-1AA00-2AA2): All versions < V6.2	Update to V6.2 or later version https://support.industry.siemens.com/cs/document/109778305 See further recommendations from section Workarounds and Mitigations
SCALANCE M812-1 ADSL-Router (Annex B) (6GK5812-1BA00-2AA2): All versions < V6.2	Update to V6.2 or later version https://support.industry.siemens.com/cs/document/109778305 See further recommendations from section Workarounds and Mitigations
SCALANCE M816-1 ADSL-Router (Annex A) (6GK5816-1AA00-2AA2): All versions < V6.2	Update to V6.2 or later version https://support.industry.siemens.com/cs/document/109778305 See further recommendations from section Workarounds and Mitigations
SCALANCE M816-1 ADSL-Router (Annex B) (6GK5816-1BA00-2AA2): All versions < V6.2	Update to V6.2 or later version https://support.industry.siemens.com/cs/document/109778305 See further recommendations from section Workarounds and Mitigations
SCALANCE M826-2 SHDSL-Router (6GK5826-2AB00-2AB2): All versions < V6.2	Update to V6.2 or later version https://support.industry.siemens.com/cs/document/109778305 See further recommendations from section Workarounds and Mitigations
SCALANCE M874-2 (6GK5874-2AA00-2AA2): All versions < V6.2	Update to V6.2 or later version https://support.industry.siemens.com/cs/document/109778305 See further recommendations from section Workarounds and Mitigations
SCALANCE M874-3 (6GK5874-3AA00-2AA2): All versions < V6.2	Update to V6.2 or later version https://support.industry.siemens.com/cs/document/109778305 See further recommendations from section Workarounds and Mitigations
SCALANCE M875: All versions	Upgrade hardware to SCALANCE M876-4 or RUGGEDCOM RM1224 and apply patches when available, or follow recommendations from section Workarounds and Mitigations See further recommendations from section Workarounds and Mitigations
SCALANCE M876-3 (EVDO) (6GK5876-3AA02-2BA2): All versions < V6.2	Update to V6.2 or later version https://support.industry.siemens.com/cs/document/109778305 See further recommendations from section Workarounds and Mitigations
SCALANCE M876-3 (ROK) (6GK5876-3AA02-2EA2): All versions < V6.2	Update to V6.2 or later version https://support.industry.siemens.com/cs/document/109778305 See further recommendations from section Workarounds and Mitigations
SCALANCE M876-4 (EU) (6GK5876-4AA00-2BA2): All versions < V6.2	Update to V6.2 or later version https://support.industry.siemens.com/cs/document/109778305 See further recommendations from section Workarounds and Mitigations
SCALANCE M876-4 (NAM) (6GK5876-4AA00-2DA2): All versions < V6.2	Update to V6.2 or later version https://support.industry.siemens.com/cs/document/109778305 See further recommendations from section Workarounds and Mitigations
SCALANCE S602: All versions < V4.1 only affected by CVE-2019-8460	Update to V4.1 Update is only available via Siemens Support contact Upgrade hardware to successor product from SCALANCE SC-600 family (https://support.industry.siemens.com/cs/document/109756957) and apply patches when available, or follow recommendations from section Workarounds and Mitigations See further recommendations from section Workarounds and Mitigations
SCALANCE S612: All versions < V4.1 only affected by CVE-2019-8460	Update to V4.1 Update is only available via Siemens Support contact Upgrade hardware to successor product from SCALANCE SC-600 family (https://support.industry.siemens.com/cs/document/109756957) and apply patches when available, or follow recommendations from section Workarounds and Mitigations See further recommendations from section Workarounds and Mitigations
SCALANCE S615 (6GK5615-0AA00-2AA2): All versions < V6.2	Update to V6.2 or later version https://support.industry.siemens.com/cs/document/109778305/ See further recommendations from section Workarounds and Mitigations
SCALANCE S623: All versions < V4.1 only affected by CVE-2019-8460	Update to V4.1 Update is only available via Siemens Support contact Upgrade hardware to successor product from SCALANCE SC-600 family (https://support.industry.siemens.com/cs/document/109756957) and apply patches when available, or follow recommendations from section Workarounds and Mitigations See further recommendations from section Workarounds and Mitigations
SCALANCE S627-2M: All versions < V4.1 only affected by CVE-2019-8460	Update to V4.1 Update is only available via Siemens Support Contact Upgrade hardware to successor product from SCALANCE SC-600 family (https://support.industry.siemens.com/cs/document/109756957) and apply patches when available, or follow recommendations from section Workarounds and Mitigations See further recommendations from section Workarounds and Mitigations
SCALANCE SC622-2C (6GK5622-2GS00-2AC2): All version < V2.0.1	Update to V2.0.1 or later version https://support.industry.siemens.com/cs/ww/en/view/109769665 See further recommendations from section Workarounds and Mitigations
SCALANCE SC632-2C (6GK5632-2GS00-2AC2): All version < V2.0.1	Update to V2.0.1 or later version https://support.industry.siemens.com/cs/ww/en/view/109769665 See further recommendations from section Workarounds and Mitigations
SCALANCE SC636-2C (6GK5636-2GS00-2AC2): All version < V2.0.1	Update to V2.0.1 or later version https://support.industry.siemens.com/cs/ww/en/view/109769665 See further recommendations from section Workarounds and Mitigations
SCALANCE SC642-2C (6GK5642-2GS00-2AC2): All version < V2.0.1	Update to V2.0.1 or later version https://support.industry.siemens.com/cs/ww/en/view/109769665 See further recommendations from section Workarounds and Mitigations
SCALANCE SC646-2C (6GK5646-2GS00-2AC2): All version < V2.0.1	Update to V2.0.1 or later version https://support.industry.siemens.com/cs/ww/en/view/109769665 See further recommendations from section Workarounds and Mitigations
SCALANCE W1750D: All versions < V8.6.0	Update to V8.6.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109778052 See further recommendations from section Workarounds and Mitigations
SCALANCE W-700 IEEE 802.11n family: All versions < V6.4	Update to V6.4 or later version https://support.industry.siemens.com/cs/ww/en/view/109773308 See further recommendations from section Workarounds and Mitigations
SCALANCE W-1700 IEEE 802.11ac family: All versions < V2.0	Update to V2.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109773734 See further recommendations from section Workarounds and Mitigations
SCALANCE WLC711: All versions	Currently no fix is planned See recommendations from section Workarounds and Mitigations
SCALANCE WLC712: All versions	Currently no fix is planned See recommendations from section Workarounds and Mitigations
SIMATIC CM 1542-1: All versions < 3.0	Update to V3.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109801629/ See further recommendations from section Workarounds and Mitigations
SIMATIC CP 343-1 Advanced (incl. SIPLUS variants): All versions only affected by CVE-2019-8460	Currently no fix is planned See recommendations from section Workarounds and Mitigations
SIMATIC CP 442-1 RNA (6GK7442-1RX00-0XE0): All versions < V1.5.18 only affected by CVE-2019-8460	Update to V1.5.18 or later version https://support.industry.siemens.com/cs/ww/en/view/109808794 See further recommendations from section Workarounds and Mitigations
SIMATIC CP 443-1 (incl. SIPLUS variants): All versions only affected by CVE-2019-8460	Currently no fix is available See recommendations from section Workarounds and Mitigations
SIMATIC CP 443-1 Advanced (incl. SIPLUS variants): All versions only affected by CVE-2019-8460	Currently no fix is planned See recommendations from section Workarounds and Mitigations
SIMATIC CP 443-1 OPC UA (6GK7443-1UX00-0XE0): All versions only affected by CVE-2019-8460	Currently no fix is planned See recommendations from section Workarounds and Mitigations
SIMATIC CP 443-1 RNA (6GK7443-1RX00-0XE0): All versions < V1.5.18 only affected by CVE-2019-8460	Update to V1.5.18 or later version https://support.industry.siemens.com/cs/ww/en/view/109808796 See further recommendations from section Workarounds and Mitigations
SIMATIC CP 1242-7 V2 (incl. SIPLUS variants): All versions < V3.2	Update to V3.2 or later version https://support.industry.siemens.com/cs/document/109775640 See further recommendations from section Workarounds and Mitigations
SIMATIC CP 1243-1 (6GK7243-1BX30-0XE0): All versions < V3.2	Update to V3.2 or later version https://support.industry.siemens.com/cs/document/109775640 See further recommendations from section Workarounds and Mitigations
SIMATIC CP 1243-7 LTE EU (6GK7243-7KX30-0XE0): All versions < V3.2	Update to V3.2 or later version https://support.industry.siemens.com/cs/document/109775640 See further recommendations from section Workarounds and Mitigations
SIMATIC CP 1243-7 LTE US (6GK7243-7SX30-0XE0): All versions < V3.2	Update to V3.2 or later version https://support.industry.siemens.com/cs/document/109775640 See further recommendations from section Workarounds and Mitigations
SIMATIC CP 1243-8 IRC (6GK7243-8RX30-0XE0): All versions < V3.2	Update to V3.2 or later version https://support.industry.siemens.com/cs/document/109775640 See further recommendations from section Workarounds and Mitigations
SIMATIC CP 1542SP-1 (6GK7542-6UX00-0XE0): All versions < V2.1	Update to V2.1 or later version https://support.industry.siemens.com/cs/document/109774207/ See further recommendations from section Workarounds and Mitigations
SIMATIC CP 1542SP-1 IRC (incl. SIPLUS variants): All versions < V2.1	Update to V2.1 or later version https://support.industry.siemens.com/cs/document/109774207/ See further recommendations from section Workarounds and Mitigations
SIMATIC CP 1543-1 (6GK7543-1AX00-0XE0): All versions < V2.2	Update to V2.2 or later version https://support.industry.siemens.com/cs/ww/en/view/109775642 See further recommendations from section Workarounds and Mitigations
SIMATIC CP 1543SP-1 (6GK7543-6WX00-0XE0): All versions < V2.1	Update to V2.1 or later version https://support.industry.siemens.com/cs/document/109774207/ See further recommendations from section Workarounds and Mitigations
SIMATIC CP 1623 (6GK1162-3AA00): All versions < V14.00.15.00_51.25.00.01 only affected by CVE-2019-8460	The updated firmware is contained in SIMATIC NET PC Software V14 Update 14 or later version or SIMATIC NET PC Software V16 Update 5 or later version https://support.industry.siemens.com/cs/ww/en/view/109804739 See further recommendations from section Workarounds and Mitigations
SIMATIC CP 1628 (6GK1162-8AA00): All versions < V17.0 only affected by CVE-2019-8460	Update to V17.0 https://support.industry.siemens.com/cs/ww/en/view/109798403 See further recommendations from section Workarounds and Mitigations
SIMATIC ITC1500: All versions < V3.1.1.0	Update to V3.1.1.0 https://support.industry.siemens.com/cs/ww/en/view/109783768 See further recommendations from section Workarounds and Mitigations
SIMATIC ITC1500 PRO: All versions < V3.1.1.0	Update to V3.1.1.0 https://support.industry.siemens.com/cs/ww/en/view/109783768 See further recommendations from section Workarounds and Mitigations
SIMATIC ITC1900: All versions < V3.1.1.0	Update to V3.1.1.0 https://support.industry.siemens.com/cs/ww/en/view/109783768 See further recommendations from section Workarounds and Mitigations
SIMATIC ITC1900 PRO: All versions < V3.1.1.0	Update to V3.1.1.0 https://support.industry.siemens.com/cs/ww/en/view/109783768 See further recommendations from section Workarounds and Mitigations
SIMATIC ITC2200: All versions < V3.1.1.0	Update to V3.1.1.0 https://support.industry.siemens.com/cs/ww/en/view/109783768 See further recommendations from section Workarounds and Mitigations
SIMATIC ITC2200 PRO: All versions < V3.1.1.0	Update to V3.1.1.0 https://support.industry.siemens.com/cs/ww/en/view/109783768 See further recommendations from section Workarounds and Mitigations
SIMATIC MV540 H (6GF3540-0GE10): All versions < V2.1	Update to V2.1 or later version https://support.industry.siemens.com/cs/ww/en/view/109781769 See further recommendations from section Workarounds and Mitigations
SIMATIC MV540 S (6GF3540-0CD10): All versions < V2.1	Update to V2.1 or later version https://support.industry.siemens.com/cs/ww/en/view/109781769 See further recommendations from section Workarounds and Mitigations
SIMATIC MV550 H (6GF3550-0GE10): All versions < V2.1	Update to V2.1 or later version https://support.industry.siemens.com/cs/ww/en/view/109781769 See further recommendations from section Workarounds and Mitigations
SIMATIC MV550 S (6GF3550-0CD10): All versions < V2.1	Update to V2.1 or later version https://support.industry.siemens.com/cs/ww/en/view/109781769 See further recommendations from section Workarounds and Mitigations
SIMATIC MV560 U (6GF3560-0LE10): All versions < V2.1	Update to V2.1 or later version https://support.industry.siemens.com/cs/ww/en/view/109781769 See further recommendations from section Workarounds and Mitigations
SIMATIC MV560 X (6GF3560-0HE10): All versions < V2.1	Update to V2.1 or later version https://support.industry.siemens.com/cs/ww/en/view/109781769 See further recommendations from section Workarounds and Mitigations
SIMATIC Reader RF610R CMIIT (6GT2811-6BC10-2AA0): All versions < V4.0	Update to V4.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109808361 See further recommendations from section Workarounds and Mitigations
SIMATIC Reader RF610R ETSI (6GT2811-6BC10-0AA0): All versions < V4.0	Update to V4.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109808361 See further recommendations from section Workarounds and Mitigations
SIMATIC Reader RF610R FCC (6GT2811-6BC10-1AA0): All versions < V4.0	Update to V4.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109808361 See further recommendations from section Workarounds and Mitigations
SIMATIC Reader RF615R CMIIT (6GT2811-6CC10-2AA0): All versions < V4.0	Update to V4.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109808361 See further recommendations from section Workarounds and Mitigations
SIMATIC Reader RF615R ETSI (6GT2811-6CC10-0AA0): All versions < V4.0	Update to V4.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109808361 See further recommendations from section Workarounds and Mitigations
SIMATIC Reader RF615R FCC (6GT2811-6CC10-1AA0): All versions < V4.0	Update to V4.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109808361 See further recommendations from section Workarounds and Mitigations
SIMATIC Reader RF650R ARIB (6GT2811-6AB20-4AA0): All versions < V4.0	Update to V4.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109808361 See further recommendations from section Workarounds and Mitigations
SIMATIC Reader RF650R CMIIT (6GT2811-6AB20-2AA0): All versions < V4.0	Update to V4.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109808361 See further recommendations from section Workarounds and Mitigations
SIMATIC Reader RF650R ETSI (6GT2811-6AB20-0AA0): All versions < V4.0	Update to V4.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109808361 See further recommendations from section Workarounds and Mitigations
SIMATIC Reader RF650R FCC (6GT2811-6AB20-1AA0): All versions < V4.0	Update to V4.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109808361 See further recommendations from section Workarounds and Mitigations
SIMATIC Reader RF680R ARIB (6GT2811-6AA10-4AA0): All versions < V4.0	Update to V4.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109808361 See further recommendations from section Workarounds and Mitigations
SIMATIC Reader RF680R CMIIT (6GT2811-6AA10-2AA0): All versions < V4.0	Update to V4.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109808361 See further recommendations from section Workarounds and Mitigations
SIMATIC Reader RF680R ETSI (6GT2811-6AA10-0AA0): All versions < V4.0	Update to V4.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109808361 See further recommendations from section Workarounds and Mitigations
SIMATIC Reader RF680R FCC (6GT2811-6AA10-1AA0): All versions < V4.0	Update to V4.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109808361 See further recommendations from section Workarounds and Mitigations
SIMATIC Reader RF685R ARIB (6GT2811-6CA10-4AA0): All versions < V4.0	Update to V4.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109808361 See further recommendations from section Workarounds and Mitigations
SIMATIC Reader RF685R CMIIT (6GT2811-6CA10-2AA0): All versions < V4.0	Update to V4.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109808361 See further recommendations from section Workarounds and Mitigations
SIMATIC Reader RF685R ETSI (6GT2811-6CA10-0AA0): All versions < V4.0	Update to V4.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109808361 See further recommendations from section Workarounds and Mitigations
SIMATIC Reader RF685R FCC (6GT2811-6CA10-1AA0): All versions < V4.0	Update to V4.0 or later version https://support.industry.siemens.com/cs/ww/en/view/109808361 See further recommendations from section Workarounds and Mitigations
SIMATIC RF185C (6GT2002-0JE10): All versions < V1.3	Update to V1.3 or later version https://support.industry.siemens.com/cs/ww/en/view/109781665 See further recommendations from section Workarounds and Mitigations
SIMATIC RF186C (6GT2002-0JE20): All versions < V1.3	Update to V1.3 or later version https://support.industry.siemens.com/cs/ww/en/view/109781665 See further recommendations from section Workarounds and Mitigations
SIMATIC RF186CI (6GT2002-0JE50): All versions < V1.3	Update to V1.3 or later version https://support.industry.siemens.com/cs/ww/en/view/109781665 See further recommendations from section Workarounds and Mitigations
SIMATIC RF188C (6GT2002-0JE40): All versions < V1.3	Update to V1.3 or later version https://support.industry.siemens.com/cs/ww/en/view/109781665 See further recommendations from section Workarounds and Mitigations
SIMATIC RF188CI (6GT2002-0JE60): All versions < V1.3	Update to V1.3 or later version https://support.industry.siemens.com/cs/ww/en/view/109781665 See further recommendations from section Workarounds and Mitigations
SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (MLFB: 6ES7518-4AX00-1AC0, 6AG1518-4AX00-4AC0, incl. SIPLUS variant): All versions < V2.8.4	Update to V2.8.4 https://support.industry.siemens.com/cs/ww/en/view/109761490 See further recommendations from section Workarounds and Mitigations
SIMATIC S7-1500 CPU 1518F-4 PN/DP MFP (6ES7518-4FX00-1AC0): All versions < V2.8.4	Update to V2.8.4 https://support.industry.siemens.com/cs/ww/en/view/109761495 See further recommendations from section Workarounds and Mitigations
SIMATIC Teleservice Adapter IE Advanced: All versions	Currently no fix is planned See recommendations from section Workarounds and Mitigations
SIMATIC Teleservice Adapter IE Basic: All versions	Currently no fix is planned See recommendations from section Workarounds and Mitigations
SINEMA Remote Connect Server: All versions < V2.1	Update to V2.1 or later version https://support.industry.siemens.com/cs/ww/en/view/109777247 See further recommendations from section Workarounds and Mitigations
SINUMERIK 808D: All versions < V4.92	Update to V4.92 or later version The update can be obtained from your Siemens representative or via Siemens customer service. See further recommendations from section Workarounds and Mitigations
SINUMERIK 828D: All versions < V4.8 SP5	Update to V4.8 SP5 or later version The update can be obtained from your Siemens representative or via Siemens customer service. See further recommendations from section Workarounds and Mitigations
SINUMERIK 840D sl: All versions < V4.8 SP5	Update to V4.8 SP5 or later version The update can be obtained from your Siemens representative or via Siemens customer service. See further recommendations from section Workarounds and Mitigations
SIPLUS ET 200SP CP 1543SP-1 ISEC (6AG1543-6WX00-7XE0): All versions < V2.1	Update to V2.1 or later version https://support.industry.siemens.com/cs/document/109774207/ See further recommendations from section Workarounds and Mitigations
SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL (6AG2543-6WX00-4XE0): All versions < V2.1	Update to V2.1 or later version https://support.industry.siemens.com/cs/document/109774207/ See further recommendations from section Workarounds and Mitigations
SIPLUS NET CP 1543-1 (6AG1543-1AX00-2XE0): All versions < V2.2	Update to V2.2 or later version https://support.industry.siemens.com/cs/ww/en/view/109775642 See further recommendations from section Workarounds and Mitigations
SIPLUS S7-1200 CP 1243-1 (6AG1243-1BX30-2AX0): All versions < V3.2	Update to V3.2 or later version https://support.industry.siemens.com/cs/document/109775640 See further recommendations from section Workarounds and Mitigations
SIPLUS S7-1200 CP 1243-1 RAIL (6AG2243-1BX30-1XE0): All versions < V3.2	Update to V3.2 or later version https://support.industry.siemens.com/cs/document/109775640 See further recommendations from section Workarounds and Mitigations
SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0): All versions < V2.1	Update to V2.1 or later version https://support.industry.siemens.com/cs/ww/en/view/109774204 See further recommendations from section Workarounds and Mitigations
TIM 3V-IE (incl. SIPLUS NET variants): All versions only affected by CVE-2019-8460	Currently no fix is planned See recommendations from section Workarounds and Mitigations
TIM 3V-IE Advanced (incl. SIPLUS NET variants): All versions only affected by CVE-2019-8460	Currently no fix is planned See recommendations from section Workarounds and Mitigations
TIM 3V-IE DNP3 (incl. SIPLUS NET variants): All versions only affected by CVE-2019-8460	Currently no fix is planned See recommendations from section Workarounds and Mitigations
TIM 4R-IE (incl. SIPLUS NET variants): All versions only affected by CVE-2019-8460	Currently no fix is planned See recommendations from section Workarounds and Mitigations
TIM 4R-IE DNP3 (incl. SIPLUS NET variants): All versions only affected by CVE-2019-8460	Currently no fix is planned See recommendations from section Workarounds and Mitigations
TIM 1531 IRC (6GK7543-1MX00-0XE0): All versions < V2.1	Update to V2.1 or later version https://support.industry.siemens.com/cs/ww/en/view/109774204 See further recommendations from section Workarounds and Mitigations

WORKAROUNDS AND MITIGATIONS

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

Restrict network access to affected devices
Apply Defense-in-Depth
For SIMATIC Teleservice Adapters (IE Basic, IE Advanced): migrate to a successor product within the SCALANCE M-800 family. For details refer to the notice of discontinuation.

Product specific remediations or mitigations can be found in the section Affected Products and Solution.

Please follow the General Security Recommendations.

GENERAL SECURITY RECOMMENDATIONS

As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens’ operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION

As the virtual machine environment for the RUGGEDCOM RX1400, the RUGGEDCOM VPE1400 is ideally suited for harsh environments, such as those found in electric power, transportation, defense systems and oil and gas industries.

ROX-based VPN endpoints and firewall devices are used to connect devices that operate in harsh environments such as electric utility substations and traffic control cabinets.

RUGGEDCOM APE serves as an utility-grade computing platform for the RUGGEDCOM RX1500 router family. It also allows to run third party software applications without needing to procure an external industrial PC.

SCALANCE W products are wireless communication devices used to connect industrial components, like Programmable Logic Controllers (PLCs) or Human Machine Interfaces (HMIs), according to the IEEE 802.11 standard (802.11ac, 802.11a/b/g/h, and/or 802.11n).

Siemens CloudConnect is used to connect all kinds of plants with the cloud.

SIMATIC CP 343-1 and CP 443-1 are communication processors (CP) designed to enable Ethernet communication for SIMATIC S7-300/S7-400 CPUs.

SIMATIC HMI Panels are used for operator control and monitoring of machines and plants.

SIMATIC ITC Industrial Thin Clients represent powerful control terminals with high-resolution wide-screen touch displays in 12, 15, 19 and 22 inch formats.

SIMATIC MV500 products are stationary optical readers, used to reliably capture printed, lasered, drilled, punched and dotpeen codes on a variety of different surfaces.

SIMATIC RF185C, RF186C/CI, and RF188C/CI are communication modules for direct connection of SIMATIC identification systems to PROFINET IO/Ethernet and OPC UA.

SIMATIC RF600 Readers are used for the contactless identification of every kind of object, e.g. transport containers, pallets, production goods, or it can be generally used for recording goods in bulk.

SIMATIC Teleservice adapters allow for remote maintenance of automation systems via phone or internet. The adapters are superseded by the SCALANCE M product family.

SINEMA Remote Connect is a management platform for remote networks that enables the simple management of tunnel connections (VPN) between headquarters, service technicians, and installed machines or plants. It provides both the Remote Connect Server, which is the server application, and the Remote Connect Client, which is an OpenVPN client for optimal connection to SINEMA Remote Connect Server.

SINUMERIK CNC offers automation solutions for the shop floor, job shops and large serial production environments.

SIPLUS extreme products are designed for reliable operation under extreme conditions and are based on SIMATIC, LOGO!, SITOP, SINAMICS, SIMOTION, SCALANCE or other devices. SIPLUS devices use the same firmware as the product they are based on.

The SCALANCE M-800, MUM-800 and S615 as well as the RUGGEDCOM RM1224 industrial routers are used for secure remote access to plants via mobile networks, e.g. GPRS or UMTS with the integrated security functions of a firewall for protection against unauthorized access and VPN to protect data transmission.

The SCALANCE S-600 devices (S602, S612, S623, S627-2M) are used to protect trusted industrial networks from untrusted networks. The S-600 devices are superseded by the SCALANCE SC-600 devices (SC622-2C, SC632-2C, SC636-2C, SC642-2C, SC646-2C), or the SCALANCE S615.

The SCALANCE SC-600 devices (SC622-2C, SC632-2C, SC636-2C, SC642-2C, SC646-2C) are used to protect trusted industrial networks from untrusted networks. They allow filtering incoming and outgoing network connections in different ways.

The SCALANCE W1750D controller-based Direct Access Points support radio transmission according to the latest IWLAN standard IEEE 802.11ac Wave 2.

The SIMATIC CP 1242-7 and CP 1243-7 LTE communication processors connect the S7-1200 controller to Wide Area Networks (WAN). It provides integrated security functions such as firewall, Virtual Private Networks (VPN) and support of other protocols with data encryption.

The SIMATIC CP 1243-1 communication processor connects the S7-1200 controller to Ethernet networks. It provides integrated security functions such as firewall, Virtual Private Networks (VPN) and support of other protocols with data encryption.

The SIMATIC CP 1243-8 IRC communication processor connects S7-1200 controllers via the SINAUT ST7 telecontrol protocol to a control center or master ST7 stations.

The SIMATIC CP 1543-1 and SIMATIC CP 1545-1 communication processor connects the S7-1500 controller to Ethernet networks. It provides integrated security functions such as firewall, Virtual Private Networks (VPN) and support of other protocols with data encryption. The communication processor protects S7-1500 stations against unauthorized access, as well as integrity and confidentiality of transmitted data.

The SIMATIC CP 1543SP-1, CP 1542SP-1 and CP 1542SP-1 IRC communication processors connect the S7-1500 controller to Ethernet networks. It provides integrated security functions such as firewall, Virtual Private Networks (VPN) and support of other protocols with data encryption.

The SIMATIC S7-1500 MFP CPUs provide functionality of standard S7-1500 CPUs with the possibility to run C/C++ Code within the CPU-Runtime for execution of own functions / algorithms implemented in C/C++ and an additional second independent runtime environment to execute C/C++ applications parallel to the STEP 7 program if required.

The TIM 3V-IE is a SINAUT ST7 communications module for the SIMATIC S7-300 with an RS232 interface for SINAUT communication via a classic WAN and an RJ45 interface for SINAUT communication via an IP-based network (WAN or LAN).

The TIM 4R-IE DNP3 communication module for SIMATIC S7-300 with an RS232 interface for DNP3 communication via a classic WAN and an RJ45 interface for DNP3 communication via a IP-based network (WAN or LAN).

The TIM 4R-IE is a SINAUT ST7 communications module for the SIMATIC S7-300 with an RS232 interface for SINAUT communication via a classic WAN and an RJ45 interface for SINAUT communication via an IP-based network (WAN or LAN).

TIM 3V-IE advanced communication module for SIMATIC S7-300 with an RS232 interface for SINAUT communication via a classic WAN and an RJ45 interface for SINAUT communication via an IP-based network (WAN or LAN).

TIM 1531 IRC is a communication module for SIMATIC S7-1500, S7-400, S7-300 with SINAUT ST7, DNP3 and IEC 60870-5-101/104 with three RJ45 interfaces for communication via IP-based networks (WAN / LAN) and a RS 232/RS 485 interface for communication via classic WAN networks.

VULNERABILITY CLASSIFICATION

The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss). The CVSS environmental score is specific to the customer’s environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.

Vulnerability CVE-2019-8460

OpenBSD kernel version <= 6.5 can be forced to create long chains of TCP SACK holes that causes very expensive calls to tcp_sack_option() for every incoming SACK packet which can lead to a denial of service.

CVSS v3.1 Base Score	7.5
CVSS Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
CWE:	CWE-1049: Excessive Data Query Operations in a Large Data Table

Vulnerability CVE-2019-11477

The kernel used in some products is affected by an integer overflow when handling TCP Selective Acknowledgements. A remote attacker could use this to cause a denial of service.

CVSS v3.1 Base Score	7.5
CVSS Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
CWE:	CWE-190: Integer Overflow or Wraparound

Vulnerability CVE-2019-11478

A remote attacker could cause a denial of service condition by sending specially crafted TCP Selective Acknowledgment (SACK) sequences to affected products.

CVSS v3.1 Base Score	5.3
CVSS Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
CWE:	CWE-400: Uncontrolled Resource Consumption

Vulnerability CVE-2019-11479

An attacker with network access to affected products could cause a denial of service condition because of a vulnerability in the TCP retransmission queue implementation kernel when handling TCP Selective Acknowledgements (SACK).

CVSS v3.1 Base Score	5.3
CVSS Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
CWE:	CWE-400: Uncontrolled Resource Consumption

ACKNOWLEDGMENTS

Siemens thanks the following parties for their efforts:

Artem Zinenko from Kaspersky for pointing out that SIPLUS should also be mentioned

ADDITIONAL INFORMATION

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT:

https://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2019-09-10): Publication Date

V1.1 (2019-10-08): Added solution for SINUMERIK 840D sl, SINUMERIK 828D, SINUMERIK 808D

V1.2 (2019-11-12): Added solution for SIMATIC MV500. Removed SIMATIC RF166C from affected products

V1.3 (2019-12-10): Added solution for SCALANCE W700. SIPLUS devices now explicitly mentioned in the list of affected products

V1.4 (2020-02-11): Added solution for TIM 1531 IRC, for SIMATIC NET CP 1242-7, CP 1243-7 LTE (EU and US versions), CP 1243-1, CP 1243-8 IRC, CP 1543-1, CP 1542SP-1, CP 1542SP-1 IRC, CP 1543SP-1 and for SCALANCE W1700. Added products RUGGEDCOM APE1404 and RUGGEDCOM RX1400. Information regarding SINEMA Remote Connect Server corrected

V1.5 (2020-03-10): Added solution for SINEMA Remote Connect Server, SCALANCE M-800 / S615 and RUGGEDCOM RM1224. Added products SIMATIC NET CP 1623 and CP 1628. Information regarding SIMATIC MV500 corrected

V1.6 (2020-04-14): Added solution for ROX II

V1.7 (2020-06-09): Added products SIMATIC NET CP 443-1 OPC UA, CP 443-1 RNA, CP 442-1 RNA, CP 443-1, CP 443-1 Advanced and CP 343-1 Advanced. Included additional information to CP 1623 and CP 1628 regarding affected CVE. Added CVE-2019-8460 - affected products are identified accordingly.

V1.8 (2020-08-11): Informed about successor product for SIMATIC Teleservice adapters

V1.9 (2020-09-08): Added solution for SIMATIC RF18xC/CI

V2.0 (2020-10-13): Added solution for SIMATIC MV500 and SCALANCE W1750D

V2.1 (2020-12-08): Added solution for SIMATIC S7-1500 CPU 1518(F)-4 PN/DP MFP

V2.2 (2021-04-13): Added affected products SCALANCE S602, SCALANCE S612, SCALANCE S623, and SCALANCE S627-2M and added solution for SIMATIC ITC1500 (PRO), SIMATIC ITC1900 (PRO), and SIMATIC ITC2200 (PRO)

V2.3 (2021-05-11): Added affected products TIM 3V-IE, TIM 3V-IE Advanced, TIM 3V-IE DNP3, TIM 4R-IE and TIM 4R-IE DNP3

V2.4 (2021-07-13): Added solution for SIMATIC NET CP 1623 and SIMATIC NET CP 1628

V2.5 (2021-09-14): Added solution for SIMATIC NET CM 1542-1

V2.6 (2022-02-08): Updated solution for SIMATIC CP 1623; Clarified that currently no remediation is planned for SIMATIC CP 442-1 RNA, SIMATIC CP 443-1 RNA, TIM 3V-IE and TIM 4R-IE devices

V2.7 (2022-03-08): Readded SCALANCE S615 to the list of affected products

V2.8 (2022-04-12): Updated remediation for SIMATIC CP 1623; Added solution for SIMATIC RF600R family and clarified list of affected devices

V2.9 (2022-05-10): Added solution for SIMATIC CP 442-1 RNA and SIMATIC CP 443-1 RNA

V3.0 (2022-06-14): No fix planned for SIMATIC NET CP 443-1

Siemens Security Advisories are subject to the terms and conditions contained in Siemens’ underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens’ Global Website https://new.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.

SSA-462066