SSA-497656

Siemens Security Advisory by Siemens ProductCERT

SSA-497656: Multiple NTP Vulnerabilities in TIM 4R-IE Devices

Publication Date:	2021-04-13
Last Update:	2025-06-10
Current Version:	V1.1
CVSS v3.1 Base Score:	9.8

SUMMARY

TIM 4R-IE devices contain multiple vulnerabilities in the integrated NTP component as listed below.

Siemens recommends specific countermeasures for products where fixes are not, or not yet available.

KNOWN AFFECTED PRODUCTS

Un-/Collapse All

Affected Product and Versions	Remediation
TIM 4R-IE (incl. SIPLUS NET variants)	Currently no fix is planned See recommendations from section Workarounds and Mitigations
SIPLUS NET TIM 4R-IE (6AG1800-4BA00-7AA0) All versions affected by all CVEs CVE-2015-5219 CVE-2015-7705 CVE-2015-7855 CVE-2015-7871 CVE-2015-7973 CVE-2015-7974 CVE-2015-7977 CVE-2015-7979 CVE-2015-8138 CVE-2016-1547 CVE-2016-1548 CVE-2016-1550 CVE-2016-4953 CVE-2016-4954	Currently no fix is planned See recommendations from section Workarounds and Mitigations
TIM 4R-IE (6NH7800-4BA00) All versions affected by all CVEs CVE-2015-5219 CVE-2015-7705 CVE-2015-7855 CVE-2015-7871 CVE-2015-7973 CVE-2015-7974 CVE-2015-7977 CVE-2015-7979 CVE-2015-8138 CVE-2016-1547 CVE-2016-1548 CVE-2016-1550 CVE-2016-4953 CVE-2016-4954	Currently no fix is planned See recommendations from section Workarounds and Mitigations
TIM 4R-IE DNP3 (incl. SIPLUS NET variants)	Currently no fix is planned See recommendations from section Workarounds and Mitigations
SIPLUS NET TIM 4R-IE DNP3 (6AG1803-4BA00-7AA0) All versions affected by all CVEs CVE-2015-5219 CVE-2015-7705 CVE-2015-7855 CVE-2015-7871 CVE-2015-7973 CVE-2015-7974 CVE-2015-7977 CVE-2015-7979 CVE-2015-8138 CVE-2016-1547 CVE-2016-1548 CVE-2016-1550 CVE-2016-4953 CVE-2016-4954	Currently no fix is planned See recommendations from section Workarounds and Mitigations
TIM 4R-IE DNP3 (6NH7803-4BA00-0AA0) All versions affected by all CVEs CVE-2015-5219 CVE-2015-7705 CVE-2015-7855 CVE-2015-7871 CVE-2015-7973 CVE-2015-7974 CVE-2015-7977 CVE-2015-7979 CVE-2015-8138 CVE-2016-1547 CVE-2016-1548 CVE-2016-1550 CVE-2016-4953 CVE-2016-4954	Currently no fix is planned See recommendations from section Workarounds and Mitigations

WORKAROUNDS AND MITIGATIONS

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

Deactivate NTP-based time syncronization of the device, if enabled. The feature is disabled by default.
Configure an additional firewall to prevent communication to the port udp/123 of an affected device.

Please follow the General Security Recommendations.

GENERAL SECURITY RECOMMENDATIONS

As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION

SIPLUS extreme products are designed for reliable operation under extreme conditions and are based on SIMATIC, LOGO!, SITOP, SINAMICS, SIMOTION, SCALANCE or other devices. SIPLUS devices use the same firmware as the product they are based on.

TIM 4R-IE DNP3 is a communication module for SIMATIC S7-300 with an RS232 interface for DNP3 communication via a classic WAN and an RJ45 interface for DNP3 communication via a IP-based network (WAN or LAN).

TIM 4R-IE is a SINAUT ST7 communications module for the SIMATIC S7-300 with an RS232 interface for SINAUT communication via a classic WAN and an RJ45 interface for SINAUT communication via an IP-based network (WAN or LAN).

VULNERABILITY DESCRIPTION

Un-/Collapse All

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

Vulnerability CVE-2015-5219

The ULOGTOD function in ntp.d in SNTP before 4.2.7p366 does not properly perform type conversions from a precision value to a double, which allows remote attackers to cause a denial of service (infinite loop) via a crafted NTP packet.

CVSS v3.1 Base Score	7.5
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE	CWE-681: Incorrect Conversion between Numeric Types

Vulnerability CVE-2015-7705

The rate limiting feature in NTP 4.x before 4.2.8p4 and 4.3.x before 4.3.77 allows remote attackers to have unspecified impact via a large number of crafted requests.

CVSS v3.1 Base Score	9.8
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE	CWE-20: Improper Input Validation

Vulnerability CVE-2015-7855

The decodenetnum function in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to cause a denial of service (assertion failure) via a 6 or mode 7 packet containing a long data value.

CVSS v3.1 Base Score	6.5
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE	CWE-20: Improper Input Validation

Vulnerability CVE-2015-7871

Crypto-NAK packets in ntpd in NTP 4.2.x before 4.2.8p4, and 4.3.x before 4.3.77 allows remote attackers to bypass authentication.

CVSS v3.1 Base Score	9.8
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE	CWE-287: Improper Authentication

Vulnerability CVE-2015-7973

NTP before 4.2.8p6 and 4.3.x before 4.3.90, when configured in broadcast mode, allows man-in-the-middle attackers to conduct replay attacks by sniffing the network.

CVSS v3.1 Base Score	6.5
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H
CWE	CWE-294: Authentication Bypass by Capture-replay

Vulnerability CVE-2015-7974

NTP 4.x before 4.2.8p6 and 4.3.x before 4.3.90 do not verify peer associations of symmetric keys when authenticating packets, which might allow remote attackers to conduct impersonation attacks via an arbitrary trusted key, aka a "skeleton key."

CVSS v3.1 Base Score	7.7
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:H/A:N
CWE	CWE-287: Improper Authentication

Vulnerability CVE-2015-7977

ntpd in NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (NULL pointer dereference) via a ntpdc reslist command.

CVSS v3.1 Base Score	5.9
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE	CWE-476: NULL Pointer Dereference

Vulnerability CVE-2015-7979

NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to cause a denial of service (client-server association tear down) by sending broadcast packets with invalid authentication to a broadcast client.

CVSS v3.1 Base Score	7.5
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE	CWE-821: Incorrect Synchronization

Vulnerability CVE-2015-8138

NTP before 4.2.8p6 and 4.3.x before 4.3.90 allows remote attackers to bypass the origin timestamp validation via a packet with an origin timestamp set to zero.

CVSS v3.1 Base Score	5.3
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE	CWE-20: Improper Input Validation

Vulnerability CVE-2016-1547

An off-path attacker can cause a preemptible client association to be demobilized in NTP 4.2.8p4 and earlier and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92 by sending a crypto NAK packet to a victim client with a spoofed source address of an existing associated peer. This is true even if authentication is enabled.

CVSS v3.1 Base Score	5.3
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CWE	CWE-821: Incorrect Synchronization

Vulnerability CVE-2016-1548

An attacker can spoof a packet from a legitimate ntpd server with an origin timestamp that matches the peer->dst timestamp recorded for that server. After making this switch, the client in NTP 4.2.8p4 and earlier and NTPSec aa48d001683e5b791a743ec9c575aaf7d867a2b0c will reject all future legitimate server responses. It is possible to force the victim client to move time after the mode has been changed. ntpq gives no indication that the mode has been switched.

CVSS v3.1 Base Score	7.2
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L
CWE	CWE-290: Authentication Bypass by Spoofing

Vulnerability CVE-2016-1550

An exploitable vulnerability exists in the message authentication functionality of libntp in ntp 4.2.8p4 and NTPSec a5fb34b9cc89b92a8fef2f459004865c93bb7f92. An attacker can send a series of crafted messages to attempt to recover the message digest key.

CVSS v3.1 Base Score	5.3
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE	CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

Vulnerability CVE-2016-4953

ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (ephemeral-association demobilization) by sending a spoofed crypto-NAK packet with incorrect authentication data at a certain time.

CVSS v3.1 Base Score	7.5
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE	CWE-287: Improper Authentication

Vulnerability CVE-2016-4954

The process_packet function in ntp_proto.c in ntpd in NTP 4.x before 4.2.8p8 allows remote attackers to cause a denial of service (peer-variable modification) by sending spoofed packets from many source IP addresses in a certain scenario, as demonstrated by triggering an incorrect leap indication.

CVSS v3.1 Base Score	7.5
CVSS v3.1 Vector	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE	CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

ADDITIONAL INFORMATION

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2021-04-13):	Publication Date
V1.1 (2025-06-10):	Expanded affected TIM 4R-IE product families to individual products, incl. MLFB IDs; CVE-2015-5219: changed CWE from CWE-704 to CWE-681; CVE-2015-7973: changed CWE from CWE-254 to CWE-294; CVE-2015-7979: changed CWE from CWE-19 to CWE-821; CVE-2016-1547: changed CWE from CWE-20 to CWE-821; CVE-2016-1548: changed CWE from CWE-19 to CWE-290

The use of Siemens Security Advisories is subject to the terms and conditions listed on: https://www.siemens.com/productcert/terms-of-use.