-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 # SSA-978220: Denial of Service Vulnerability over SNMP in Multiple Industrial Products Publication Date: 2020-02-11 Last Update: 2023-04-11 Current Version: 1.8 CVSS v3.1 Base Score: 7.5 SUMMARY ======= Several industrial products are affected by a vulnerability that could allow remote attackers to conduct a denial of service attack by sending specially crafted packets to port 161/udp (SNMP). Siemens has released updates for several affected products and recommends to update to the latest versions. Siemens recommends specific countermeasures for products where updates are not, or not yet available. AFFECTED PRODUCTS AND SOLUTION ============================== * IE/PB link PN IO (6GK1411-5AB10) - Affected versions: All versions < V4.0.1 - Remediation: Update to V4.0.1 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109780330/ * SCALANCE S602 - Affected versions: All versions < V4.1 - Remediation: Update to V4.1 Migrate to a successor product within the SCALANCE SC-600 family, V2.1 ( https://support.industry.siemens.com/cs/ww/en/view/109780500) or later version See further recommendations from section "Workarounds and Mitigations" - Download: Update is only available via Siemens Support contact * SCALANCE S612 - Affected versions: All versions < V4.1 - Remediation: Update to V4.1 Migrate to a successor product within the SCALANCE SC-600 family, V2.1 ( https://support.industry.siemens.com/cs/ww/en/view/109780500) or later version See further recommendations from section "Workarounds and Mitigations" - Download: Update is only available via Siemens Support contact * SCALANCE S623 - Affected versions: All versions < V4.1 - Remediation: Update to V4.1 Migrate to a successor product within the SCALANCE SC-600 family, V2.1 ( https://support.industry.siemens.com/cs/ww/en/view/109780500) or later version See further recommendations from section "Workarounds and Mitigations" - Download: Update is only available via Siemens Support contact * SCALANCE S627-2M - Affected versions: All versions < V4.1 - Remediation: Update to V4.1 Migrate to a successor product within the SCALANCE SC-600 family, V2.1 ( https://support.industry.siemens.com/cs/ww/en/view/109780500) or later version See further recommendations from section "Workarounds and Mitigations" - Download: Update is only available via Siemens Support Contact * SIMATIC CP 343-1 Advanced (6GK7343-1GX31-0XE0) - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC CP 443-1 (6GK7443-1EX30-0XE0) - Affected versions: All versions < V3.3 - Remediation: Update to V3.3 or later version See recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109817938/ * SIMATIC CP 443-1 (6GK7443-1EX30-0XE1) - Affected versions: All versions < V3.3 - Remediation: Update to V3.3 or later version See recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109817938/ * SIMATIC CP 443-1 Advanced (6GK7443-1GX30-0XE0) - Affected versions: All versions < V3.3 - Remediation: Update to V3.3 or later version See recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109817938/ * SIMATIC CP 443-1 OPC UA (6GK7443-1UX00-0XE0) - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIMATIC CP 1623 (6GK1162-3AA00) - Affected versions: All versions < V14.00.15.00_51.25.00.01 - Remediation: The updated firmware is contained in SIMATIC NET PC Software V14 Update 14 or later version or SIMATIC NET PC Software V16 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109775589/ * SIMATIC CP 1626 (6GK1162-6AA01) - Affected versions: All versions < V1.1.1 - Remediation: Update to V1.1.1 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109792924/ * SIMATIC CP 1628 (6GK1162-8AA00) - Affected versions: All versions < V14.00.15.00_51.25.00.01 - Remediation: Update to SIMATIC NET PC Software V16 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109775589/ * SIPLUS NET CP 343-1 Advanced (6AG1343-1GX31-4XE0) - Affected versions: All versions - Remediation: Currently no fix is planned See recommendations from section "Workarounds and Mitigations" * SIPLUS NET CP 443-1 (6AG1443-1EX30-4XE0) - Affected versions: All versions < V3.3 - Remediation: Update to V3.3 or later version See recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109817938/ * SIPLUS NET CP 443-1 Advanced (6AG1443-1GX30-4XE0) - Affected versions: All versions < V3.3 - Remediation: Update to V3.3 or later version See recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109817938/ * SIPLUS NET IE/PB link PN IO (6AG1411-5AB10-2AA0) - Affected versions: All versions < V4.0.1 - Remediation: Update to V4.0.1 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109780330/ * SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0) - Affected versions: All versions < V2.0 - Remediation: Update to V2.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109774204/ * TIM 1531 IRC (6GK7543-1MX00-0XE0) - Affected versions: All versions < V2.0 - Remediation: Update to V2.0 or later version See further recommendations from section "Workarounds and Mitigations" - Download: https://support.industry.siemens.com/cs/ww/en/view/109774204/ WORKAROUNDS AND MITIGATIONS =========================== Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk: * Disable SNMP if supported by the product; disabling SNMP fully mitigates the vulnerability * Protect network access to port 161/udp of affected devices * Use VPN for protecting network communication between cells Product-specific remediations or mitigations can be found in the section "Affected Products and Solution". Please follow the "General Security Recommendations". GENERAL SECURITY RECOMMENDATIONS ================================ As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial- security), and to follow the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity PRODUCT DESCRIPTION =================== SIMATIC CP 1623, CP 1626 and CP 1628 are PCI express cards for connection to Industrial Ethernet. IE/PB link PN IO is a gateway between Industrial Ethernet and PROFIBUS. SCALANCE S-600 devices (S602, S612, S623, S627-2M) are used to protect trusted industrial networks from untrusted networks. The S-600 devices are superseded by the SCALANCE SC-600 devices (SC622-2C, SC632-2C, SC636-2C, SC642-2C, SC646-2C), or the SCALANCE S615. SIMATIC CP 343-1 and CP 443-1 are communication processors (CP) designed to enable Ethernet communication for SIMATIC S7-300/S7-400 CPUs. SIPLUS extreme products are designed for reliable operation under extreme conditions and are based on SIMATIC, LOGO!, SITOP, SINAMICS, SIMOTION, SCALANCE or other devices. SIPLUS devices use the same firmware as the product they are based on. TIM 1531 IRC is a communication module for SIMATIC S7-1500, S7-400, S7-300 with SINAUT ST7, DNP3 and IEC 60870-5-101/104 with three RJ45 interfaces for communication via IP-based networks (WAN / LAN) and a RS 232/RS 485 interface for communication via classic WAN networks. VULNERABILITY CLASSIFICATION ============================ The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring. An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/. * Vulnerability CVE-2015-5621 An error in the message handling of SNMP messages allows remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted packet sent on port 161/udp (SNMP). The security vulnerability could be exploited by an attacker with network access to the affected device. Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise availability of the affected system. CVSS v3.1 Base Score: 7.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C CWE: CWE-20: Improper Input Validation * Vulnerability CVE-2018-18065 A NULL Pointer Exception bug within the SMNP handling code allows authenticated attacker to remotely cause a denial of service via a crafted packet sent on port 161/udp (SNMP). The security vulnerability could be exploited by an attacker with network access to the affected device. Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise availability of the affected system. CVSS v3.1 Base Score: 6.5 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C CWE: CWE-476: NULL Pointer Dereference ACKNOWLEDGMENTS =============== Siemens thanks the following party for its efforts: * Artem Zinenko from Kaspersky Lab for coordinated disclosure ADDITIONAL INFORMATION ====================== For SCALANCE S-600 family (S602, S612, S623, S627-2M): migrate to a successor product within the SCALANCE SC-600 family, V2.1 ( https://support.industry.siemens.com/cs/ww/en/view/109780500) or later version. For details refer to the notice of discontinuation (https://support.industry.siemens.com/cs/ww/en/view/109756957). For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories HISTORY DATA ============ V1.0 (2020-02-11): Publication Date V1.1 (2020-07-14): Added solution for IE/PB LINK PN IO V1.2 (2020-08-11): Informed about successor products for the SCALANCE S-600 family V1.3 (2021-02-09): Added solution for SIMATIC NET CP 1626 V1.4 (2021-04-13): Added solution for SCALANCE S602, SCALANCE S612, SCALANCE S623, and SCALANCE S627-2M V1.5 (2022-02-08): No remediation planned for SIMATIC CP 443-1 OPC UA, SIMATIC CP 343-1 Advanced, SIPLUS NET CP 343-1 Advanced V1.6 (2022-04-12): Updated remediation for SIMATIC CP 1623 V1.7 (2022-06-14): No fix planned for SIMATIC CP 343-1 Advanced V1.8 (2023-04-11): Added fix for SIMATIC CP 443-1 and CP 443-1 Advanced TERMS OF USE ============ Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use. Copyright: Siemens 2023 -----BEGIN PGP SIGNATURE----- iQIzBAEBCgAdFiEEHyx/myPwjH9jB9tDlm7gTEmyujQFAmQ0owAACgkQlm7gTEmy ujR/vRAA0fujPC2eBGEL+EYrR8EkrN93k+ixON0eqrxmPUokTr4jDv9ef8UhmOIB x5Kqwyac+39epAWKk4uIW/HRQUROGJH905Kvd8hIKMPOE94yIggEK/E8mZiI2z5W v812rUUuvWF/knAxR+hOslmcoTxBxCzonFjTlJIYsFU1zCHHxugdA7Q6i2B3F8M5 O3yp00rUZPTSzQv0M9b5he+XmbJ3IhGoXSLJNyZ7R1Mt6e2edOFPNr5ZM28ldi5C 9vi5O/vSw2s4Sa6q1V75/H0dSi0zrOmGMbbfd5bjkZEc07hRvXyJEBS9b5QwvNh6 XRuhDxEYNoSbdNDw3xf/sfq3npbJItKHwSOQRhZgAPuSPwfEFH5F8BJfzKmxGyuV UDjlOi9tUg1qT4KsqzE9o8SjBuQMsGT11dBlWr4UBKofkoGtaAaLKLEX5OQYxqpf XK+fr334bPKdVyxlNluKtTvJxe/zCE6C2fooDdymrOy26g07/fllT3bUePOC03TH XX72u4BhbAiOpgQG9sFSEZbzfmfcPHuDVv4DEFXCm4lmE9Ivs9siSeTCojF+IRpK 8wAKHMCTlppghl6CdaWhQjXQglC6xGFTDeb+r3ORSdgegwhS/t8eqvlXh/N2C/wG n7UTaygdVuccls2k32f2W714qWz69RQ2cGoRbGqzj1zY2AJF9Gk= =lDDy -----END PGP SIGNATURE-----