Vulnerability identifier: #VU13572

Vulnerability risk: Low

CVSSv3.1: 3.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:U/RC:C]

CVE-ID: CVE-2018-4856

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
SICLOCK TC400
Client/Desktop applications / Other client software
SICLOCK TC100
Client/Desktop applications / Other client software

Vendor: Siemens

Description

Mitigation
Siemens has identified the following specific workarounds and mitigations that customers can apply to
reduce the risk:
• Provide redundant time sources and implement plausibility checks for the time information in critical
plant controllers.
• Protect network access to the affected devices with appropriate measures, e.g. protect SICLOCK
TC devices with firewalls to reduce the risk.
It is recommended to filter traffic to all ports excluding those needed for time synchronization. If
time synchronization is performed using NTP, then port 123/udp must be opened on the firewall. If
time synchronization is performed using SIMATIC time synchronization, then port 22223/udp and
port 22224/udp must be opened on the firewall.
For configuring parameters, it is recommended to use a direct connection to the SICLOCK TC.
• Apply the cell protection concept,  and apply defense-in-depth:  https://www.siemens.com/cert/
operational-guidelines-industrial-security

Vulnerable software versions

SICLOCK TC400: All versions

SICLOCK TC100: All versions

---

External links
http://cert-portal.siemens.com/productcert/pdf/ssa-197012.pdf

---

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.