Input validation error in Siemens Hardware solutions

#VU21932 Input validation error in Siemens Hardware solutions

Published: 2019-10-18

Vulnerability identifier: #VU21932

Vulnerability risk: Medium

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2019-10923

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vendor: Siemens

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can send a specially crafted packet, break the real-time synchronization of the affected installation and cause a denial-of-service condition on the target system.

Mitigation

Install updates from vendor's website for the following vulnerable products:

CP1604/CP1616: All versions prior to 2.8
Development/Evaluation Kits for PROFINET IO:
- DK Standard Ethernet Controller: All versions prior to 4.1.1 Patch 05
- EK-ERTEC 200: All versions prior to 4.5.0 Patch 01
- EK-ERTEC 200P: All versions prior to 4.5.0
SCALANCE X-200IRT: All versions prior to 5.2.1
SIMATIC ET 200M: All versions
SIMATIC ET 200S: All versions
SIMATIC ET 200ecoPN (except 6ES7148-6JD00-0AB0 and 6ES7146-6FF00-0AB0): All versions
SIMATIC ET 200pro: All versions
SIMATIC PN/PN Coupler 6ES7158-3AD01-0XA0: All versions
SIMATIC S7-300 CPU family (incl. F): All versions
SIMATIC S7-400 (incl. F) v6 and below: All versions
SIMATIC S7-400 PN/DP v7 (incl. F): All versions
SIMATIC WinAC RTX (F) 2010: All versions prior to SP3
SIMOTION: All versions
SINAMICS DCM: All versions prior to 1.5 HF1
SINAMICS DCP: All versions
SINAMICS G110M v4.7 (Control Unit): All versions prior to 4.7 SP10 HF5
SINAMICS G120 v4.7 (Control Unit): All versions prior to 4.7 SP10 HF5
SINAMICS G130 v4.7 (Control Unit): All versions prior to 4.7 HF29
SINAMICS G150 (Control Unit): All versions prior to 4.8
SINAMICS GH150 v4.7 (Control Unit): All versions
SINAMICS GL150 v4.7 (Control Unit): All versions
SINAMICS GM150 v4.7 (Control Unit): All versions
SINAMICS S110 (Control Unit): All versions
SINAMICS S120 v4.7 (Control Unit and CBE20): All versions prior to 4.7 HF34
SINAMICS S150 (Control Unit): All versions prior to 4.8
SINAMICS SL150 v4.7 (Control Unit): All versions
SINAMICS SM120 v4.7 (Control Unit): All versions
SINUMERIK 828D: All versions prior to 4.8 SP5
SINUMERIK 840D sl: All versions

Vulnerable software versions

SINUMERIK 840D sl: All versions

SINUMERIK 828D: All versions

SINAMICS SM120: All versions

SINAMICS SL150: All versions

SINAMICS S150: All versions

SINAMICS S120: All versions

SINAMICS S110: All versions

SINAMICS GM150: All versions

SINAMICS GL150: All versions

SINAMICS GH150: All versions

SINAMICS G150: All versions

SINAMICS G130: All versions

SINAMICS G120: All versions

SINAMICS G110M: All versions

SINAMICS DCP: All versions

SINAMICS DCM: All versions

SIMOTION Firmware: All versions

SIMATIC WinAC RTX (F) 2010: All versions

SIMATIC S7-400 PN/DP V7: All versions

SIMATIC S7-400: All versions

SIMATIC S7-300: All versions

SIMATIC PN/PN Coupler: All versions

SIMATIC ET 200pro: All versions

SIMATIC ET 200ecoPN: All versions

SIMATIC ET 200S: All versions

SIMATIC ET 200M: All versions

SCALANCE X-200 IRT: All versions

CP1616: 1.0 - 2.7.2

CP1604: 1.0 - 2.7.2

External links
http://cert-portal.siemens.com/productcert/pdf/ssa-349422.pdf
http://www.us-cert.gov/ics/advisories/icsa-19-283-01

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

Latest bulletins with this vulnerability

Denial of service in Siemens Industrial Real-Time (IRT) Devices