Full Report
The devices referenced below contain multiple vulnerabilities that could be exploited when the SINEMA Remote Connect Server (SRCS) VPN feature is used. The feature is not activated by default. The most severe could allow an attacker to execute arbitrary code with elevated privileges under certain circumstances. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in the SRCS VPN Feature in SIMATIC CP Devices
## CVE Details
- **CVE ID:** CVE-2022-34819, CVE-2022-34820, CVE-2022-34821
- **CVSS Score:**
  - CVE-2022-34819: 10.0 (Critical)
  - CVE-2022-34820: 8.4 (High)
  - CVE-2022-34821: 7.6 (High)
- **CWE:** CWE-122 (Heap-based Buffer Overflow), CWE-77 (Command Injection), CWE-94 (Code Injection)
## Affected Systems
- **Products:**
  - SIMATIC CP 1242-7 V2
  - SIPLUS NET CP 1242-7 V2
  - SIPLUS NET CP 1543-1
  - SIPLUS S7-1200 CP 1243-1 (including RAIL variants)
  - SIMATIC CP 1243-7 LTE, CP 1243-8 IRC, CP 1542SP-1 IRC, and CP 1543SP-1 (as implied by the update history)
- **Versions:**
  - CP 1242-7 V2: All versions < V2.2.28
  - SIPLUS NET CP 1242-7 V2 / CP 1243-1: All versions < V3.3.46
  - SIPLUS NET CP 1543-1: All versions < V3.0.22
- **Configurations:** Vulnerabilities specifically affect devices where the **SINEMA Remote Connect Server (SRCS) VPN feature** is enabled. This feature is not activated by default.
## Vulnerability Description
The vulnerabilities exist within the implementation of the SRCS VPN feature:
1. **CVE-2022-34819:** Lack of proper validation when parsing specific messages leads to a heap-based buffer overflow, potentially allowing arbitrary code execution.
2. **CVE-2022-34820:** Failure to correctly escape user-provided fields during authentication allows for command injection.
3. **CVE-2022-34821:** Improper control of OpenVPN configuration options allows an attacker to inject code and execute it with elevated privileges.
## Exploitation
- **Status:** PoC available (CVSS Exploit Code Maturity: Functional/Proven). No confirmed reports of exploitation in the wild at the time of the advisory.
- **Complexity:** Low (CVE-2022-34819/34820) to High (CVE-2022-34821).
- **Attack Vector:** Network (CVE-2022-34819) or Adjacent (CVE-2022-34820/34821).
## Impact
- **Confidentiality:** High (Full access to device data)
- **Integrity:** High (Ability to modify system settings/firmware)
- **Availability:** High (Potential for total device denial of service)
## Remediation
### Patches
- **SIMATIC CP 1242-7 V2:** Update to V2.2.28 or later.
- **SIPLUS NET CP 1242-7 V2 / CP 1243-1:** Update to V3.3.46 or later.
- **SIPLUS NET CP 1543-1:** Update to V3.0.22 or later.
### Workarounds
- **Disable Feature:** Turn off the SINEMA Remote Connect Server (SRCS) VPN feature if not required.
- **Network Filtering:** Block access to port **5243/udp** via an external firewall.
- **Trust Management:** Ensure the CP is configured to connect only to trusted SRCS instances.
## Detection
- **Indicators of Compromise:** Monitor for unusual traffic on UDP port 5243 or unauthorized configuration changes in OpenVPN settings.
- **Detection methods and tools:** Use SIEM/IDS to monitor for unexpected outbound connections from PLC communication modules to unknown remote servers.
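The two detection items above can be turned into a concrete check over flow or firewall logs. The script below is an added example, not part of the Siemens advisory or this report: it parses constructed sample log lines in a hypothetical `key=value` format, and flags any UDP flow to port 5243 that leaves a PLC communication-module subnet for a destination that is not on the site's list of trusted SRCS instances. The log format, the `TRUSTED_SRCS` set and the `CP_MODULE_NETS` subnet are assumptions standing in for a real site inventory.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample flow-log lines in a hypothetical key=value format; not real captures.
SAMPLE_LOG = """\
2024-05-01T08:00:01Z proto=udp src=10.10.1.21 sport=49152 dst=192.0.2.10 dport=5243 action=allow
2024-05-01T08:00:05Z proto=udp src=10.10.1.22 sport=49153 dst=198.51.100.7 dport=5243 action=allow
2024-05-01T08:00:09Z proto=tcp src=10.10.1.21 sport=49154 dst=192.0.2.10 dport=443 action=allow
2024-05-01T08:00:12Z proto=udp src=10.10.2.5 sport=49155 dst=203.0.113.9 dport=5243 action=allow
this line is malformed and must be skipped rather than crash the parser
"""

# Assumed site inventory (placeholder values): the SRCS instances the CPs are
# meant to reach, and the subnet(s) that hold the PLC communication modules.
TRUSTED_SRCS = {ipaddress.ip_address("192.0.2.10")}
CP_MODULE_NETS = [ipaddress.ip_network("10.10.1.0/24")]
SRCS_PORT = 5243  # UDP port named in the advisory's network-filtering workaround

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>[\d.]+) sport=\d+ "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=\w+$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int


def parse_line(line: str) -> Optional[Flow]:
    """Parse one log line; return None for lines that do not match the expected format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        return Flow(
            m["ts"],
            m["proto"].lower(),
            ipaddress.ip_address(m["src"]),
            ipaddress.ip_address(m["dst"]),
            int(m["dport"]),
        )
    except ValueError:  # e.g. an address that is not a valid IPv4 literal
        return None


def is_cp_module(ip: ipaddress.IPv4Address) -> bool:
    """True if the address belongs to a subnet holding PLC communication modules."""
    return any(ip in net for net in CP_MODULE_NETS)


def find_suspicious(log_text: str) -> List[Flow]:
    """Return UDP/5243 flows from a CP-module subnet to a destination not on the trusted SRCS list."""
    hits: List[Flow] = []
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is None:
            continue  # unparseable lines are skipped, never treated as a match
        if (
            flow.proto == "udp"
            and flow.dport == SRCS_PORT
            and is_cp_module(flow.src)
            and flow.dst not in TRUSTED_SRCS
        ):
            hits.append(flow)
    return hits


if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        print(f"ALERT {f.ts}: CP {f.src} -> untrusted SRCS candidate {f.dst}:{f.dport}/{f.proto}")
```

Of the four well-formed sample lines only the second is reported: it is UDP to port 5243, originates in the CP-module subnet, and its destination is not a trusted SRCS. The TCP/443 line, and the UDP/5243 line from a host outside the CP subnet, are deliberately left alone so that the rule stays narrow; the same logic can be expressed as a SIEM correlation rule keyed on the same three conditions.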
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/html/ssa-517377.html
- **Siemens Operational Guidelines:** hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security
- **Support Links:**
  - hxxps://support.industry.siemens[.]com/cs/ww/en/view/109817067/
  - hxxps://support.industry.siemens[.]com/cs/ww/en/view/109812218