Full Report
Several SIMATIC CP devices contain direct memory access vulnerabilities that could allow an attacker to execute code, access the PROFINET network without restrictions or perform denial of service attacks. Siemens recommends specific countermeasures for products where updates are not, or not yet, available.
Analysis Summary
# Vulnerability: Direct Memory Access Flaws in SIMATIC CP Devices
## CVE Details
- CVE ID: CVE-2023-37194, CVE-2023-37195
- CVSS Score: 6.7 (High) for CVE-2023-37194; 4.4 (Medium) for CVE-2023-37195
- CWE: CWE-284: Improper Access Control (CVE-2023-37194); CWE-400: Uncontrolled Resource Consumption (CVE-2023-37195)
## Affected Systems
- Products: SIMATIC CP 1604, SIMATIC CP 1616, SIMATIC CP 1623, SIMATIC CP 1626, SIMATIC CP 1628
- Versions: All versions
- Configurations: Requires local attacker with administrative privileges for exploitation.
## Vulnerability Description
These vulnerabilities stem from flaws in how Direct Memory Access (DMA) is handled by the affected SIMATIC CP devices, which function as Industrial Ethernet connection cards (PCI express or PCI/PCI-104).
1. **CVE-2023-37194 (Code Execution/Access Control):** The kernel memory is exposed to user-mode via DMA. This allows a local attacker with administrative privileges to execute arbitrary code on the host system without restrictions.
2. **CVE-2023-37195 (Denial of Service):** The devices insufficiently control continuous mapping of DMA requests. This can cause a denial of service condition on the host system, requiring a physical power cycle to recover.
## Exploitation
- Status: PoC available (Note: in the CVSS temporal vector, E:P indicates Proof-of-Concept exploit code exists, RL:O indicates an Official Fix is available, and RC:C indicates Report Confidence: Confirmed)
- Complexity: Low (for the technical execution, though administrative prerequisites exist)
- Attack Vector: Local (AV:L listed in CVSS vector)
## Impact
| Vulnerability | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| CVE-2023-37194 | High | High | High |
| CVE-2023-37195 | No Impact | No Impact | High |
(Note: The high impact on C/I/A for CVE-2023-37194 aligns with the description of unrestricted code execution and access to the PROFINET network.)
## Remediation
### Patches
- **No specific fixes are currently planned** for any of the listed affected products (CP 1604, CP 1616, CP 1623, CP 1626, CP 1628). Customers must rely on workarounds.
### Workarounds
1. **Restrict Access:** Ensure that only trusted persons have access to the system.
2. **Limit Admin Rights:** Avoid the configuration of additional accounts with administrator rights.
3. **Network Protection:** Apply appropriate mechanisms to protect network access to the devices.
4. **Follow Guidelines:** Configure the environment according to Siemens' operational guidelines for Industrial Security and recommendations in product manuals.
## Detection
- The advisory does not specify explicit IOCs related to network traffic or logs, as the vulnerabilities primarily require local, administrative access to trigger DMA manipulation.
- **Detection methods** should focus on monitoring host systems for unauthorized attempts to manipulate DMA resources or unexpected system instability/crashes requiring physical reboot (indicative of CVE-2023-37195). Audit administrative account usage strictly.
## References
- Vendor Advisories: Siemens SSA-784849
- Relevant links (defanged):
  - hxxps://cert-portal.siemens.com/productcert/html/ssa-784849.html
  - hxxps://www.siemens.com/cert/operational-guidelines-industrial-security
  - hxxps://www.siemens.com/industrialsecurity
  - hxxps://www.siemens.com/cert/advisories