Full Report
There are multiple vulnerabilities in an underlying Link Layer Discovery Protocol (LLDP) third-party library. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Multiple LLDP Vulnerabilities in Siemens Industrial Products
## CVE Details
- **CVE ID:** CVE-2015-8011
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-120 (Buffer Copy without Checking Size of Input)
- **CVE ID:** CVE-2020-27827
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-400 (Uncontrolled Resource Consumption)
## Affected Systems
- **Products:** SIMATIC CP 1243-1, CP 1243-8 IRC, CP 1542SP-1 (including IRC and Rail variants), CP 1543-1, CP 1543SP-1 (including ISEC and Rail variants), CP 1545-1, SIMATIC HMI Unified Comfort Panels, and SINUMERIK ONE MCP.
- **Versions:**
  - CP 1243-1 & 1243-8 IRC: < V3.3.46
  - CP 1542SP-1 & 1543SP-1 variants: < V2.2.28
  - CP 1543-1: < V3.0
  - CP 1545-1: < V1.1
  - HMI Unified Comfort Panels: < V17
  - SINUMERIK ONE MCP: < V2.0.1
- **Configurations:** Systems with Link Layer Discovery Protocol (LLDP) enabled.
## Vulnerability Description
These vulnerabilities exist in a third-party library used for LLDP:
- **CVE-2015-8011:** A classic buffer overflow in the `lldp_decode` function. It occurs when handling large management addresses and TLV (Type-Length-Value) boundaries: the decoder copies data without checking that the declared lengths fit within the received packet, potentially allowing memory corruption.
- **CVE-2020-27827:** A memory leak triggered by specially crafted LLDP packets during the allocation of data for optional TLVs. Repeated packets cause the leaked allocations to accumulate, which over time results in resource exhaustion.
## Exploitation
- **Status:** Not exploited (CVE-2015-8011: Understated/Unused; CVE-2020-27827: Proof-of-concept available/Functional).
- **Complexity:** Low
- **Attack Vector:** Network (Note: LLDP is a link-layer protocol, so frames are normally only reachable from the local link, i.e. from an adjacent device; the CVSS vector nevertheless rates the attack vector as "Network").
## Impact
- **Confidentiality:** High (CVE-2015-8011)
- **Integrity:** High (CVE-2015-8011)
- **Availability:** High (Both CVEs; can cause daemon crashes or system-wide denial of service).
## Remediation
### Patches
- **CP 1243-1 / CP 1243-8 IRC:** Update to V3.3.46 or later.
- **CP 1542SP-1 / CP 1543SP-1 variants:** Update to V2.2.28 or later.
- **CP 1543-1:** Update to V3.0 or later.
- **CP 1545-1:** Update to V1.1 or later.
- **HMI Unified Comfort Panels:** Update to V17 or later.
- **SINUMERIK ONE MCP:** Update to V2.0.1 (Contact Siemens representative).
### Workarounds
- **Disable LLDP:** If the protocol is not required for network topology discovery, disabling it removes the vulnerable code path from the reachable attack surface.
- **Defense in Depth:** Ensure the industrial environment follows the Siemens "Operational Integrity" concept, restricting physical and logical access to the internal network.
## Detection
- **Indicators of Compromise:** Unexpected crashes of the LLDP daemon or communication modules; unexplained memory exhaustion on affected hardware.
- **Detection methods and tools:** Monitor for unusual LLDP traffic containing abnormally large management address strings or a high rate of optional TLVs using network intrusion detection or prevention systems (NIDS/NIPS).
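The bounds check the vulnerable decoder is missing is also the check a detection rule needs. The following is an added example, not code from Siemens or from the affected LLDP library: a small Python LLDP TLV walker that validates the declared TLV lengths against the frame and, for the Management Address TLV (type 8), validates the embedded address-string length against both the IEEE 802.1AB maximum (32 bytes including the subtype byte) and the TLV payload. The sample frames are constructed inline; the function and constant names are this example's own.

```python
import struct

END_TLV = 0
MGMT_ADDR_TLV = 8
# IEEE 802.1AB: address string length = 1 subtype byte + up to 31 address bytes
MAX_MGMT_ADDR_STRING = 32
# Bytes that must follow the address string: interface numbering subtype (1),
# interface number (4), OID string length (1)
MGMT_ADDR_TRAILER = 6


def parse_tlvs(frame: bytes):
    """Return a list of (type, value) pairs.

    Raises ValueError when a TLV header declares more bytes than remain in
    the frame, i.e. the condition an unchecked copy would overrun on.
    """
    tlvs = []
    off = 0
    while off + 2 <= len(frame):
        hdr = struct.unpack_from("!H", frame, off)[0]
        ttype, tlen = hdr >> 9, hdr & 0x1FF  # 7-bit type, 9-bit length
        off += 2
        if off + tlen > len(frame):
            raise ValueError(f"TLV type {ttype} declares {tlen} bytes but frame is truncated")
        tlvs.append((ttype, frame[off:off + tlen]))
        off += tlen
        if ttype == END_TLV:
            break
    return tlvs


def check_management_address(value: bytes):
    """Return a list of findings for one Management Address TLV payload."""
    findings = []
    if not value:
        return ["management address TLV is empty"]
    addr_len = value[0]
    if addr_len < 1 or addr_len > MAX_MGMT_ADDR_STRING:
        findings.append(f"management address string length {addr_len} outside 1..{MAX_MGMT_ADDR_STRING}")
    # The length byte itself plus the address string plus the fixed trailer
    # must fit inside the TLV payload; otherwise a copy would read past it.
    if 1 + addr_len + MGMT_ADDR_TRAILER > len(value):
        findings.append(f"management address string length {addr_len} exceeds TLV payload of {len(value)} bytes")
    return findings


def scan_frame(frame: bytes):
    """Return all findings for an LLDP frame (payload after the Ethernet header)."""
    try:
        tlvs = parse_tlvs(frame)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    for ttype, value in tlvs:
        if ttype == MGMT_ADDR_TLV:
            findings.extend(check_management_address(value))
    return findings


def tlv(ttype: int, value: bytes) -> bytes:
    """Build one TLV (used only to construct the sample frames below)."""
    return struct.pack("!H", (ttype << 9) | len(value)) + value


# Constructed well-formed LLDPDU: chassis ID (MAC), port ID (interface name),
# TTL, one management address (IPv4 192.0.2.1), end-of-LLDPDU.
MGMT_OK = b"\x05\x01" + bytes([192, 0, 2, 1]) + b"\x02" + b"\x00\x00\x00\x01" + b"\x00"
BENIGN_FRAME = (
    tlv(1, b"\x04" + bytes.fromhex("001122334455"))
    + tlv(2, b"\x05eth0")
    + tlv(3, b"\x00\x78")
    + tlv(MGMT_ADDR_TLV, MGMT_OK)
    + tlv(END_TLV, b"")
)

# Constructed malformed LLDPDU: identical, but the address string length byte
# claims 200 bytes while the TLV payload is still only 12 bytes long.
MALFORMED_FRAME = BENIGN_FRAME.replace(tlv(MGMT_ADDR_TLV, MGMT_OK), tlv(MGMT_ADDR_TLV, b"\xc8" + MGMT_OK[1:]))

# Constructed truncated LLDPDU: the management address TLV header is intact
# but the frame ends before its declared payload does.
TRUNCATED_FRAME = BENIGN_FRAME[:-3]

if __name__ == "__main__":
    for name, frame in (("benign", BENIGN_FRAME), ("malformed", MALFORMED_FRAME), ("truncated", TRUNCATED_FRAME)):
        print(name, scan_frame(frame) or "no findings")
```

The same two checks (declared length versus remaining bytes, and nested length versus enclosing TLV) are what a NIDS rule for this advisory has to express; a rule that only looks at the outer TLV length will miss the nested management address length that CVE-2015-8011 concerns.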
## References
- **Vendor Advisory:**
  - hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-941426.pdf
  - hxxps://www.siemens[.]com/cert/advisories
- **Technical Links:**
  - hxxps://cwe.mitre[.]org/data/definitions/120.html
  - hxxps://cwe.mitre[.]org/data/definitions/400.html