Full Report
Several industrial products are affected by a vulnerability that could allow remote attackers to conduct a denial of service attack by sending specially crafted packets to port 161/udp (SNMP). Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where updates are not, or not yet, available.
Analysis Summary
# Vulnerability: SNMP Denial of Service in Siemens Industrial Products
## CVE Details
- **CVE ID:** CVE-2019-13945
- **CVSS Score:** 7.5 (High) -> *Note: The advisory also mentions a score of 6.5 for specific contexts, but the base score for the vulnerability is 7.5.*
- **CWE:** CWE-476: NULL Pointer Dereference
## Affected Systems
- **Products:**
  - IE/PB Link PN IO
  - SCALANCE S602, S612, S623, S627-2M
  - SIMATIC CP 343-1 Advanced
  - SIMATIC CP 443-1 (Standard, Advanced, and OPC UA)
  - SIMATIC CP 1623 and CP 1626
- **Versions:**
  - IE/PB Link PN IO: All versions < V4.0.1
  - SCALANCE S600 series: All versions < V4.1
  - SIMATIC CP 443-1/Advanced: All versions < V3.3
  - SIMATIC CP 1623: All versions < V14.00.15.00_51.25.00.01
- **Configurations:** Systems where SNMP is enabled and port 161/udp is accessible.
## Vulnerability Description
A vulnerability exists in the SNMP implementation of several Siemens industrial products due to a NULL pointer dereference. By sending specially crafted SNMP packets to port 161/udp, a remote attacker can trigger a crash of the affected device's communication functions, leading to a Denial of Service (DoS) condition.
## Exploitation
- **Status:** PoC available (Exploit code maturity marked as "P" in CVSS vector)
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Device rendered unresponsive or network communication interrupted)
## Remediation
### Patches
- **IE/PB Link PN IO:** Update to V4.0.1 or later.
- **SCALANCE S602/S612/S623/S627-2M:** Update to V4.1 (Contact Siemens Support) or migrate to SCALANCE SC-600 family V2.1+.
- **SIMATIC CP 443-1 & Advanced:** Update to V3.3 or later.
- **SIMATIC CP 1623:** Update via SIMATIC NET PC Software V14 SP1 Update 14 (or later).
- **SIMATIC CP 1626:** Update to V1.1 or later.
### Workarounds
- **Disable SNMP:** If not required, disable the SNMP service in the device configuration to close port 161/udp.
- **Network Filtering:** Use external firewalls to restrict access to port 161/udp to only authorized management stations.
- **Micro-segmentation:** Implement the "Cell protection" concept by using industrial security modules (e.g., SCALANCE S) to protect vulnerable components.
## Detection
- **Indicators of Compromise:** Unexpected device reboots or loss of network connectivity coinciding with unusual traffic on UDP port 161.
- **Detection methods:** Use Intrusion Detection Systems (IDS) to monitor for malformed SNMP packets or repeated connection attempts from unauthorized IPs to the device's SNMP port.
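
The two detection points above can be combined in one check: flag 161/udp traffic from sources that are not authorized management stations, then pair it with device outages that follow shortly after. This is an added example, not part of the Siemens advisory; the flow and event record formats, the addresses, the allow list and the five-minute window are all constructed assumptions.

```python
import csv
import io
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumption: authorized SNMP management stations (constructed documentation addresses).
MANAGEMENT_STATIONS = [ip_network("192.0.2.10/32")]

# Constructed flow records: time, source, destination, protocol, destination port.
FLOWS = """\
2024-01-01T10:00:00,192.0.2.10,198.51.100.5,udp,161
2024-01-01T10:04:30,203.0.113.77,198.51.100.5,udp,161
2024-01-01T10:04:31,203.0.113.77,198.51.100.5,udp,161
2024-01-01T10:20:00,203.0.113.77,198.51.100.6,tcp,161
2024-01-01T11:00:00,203.0.113.80,198.51.100.7,udp,161
"""

# Constructed availability events from device monitoring: time, device, event.
EVENTS = """\
2024-01-01T10:05:00,198.51.100.5,unreachable
2024-01-01T12:30:00,198.51.100.7,reboot
"""

def parse(text):
    """Parse CSV rows, converting the first column to a datetime."""
    return [(datetime.fromisoformat(r[0]), *r[1:]) for r in csv.reader(io.StringIO(text)) if r]

def unauthorized_snmp(flows, allowed=MANAGEMENT_STATIONS):
    """Return flows to 161/udp whose source is not an authorized management station."""
    hits = []
    for ts, src, dst, proto, dport in flows:
        if proto == "udp" and dport == "161":
            if not any(ip_address(src) in net for net in allowed):
                hits.append((ts, src, dst))
    return hits

def correlate(flows, events, window=timedelta(minutes=5)):
    """Pair each outage with unauthorized SNMP sources seen at that device shortly before it."""
    suspicious = unauthorized_snmp(flows)
    findings = []
    for ets, device, kind in events:
        sources = sorted({src for ts, src, dst in suspicious
                          if dst == device and timedelta(0) <= ets - ts <= window})
        if sources:
            findings.append((device, kind, sources))
    return findings

if __name__ == "__main__":
    for device, kind, sources in correlate(parse(FLOWS), parse(EVENTS)):
        print(f"{device}: {kind} after unauthorized SNMP from {', '.join(sources)}")
```

The second constructed event is not reported because the unauthorized traffic to that device occurred well outside the window; tune the window to the polling interval of the availability monitoring in use.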
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-978220[.]html
- **Support Links:**
  - hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109780330/
  - hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109817938/
- **Siemens ProductCERT:** hxxps://www[.]siemens[.]com/cert/advisories