CVE-2022-43716

7.5 HIGH

📋 TL;DR

A denial-of-service vulnerability in the webserver of multiple Siemens SIMATIC communication processors allows attackers to crash the webserver, causing it to restart. This affects industrial control systems using vulnerable versions of these communication modules. The vulnerability stems from a use-after-free issue (CWE-416) in the webserver component.

💻 Affected Systems

Products:
  • SIMATIC CP 1242-7 V2
  • SIMATIC CP 1243-1
  • SIMATIC CP 1243-1 DNP3
  • SIMATIC CP 1243-1 IEC
  • SIMATIC CP 1243-7 LTE EU
  • SIMATIC CP 1243-7 LTE US
  • SIMATIC CP 1243-8 IRC
  • SIMATIC CP 1542SP-1
  • SIMATIC CP 1542SP-1 IRC
  • SIMATIC CP 1543SP-1
  • SIMATIC CP 443-1
  • SIMATIC CP 443-1 Advanced
  • SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL
  • SIPLUS ET 200SP CP 1543SP-1 ISEC
  • SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL
  • SIPLUS NET CP 1242-7 V2
  • SIPLUS NET CP 443-1
  • SIPLUS NET CP 443-1 Advanced
  • SIPLUS S7-1200 CP 1243-1
  • SIPLUS S7-1200 CP 1243-1 RAIL
  • SIPLUS TIM 1531 IRC
  • TIM 1531 IRC
Versions: All versions below: CP 124x: V3.4.29, CP 154x: V2.3, CP 443-1: V3.3, TIM 1531 IRC: V2.3.6
Operating Systems: Embedded firmware on Siemens communication processors
Default Config Vulnerable: ⚠️ Yes
Notes: All affected products with webserver enabled are vulnerable in default configurations. The vulnerability is in the webserver component specifically.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Persistent denial-of-service attacks could render the webserver unavailable, disrupting web-based monitoring and configuration interfaces, potentially affecting operational visibility and maintenance capabilities.

🟠 Likely Case

Temporary disruption of the webserver interface requiring manual restart or waiting for automatic recovery, impacting web-based management functions but not core PLC/control functionality.

🟢 If Mitigated

Minimal impact with proper network segmentation and access controls limiting exposure to trusted networks only.

🌐 Internet-Facing: HIGH if devices are directly exposed to the internet, as unauthenticated attackers could trigger the DoS condition.
🏢 Internal Only: MEDIUM as internal attackers or malware could exploit the vulnerability to disrupt management interfaces.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires network access to the webserver port (typically TCP 80/443) but no authentication. Exploitation likely involves sending specially crafted HTTP requests.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: CP 124x: V3.4.29 or later, CP 154x: V2.3 or later, CP 443-1: V3.3 or later, TIM 1531 IRC: V2.3.6 or later

Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-139628.html

Restart Required: Yes

Instructions:

1. Download firmware updates from Siemens Industrial Online Support
2. Backup current configuration
3. Apply firmware update following Siemens documentation
4. Verify successful update and restore configuration if needed
5. Test functionality

🔧 Temporary Workarounds

Network Segmentation

Restrict access to webserver interfaces to trusted networks only using firewalls or network segmentation.

Disable Unused Webserver

If the web interface is not required for operations, disable the webserver functionality.

🧯 If You Can't Patch

  • Implement strict network access controls to limit webserver access to authorized personnel only
  • Monitor for webserver restart events and implement compensating detection controls

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via TIA Portal, the web interface, or the device display, and compare it against the affected version ranges.

Check Version:

Via TIA Portal: Online & Diagnostics > Functions > Firmware update, or via web interface: System Information

Verify Fix Applied:

Confirm firmware version is at or above patched versions: CP 124x ≥ V3.4.29, CP 154x ≥ V2.3, CP 443-1 ≥ V3.3, TIM 1531 IRC ≥ V2.3.6
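
The version comparison above can be run over an asset inventory. This is an added example, not Siemens code or part of the vendor advisory; the family-matching patterns, function names and inventory rows are assumptions constructed for illustration.

```python
import re

# Fixed firmware per product family, taken from the version list on this page.
FIXED = {"CP 124x": (3, 4, 29), "CP 154x": (2, 3),
         "CP 443-1": (3, 3), "TIM 1531 IRC": (2, 3, 6)}

# Assumption: a product belongs to a family by the model number in its name.
FAMILIES = [(re.compile(r"\bCP 124\d"), "CP 124x"),
            (re.compile(r"\bCP 154\d"), "CP 154x"),
            (re.compile(r"\bCP 443-1\b"), "CP 443-1"),
            (re.compile(r"\bTIM 1531 IRC\b"), "TIM 1531 IRC")]

def family_of(product):
    """Return the page's family label for a product name, or None."""
    return next((fam for pat, fam in FAMILIES if pat.search(product)), None)

def parse_version(text):
    """'V3.4.29' -> (3, 4, 29). Takes the firmware field only, never the
    product name: the 'V2' in 'CP 1242-7 V2' is part of the listed name."""
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def is_vulnerable(product, firmware):
    """True if below the fixed version, False if not, None if not listed."""
    family = family_of(product)
    if family is None:
        return None
    have, fixed = parse_version(firmware), FIXED[family]
    width = max(len(have), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))  # so V2.3 == V2.3.0
    return pad(have) < pad(fixed)

# Constructed inventory rows (asset, product, firmware); not real devices.
INVENTORY = [
    ("cp-01", "SIMATIC CP 1242-7 V2", "V3.4.28"),
    ("cp-02", "SIPLUS S7-1200 CP 1243-1 RAIL", "V3.4.29"),
    ("cp-03", "SIMATIC CP 1543SP-1", "V2.3.0"),
    ("cp-04", "SIMATIC CP 443-1 Advanced", "V3.2.17"),
    ("cp-05", "TIM 1531 IRC", "V2.3.6"),
    ("sw-01", "Unlisted switch", "V1.0"),
]

def audit(inventory):
    """Names of assets whose firmware is below the fixed version."""
    return [name for name, product, fw in inventory if is_vulnerable(product, fw)]

if __name__ == "__main__":
    print(audit(INVENTORY))
```

Assets that return None are not in the affected product list and need no action for this CVE.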

📡 Detection & Monitoring

Log Indicators:

  • Webserver restart events
  • Unexpected webserver crashes
  • Multiple failed connection attempts to webserver

Network Indicators:

  • Unusual HTTP traffic patterns to device webserver ports
  • Multiple rapid HTTP requests from single source

SIEM Query:

source="industrial_device" AND (event="webserver_restart" OR event="service_crash")
