CVE-2022-43768

7.5 HIGH

📋 TL;DR

A denial-of-service vulnerability exists in the webserver of multiple Siemens SIMATIC communication processors. Attackers can crash the webserver component, disrupting web-based management interfaces. This affects industrial control system components used in critical infrastructure and manufacturing environments.

💻 Affected Systems

Products:
  • SIMATIC CP 1242-7 V2
  • SIMATIC CP 1243-1
  • SIMATIC CP 1243-1 DNP3
  • SIMATIC CP 1243-1 IEC
  • SIMATIC CP 1243-7 LTE EU
  • SIMATIC CP 1243-7 LTE US
  • SIMATIC CP 1243-8 IRC
  • SIMATIC CP 1542SP-1
  • SIMATIC CP 1542SP-1 IRC
  • SIMATIC CP 1543SP-1
  • SIMATIC CP 443-1
  • SIMATIC CP 443-1 Advanced
  • SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL
  • SIPLUS ET 200SP CP 1543SP-1 ISEC
  • SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL
  • SIPLUS NET CP 1242-7 V2
  • SIPLUS NET CP 443-1
  • SIPLUS NET CP 443-1 Advanced
  • SIPLUS S7-1200 CP 1243-1
  • SIPLUS S7-1200 CP 1243-1 RAIL
  • SIPLUS TIM 1531 IRC
  • TIM 1531 IRC
Versions: All versions below specified thresholds (V3.4.29 for CP 124x series, V2.3 for CP 154x series, V3.3 for CP 443 series, V2.3.6 for TIM 1531 IRC)
Operating Systems: Embedded firmware on Siemens industrial devices
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is in the webserver component; devices with web interface enabled are vulnerable regardless of other configuration settings.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete loss of web-based management capabilities, requiring physical access to restore functionality, potentially disrupting industrial operations.

🟠 Likely Case

Temporary unavailability of web management interface until device restart, causing operational inconvenience but not affecting core control functions.

🟢 If Mitigated

Minimal impact if web interface is disabled or network access is restricted, with core PLC communication remaining functional.

🌐 Internet-Facing: HIGH - Directly exposed devices are vulnerable to simple DoS attacks from anywhere on the internet.
🏢 Internal Only: MEDIUM - Internal attackers or malware could disrupt management interfaces, but core control functions typically remain operational.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Based on CVSS score and description, exploitation appears straightforward for attackers with network access to the webserver.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V3.4.29 for CP 124x series, V2.3 for CP 154x series, V3.3 for CP 443 series, V2.3.6 for TIM 1531 IRC

Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-139628.html

Restart Required: Yes

Instructions:

1. Download firmware update from Siemens Industry Online Support.
2. Backup device configuration.
3. Apply firmware update via TIA Portal or appropriate programming software.
4. Restart device.
5. Verify web interface functionality.

🔧 Temporary Workarounds

Disable Web Interface

Platform: all

Disable the webserver component if web management is not required.

Configure via TIA Portal or device configuration tool to disable HTTP/HTTPS services.

Network Segmentation

Platform: all

Restrict network access to web interface using firewalls or VLANs.

Add firewall rules to block external access to TCP ports 80/443 on affected devices.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate affected devices from untrusted networks
  • Disable web interface entirely and use alternative management methods (TIA Portal, console)

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via TIA Portal Project > Online & Diagnostics > Online access > Firmware version

Check Version:

No CLI command; use TIA Portal or device web interface to check firmware version

Verify Fix Applied:

Verify firmware version is at or above patched version and test web interface functionality
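For fleets too large to check one device at a time, the version comparison can be scripted over an asset-inventory export. The following is an added example, not code from this page or from Siemens; it assumes a hypothetical inventory of (product name, firmware version) pairs read out via TIA Portal, and uses only the thresholds and product names listed above.

```python
import re

# Fixed-version thresholds as listed on this page. The patterns are an
# assumption of this example: they match the family inside the product name.
FIXED = [
    (re.compile(r"\bCP 124\d"), "V3.4.29"),        # CP 124x series
    (re.compile(r"\bCP 154\dSP"), "V2.3"),         # CP 154x series (SP models listed)
    (re.compile(r"\bCP 443\b"), "V3.3"),           # CP 443 series
    (re.compile(r"\bTIM 1531 IRC\b"), "V2.3.6"),   # TIM 1531 IRC
]

def parse_version(text):
    """Turn 'V3.4.29' or '3.4.29' into (3, 4, 29); reject anything else."""
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def is_below(version, fixed):
    """Numeric comparison, padded so that V2.3 and V2.3.0 compare equal."""
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def assess(product, firmware):
    """Return (status, fixed_version) for one inventory row."""
    for pattern, fixed in FIXED:
        if pattern.search(product):
            try:
                return ("vulnerable" if is_below(firmware, fixed) else "fixed", fixed)
            except ValueError:
                return ("unknown", fixed)   # needs a manual check in TIA Portal
    return ("not-listed", None)

# Constructed sample inventory (not real device data).
INVENTORY = [
    ("SIMATIC CP 1242-7 V2", "V3.4.29"),   # "V2" is part of the product name
    ("SIPLUS S7-1200 CP 1243-1", "V3.3.46"),
    ("SIPLUS ET 200SP CP 1543SP-1 ISEC", "V2.3.0"),
    ("SIMATIC CP 443-1 Advanced", "V3.2.17"),
    ("TIM 1531 IRC", "V2.3.10"),           # a string compare would sort this below V2.3.6
    ("SIMATIC CP 1543SP-1", "n/a"),
]

if __name__ == "__main__":
    for product, firmware in INVENTORY:
        status, fixed = assess(product, firmware)
        print(f"{status:<11} {product} (installed {firmware}, fixed in {fixed})")
```

Rows reported as `unknown` or `not-listed` should be checked by hand rather than treated as patched.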

📡 Detection & Monitoring

Log Indicators:

  • Webserver crash logs
  • Repeated connection attempts to web interface
  • Unusual traffic patterns to device web ports

Network Indicators:

  • Multiple HTTP requests to device web interface followed by service unavailability
  • Port scanning activity targeting industrial device web ports

SIEM Query:

source="industrial-firewall" dest_port IN (80,443) AND dest_ip IN (affected_device_ips) AND event_count > threshold
