CVE-2023-38380
📋 TL;DR
A memory leak vulnerability in the webserver of multiple Siemens SIMATIC and SIPLUS industrial communication products allows attackers with network access to cause a denial-of-service condition. This affects various CP series devices and SINAMICS S210 drives running specific vulnerable firmware versions. The issue stems from improper memory management (CWE-401) in the webserver implementation.
💻 Affected Systems
- SIMATIC CP 1242-7 V2
- SIMATIC CP 1243-1
- SIMATIC CP 1243-1 DNP3
- SIMATIC CP 1243-1 IEC
- SIMATIC CP 1243-7 LTE
- SIMATIC CP 1243-8 IRC
- SIMATIC CP 1542SP-1
- SIMATIC CP 1542SP-1 IRC
- SIMATIC CP 1543-1
- SIMATIC CP 1543SP-1
- SINAMICS S210
- SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL
- SIPLUS ET 200SP CP 1543SP-1 ISEC
- SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL
- SIPLUS NET CP 1543-1
📦 What is this software?
SIMATIC CP 1243-1 DNP3 firmware by Siemens
⚠️ Risk & Real-World Impact
Worst Case
An attacker could repeatedly exploit the memory leak to exhaust system resources, leading to a complete webserver crash and disruption of network communication, potentially affecting industrial operations.
Likely Case
Denial-of-service causing the webserver to become unresponsive, impacting web-based management and monitoring interfaces but not necessarily halting core device functions.
If Mitigated
With network segmentation and access controls, the impact is limited to internal, authorized users, reducing the risk of widespread disruption.
🎯 Exploit Status
Exploitation requires network access but no authentication, making it straightforward for attackers to trigger DoS via crafted requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V3.4.29 for CP 124x series, V2.3 for CP 1542SP-1/1543SP-1, V3.0.37 for CP 1543-1, V6.1 HF2 for SINAMICS S210.
Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-139628.html
Restart Required: Yes
Instructions:
1. Identify the affected device model and its current firmware version.
2. Download the patched firmware from the Siemens support portal.
3. Follow the vendor-specific upgrade procedure, typically via engineering software such as TIA Portal.
4. Restart the device after the firmware update.
🔧 Temporary Workarounds
Network Segmentation
Restrict network access to affected devices by placing them behind firewalls or in isolated networks to prevent unauthorized exploitation.
Disable Unnecessary Webserver Access
If possible, disable the webserver interface or limit its exposure to trusted management networks only.
🧯 If You Can't Patch
- Implement strict network access controls to limit traffic to affected devices from trusted sources only.
- Monitor device logs and network traffic for unusual webserver activity or DoS attempts.
🔍 How to Verify
Check if Vulnerable:
Read the firmware version from the device via its web interface or engineering software and compare it against the patched versions listed under Official Fix above.
Check Version:
Use device-specific commands or the web interface; for example, open the device's web management page and navigate to the system information view to read the firmware version.
Verify Fix Applied:
After updating, confirm the firmware version matches or exceeds the patched version specified by Siemens.
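The comparison described above, as an added example for this page (not Siemens tooling): it encodes the fixed versions from the Official Fix section and flags inventory entries running older firmware. Grouping devices by model-name prefix and ordering an "HF" hotfix below the next point release are assumptions of this example.

```python
import re

# Fixed firmware versions exactly as given in the Official Fix section above.
# Grouping devices by model-name prefix is this example's own assumption.
FIXED_VERSIONS = {
    "SIMATIC CP 124": "V3.4.29",  # CP 124x series: CP 1242-7 V2, CP 1243-x
    "SIMATIC CP 1542SP-1": "V2.3",
    "SIMATIC CP 1543SP-1": "V2.3",
    "SIPLUS ET 200SP CP 1542SP-1": "V2.3",
    "SIPLUS ET 200SP CP 1543SP-1": "V2.3",
    "SIMATIC CP 1543-1": "V3.0.37",
    "SIPLUS NET CP 1543-1": "V3.0.37",
    "SINAMICS S210": "V6.1 HF2",
}
# Accepts "V3.4.29", "3.0.37" or "V6.1 HF2" (optional "V", optional hotfix suffix).
VERSION_RE = re.compile(r"^V?(\d+(?:\.\d+)*)(?:\s*HF(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Version string -> comparable tuple: four numeric parts plus hotfix number.
    Ordering a hotfix below the next point release (V6.1 < V6.1 HF2 < V6.2) is an assumption."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))
    return tuple(parts[:4]) + (int(m.group(2) or 0),)


def fixed_version_for(model):
    """Fixed version for a model name via longest matching prefix, or None if not listed."""
    matches = [prefix for prefix in FIXED_VERSIONS if model.startswith(prefix)]
    return FIXED_VERSIONS[max(matches, key=len)] if matches else None


def is_vulnerable(model, firmware):
    """True if firmware predates the fix, False if at/after it, None if model is not listed."""
    fixed = fixed_version_for(model)
    return None if fixed is None else parse_version(firmware) < parse_version(fixed)


# Constructed sample inventory (model, reported firmware); not real device data.
SAMPLE_INVENTORY = [
    ("SIMATIC CP 1243-1 DNP3", "V3.4.28"),
    ("SIMATIC CP 1543-1", "V3.0.37"),
    ("SINAMICS S210", "V6.1"),
    ("SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL", "V2.2"),
]

if __name__ == "__main__":
    labels = {True: "VULNERABLE", False: "fixed", None: "not in this advisory"}
    for model, fw in SAMPLE_INVENTORY:
        print(f"{model:45} {fw:10} {labels[is_vulnerable(model, fw)]}")
```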
📡 Detection & Monitoring
Log Indicators:
- Unusual memory usage spikes in device logs
- Webserver crash or restart events
- Repeated failed connection attempts to webserver
Network Indicators:
- Abnormal HTTP traffic patterns to device webserver ports
- Increased network latency or timeouts to affected devices
SIEM Query:
Example: search for source IPs sending a high rate of requests to port 80/443 on the affected devices, correlated with memory-related errors or webserver restart events in device logs.
🔗 References
- https://cert-portal.siemens.com/productcert/html/ssa-139628.html
- https://cert-portal.siemens.com/productcert/html/ssa-625862.html
- https://cert-portal.siemens.com/productcert/html/ssa-693975.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-693975.pdf