Web application penetration testing specialists report the finding of multiple exploitable vulnerabilities in some industrial control products developed by Siemens. According to reports, successful exploitation of these flaws would allow the deployment of denial-of-service (DoS) attacks.
Below are brief descriptions of the reported flaws, in addition to their respective identification keys and scores according to the Common Vulnerability Scoring System (CVSS).
CVE-2019-8460: The kernel may be forced to make highly expensive calls for each incoming SELECTIVE TCP Recognition (SACK) packet, which can lead to a DoS condition. The flaw received a score of 7.5/10.
CVE-2019-11477: The kernel is affected by an integer overflow when handling selective TCP acknowledgments, which could lead to a DoS condition. The vulnerability received a score of 7.5/10.
CVE-2019-11478: A remote threat actor could send specially designed SELECTIVE TCP Recognition (SACK) streams can cause a DoS condition. This flaw received a score of 5.3/10, web application penetration testing experts mention.
CVE-2019-11479: Malicious hackers can exploit a severe vulnerability in the TCP relay queue deployment kernel to generate a denial of service (DoS) condition. The flaw received a score of 5.3/10.
Below is a list of all the products listed below:
- CloudConnect 712: All versions prior to 1.1.5
- ROX II: All versions prior to 2.13.3 (Only vulnerable to CVE-2019-11479)
- RUGGEDCOM APE 1404 Linux: All versions prior to Debian 9 Linux Image 2019-12-13 (only affected by CVE-2019-11479)
- RUGGEDCOM RM1224: All versions prior to 6.2
- RUGGEDCOM RX 1400 VPE Debian Linux: All versions prior to Debian 9 Linux Image 2019-12-13 (only affected by CVE-2019-11479)
- RUGGEDCOM RX 1400 VPE Linux CloudConnect: All versions prior to Debian 9 Linux Image 2019-12-13 13 (only affected by CVE-2019-11479)
- SCALANCE M800 / S615: All versions prior to 6.2
- SCALANCE M875: All versions
- SCALANCE SC-600: All versions prior to 2.0.1
- SCALANCE W1700: All versions prior to 2.0
- SCALANCE W-700 (IEEE 802.11n): All versions prior to 6.4
- SCALANCE WLC711: All versions
- SCALANCE WLC712: All versions
- SIMATIC CM 1542-1: All versions
- SIMATIC ITC1500: All versions
- SIMATIC ITC1500 PRO: All versions
- SIMATIC ITC1900: All versions
- SIMATIC ITC1900 PRO: All versions
- SIMATIC ITC2200: All versions
- SIMATIC ITC2200 PRO: All versions
- SIMATIC MV500: All versions
- SIMATIC NET CP 1242-7: All versions prior to 3.2
- SIMATIC NET CP 1243-1 (incl. SIPLUS NET variants): All versions prior to 3.2
- SIMATIC NET CP 1243-7 LTE EU: All versions prior to 3.2
- SIMATIC NET CP 1243-7 LTE US: All versions prior to 3.2
- SIMATIC NET CP 1243-8 IRC: All versions prior to 3.2
- SIMATIC NET CP 1542SP-1: All versions prior to 2.1
- SIMATIC NET CP 1542SP-1 IRC (incl. SIPLUS NET variants): All versions prior to 2.1
- SIMATIC NET CP 1543-1 (incl. SIPLUS NET variants): All versions prior to 2.2
- SIMATIC NET CP 1543SP-1 (incl. SIPLUS NET variants): All versions prior to 2.1
- SIMATIC NET CP 1623: All versions: All versions (only affected by CVE-2019-8460)
- SIMATIC NET CP 1628: All versions: All versions (only affected by CVE-2019-8460)
- SIMATIC NET CP 343-1 Advanced (incl. SIPLUS NET variants): All versions (only affected by CVE-2019-8460)
- SIMATIC NET CP 442-1 RNA: All versions (only affected by CVE-2019-8460)
- SIMATIC NET CP 443-1 (incl. SIPLUS NET variants): All versions (only affected by CVE-2019-8460)
- SIMATIC NET CP 443-1 Advanced (incl. SIPLUS NET variants): All versions (only affected by CVE-2019-8460)
- SIMATIC NET CP 443-1 OPC UA: All versions (only affected by CVE-2019-8460)
- SIMATIC NET CP 443-1 RNA: All versions (only affected by CVE-2019-8460)
- SIMATIC RF185C: All versions prior to 1.3
- SIMATIC RF186C: All versions prior to 1.3
- SIMATIC RF186CI: All versions prior to 1.3
- SIMATIC RF188C: All versions prior to 1.3
- SIMATIC RF188CI: All versions prior to 1.3
- SIMATIC RF600R: All versions
- SIMATIC S7-1500 CPU 1518-4 PN/DP MFP (incl. SIPLUS variant): All versions
- SIMATIC Teleserver Adapter IE Advanced: All versions
- SIMATIC Teleserver Adapter IE Basic: All versions
- SINEMA Remote Connect Server: All versions prior to 2.1
- SINUMERIK 808D: All versions prior to 4.92
- SINUMERIK 828D: All versions prior to 4.8 SP5
- SINUMERIK 840D sl: All versions prior to 4.8 SP5
- TIM 1531 IRC (incl. SIPLUS NET variants): All versions prior to 2.1
The risk of exploitation is real, so web application penetration testing specialists recommend users of vulnerable deployments to protect access with appropriate measures. In addition, Siemens recommends that users set the recommended measures in user manuals.