Siemens Industrial Products with OPC UA Uncaught Exception (CVE-2019-6575)

high Tenable OT Security Plugin ID 500070

Synopsis

The remote OT asset is affected by a vulnerability.

Description

A vulnerability has been identified in SIMATIC CP 443-1 OPC UA (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl.
SIPLUS variants) (All versions < V2.7), SIMATIC HMI Comfort Outdoor Panels 7 & 15 (incl. SIPLUS variants) (All versions < V15.1 Upd 4), SIMATIC HMI Comfort Panels 4 - 22 (incl. SIPLUS variants) (All versions < V15.1 Upd 4), SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F (All versions < V15.1 Upd 4), SIMATIC IPC DiagMonitor (All versions < V5.1.3), SIMATIC NET PC Software V13 (All versions), SIMATIC NET PC Software V14 (All versions < V14 SP1 Update 14), SIMATIC NET PC Software V15 (All versions), SIMATIC RF188C (All versions < V1.1.0), SIMATIC RF600R family (All versions < V3.2.1), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions >= V2.5 < V2.6.1), SIMATIC S7-1500 Software Controller (All versions between V2.5 (including) and V2.7 (excluding)), SIMATIC WinCC OA (All versions < V3.15 P018), SIMATIC WinCC Runtime Advanced (All versions < V15.1 Upd 4), SINEC NMS (All versions < V1.0 SP1), SINEMA Server (All versions < V14 SP2), SINUMERIK OPC UA Server (All versions < V2.1), TeleControl Server Basic (All versions < V3.1.1). Specially crafted network packets sent to affected devices on port 4840/tcp could allow an unauthenticated remote attacker to cause a denial of service condition of the OPC communication or crash the device. The security vulnerability could be exploited by an attacker with network access to the affected systems.
Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise availability of the OPC communication.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Siemens currently has updates for the following products:

SIMATIC ET 200 Open Controller CPU 1515SP PC2: Update to v2.7

- SIMATIC HMI Comfort Outdoor Panels 7" & 15" (including SIPLUS variants): Update to v15.1 Upd 4
- SIMATIC HMI Comfort Panels 4" 22" (including SIPLUS variants): Update to v15.1 Upd 4
- SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900, KTP900F (including SIPLUS variants): Update to v15.1 Upd 4
- SIMATIC IPC DiagMonitor: Update to v5.1.3
- SIMATIC NET PC Software v14: Update to v14 SP1 Update 14 or later version
- SIMATIC RF188C: Update to v1.1.0
- SIMATIC RF600R: Update to v3.2.1
- SIMATIC S7-1500 CPU Family (including related ET200 CPUs and SIPLUS variants): Update to v2.6.1
- SIMATIC S7-1500 Software Controller: Update to v2.7
- SIMATIC WinCC OA: Update to v3.15-P018 (logon required)
- SIMATIC WinCC Runtime Advanced: Update to v15.1 Upd 4
- SINEC-NMS: Update to v1.0 SP1
- SINEMA Server: Update to v14 SP2
- SINUMERIK OPC UA Server: Update to v2.1 or newer

- TeleControl Server Basic: Update to V3.1.1 or later version

For the balance of the listed products, Siemens is preparing further updates and recommends users apply the following specific workarounds and mitigations to reduce risk until patches are available:

- Deactivate the OPC UA Service if supported by the product.
- Apply cell protection concept.
- Use VPN for protecting network communication between cells.
- Apply Defense-in-Depth.

Siemens recommends users configure their environment according to Siemens’ operational guidelines for Industrial Security (Download) and follow the recommendations in the product manuals.

Additional information on industrial security by Siemens can be found at: https://www.siemens.com/industrialsecurity

For more information on the vulnerability and more detailed mitigation instructions, please see Siemens Security Advisory SSA-307392

See Also

https://cert-portal.siemens.com/productcert/pdf/ssa-307392.pdf

https://www.cisa.gov/news-events/ics-advisories/icsa-19-099-03

Plugin Details

Severity: High

ID: 500070

Version: 1.10

Type: remote

Family: Tenable.ot

Published: 2/7/2022

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2019-6575

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:siemens:simatic_s7-1500t_firmware, cpe:/o:siemens:simatic_s7-1500f_firmware, cpe:/o:siemens:simatic_s7-1500s_firmware, cpe:/o:siemens:simatic_s7-1500_firmware, cpe:/o:siemens:simatic_et_200_open_controller_cpu_1515sp_pc2_firmware, cpe:/o:siemens:simatic_cp443-1_opc_ua_firmware

Required KB Items: Tenable.ot/Siemens

Exploit Ease: No known exploits are available

Patch Publication Date: 4/17/2019

Vulnerability Publication Date: 4/17/2019

Reference Information

CVE: CVE-2019-6575

CWE: 248

ICSA: 19-099-03