Full Report
Exploitation of vulnerabilities in Siemens SINUMERIK controllers could allow remote code execution, privilege escalation and device denial-of-service conditions
Analysis Summary
Based on the Siemens Security Advisory (SSA-330423) regarding the vulnerabilities in SINUMERIK controllers referenced in the Kaspersky ICS CERT report, here is the summarized technical breakdown.
# Vulnerability: Multiple Flaws in Siemens SINUMERIK Controllers
## CVE Details
* **CVE ID:** CVE-2018-13808 (Main RCE), CVE-2018-13810, CVE-2018-13811, CVE-2018-13812, CVE-2018-13813
* **CVSS Score:** 9.8 (Critical) - *Score for CVE-2018-13808*
* **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-20 (Improper Input Validation)
## Affected Systems
* **Products:** SINUMERIK 808D, 828D, and 840D sl
* **Versions:**
  * SINUMERIK 808D: All versions < V4.8 SP4
  * SINUMERIK 828D: All versions < V4.8 SP3
  * SINUMERIK 840D sl: All versions < V4.8 SP3
* **Configurations:** Systems with the integrated Profinet interface or HMIs connected to Ethernet-based factory networks.
## Vulnerability Description
The primary vulnerability (CVE-2018-13808) exists in the way SINUMERIK controllers handle specially crafted packets sent to the integrated HMI service. A buffer overflow condition allows an attacker to overwrite memory, potentially leading to arbitrary code execution. Additional vulnerabilities in the suite include flaws in project-data handling and resource management, which can lead to privilege escalation and permanent denial of service (DoS), where the hardware requires a manual reset or re-imaging to recover.
## Exploitation
* **Status:** Not widely exploited in the wild at time of reporting; PoC developed by researchers.
* **Complexity:** Low
* **Attack Vector:** Network (Remote)
## Impact
* **Confidentiality:** High (Full access to machine configurations and logic)
* **Integrity:** High (Unauthorized modification of CNC programs and parameters)
* **Availability:** High (Device crash, production stoppage, or bricking)
## Remediation
### Patches
Siemens released the following firmware updates to address these issues:
* **SINUMERIK 808D:** Update to V4.8 SP4 or later.
* **SINUMERIK 828D:** Update to V4.8 SP3 or later.
* **SINUMERIK 840D sl:** Update to V4.8 SP3 or later.
### Workarounds
* **Network Segmentation:** Isolate the CNC controllers from the general enterprise network (IT) using firewalls.
* **Access Control:** Restrict access to Port 102 (ISO-TSAP) and other proprietary HMI ports to known engineering workstations only.
* **Disable Services:** Disable any unnecessary network services on the HMI and NCU through the system settings.
## Detection
* **Indicators of Compromise:** Unexpected system reboots, loss of communication with the PLC/NC interface, and presence of anomalous traffic on port 102 or port 5900 (VNC).
* **Detection Methods:** Use ICS-aware Deep Packet Inspection (DPI) to monitor for malformed S7-protocol packets or over-sized payloads directed at the controller's IP.
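The two defensive controls above, the port-102/5900 access restriction from the Workarounds section and the DPI check for malformed or over-sized S7 frames, can be prototyped offline before a DPI product is tuned. The following script is an added example and is not code from Siemens, Kaspersky ICS CERT or the advisory. It assumes a site-specific engineering-workstation subnet (`ENGINEERING_HOSTS`), an assumed ceiling on S7 PDU size (`MAX_S7_PDU`, set to the classic 960-byte negotiated size), and constructed sample frames; it parses only the public TPKT/COTP/S7comm framing used on ISO-TSAP port 102 and flags flows whose declared lengths do not match what was actually carried.

```python
"""Added example: allowlist check for HMI ports plus a TPKT/COTP/S7comm
sanity parser for port 102. Policy values and sample traffic are assumptions
constructed for this example, not values from the advisory."""
import struct
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed site policy: the engineering-workstation subnet permitted to reach
# the controller, the HMI ports worth watching (named in the advisory), and
# the largest S7 PDU the site expects (960 bytes is the classic negotiated size).
ENGINEERING_HOSTS = [ip_network("10.10.5.0/28")]
MONITORED_PORTS = {102: "ISO-TSAP", 5900: "VNC"}
MAX_S7_PDU = 960
MAX_FRAME = MAX_S7_PDU + 7  # TPKT header (4) + minimal COTP DT header (3)


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes = b""


def check_access(flow):
    """Return a finding when a monitored HMI port is reached from a host
    outside the engineering-workstation allowlist, else None."""
    if flow.dport not in MONITORED_PORTS:
        return None
    src = ip_address(flow.src)
    if any(src in net for net in ENGINEERING_HOSTS):
        return None
    return (f"{flow.src} -> {flow.dst}:{flow.dport} "
            f"({MONITORED_PORTS[flow.dport]}) from non-engineering host")


def check_s7_frame(payload):
    """Validate TPKT -> COTP -> S7comm framing and return a list of anomalies.
    TPKT: version(1) reserved(1) length(2, big-endian, includes header).
    COTP: length-indicator(1) pdu-type(1) ...; only DT (0xF0) carries S7comm.
    S7comm header: 0x32 rosctr(1) reserved(2) pdu-ref(2) param-len(2)
    data-len(2), plus 2 error bytes when rosctr is ack-data (0x03)."""
    findings = []
    if len(payload) < 4:
        return ["truncated TPKT header"]
    if len(payload) > MAX_FRAME:
        findings.append(f"frame of {len(payload)} bytes exceeds MAX_FRAME {MAX_FRAME}")
    version, _reserved, tpkt_len = struct.unpack("!BBH", payload[:4])
    if version != 3:
        findings.append(f"unexpected TPKT version {version}")
    if tpkt_len != len(payload):
        findings.append(f"TPKT length {tpkt_len} != actual {len(payload)}")
    cotp = payload[4:]
    if len(cotp) < 2:
        return findings + ["truncated COTP header"]
    li, pdu_type = cotp[0], cotp[1]
    if li + 1 > len(cotp):
        return findings + [f"COTP length indicator {li} overruns frame"]
    if pdu_type != 0xF0:  # connection setup etc. carry no S7comm PDU
        return findings
    s7 = cotp[li + 1:]
    if len(s7) < 10:
        return findings + ["truncated S7comm header"]
    proto, rosctr, _res, _ref, param_len, data_len = struct.unpack("!BBHHHH", s7[:10])
    if proto != 0x32:
        findings.append(f"unexpected S7comm protocol id 0x{proto:02x}")
    hdr = 12 if rosctr == 0x03 else 10
    declared = hdr + param_len + data_len
    if declared > MAX_S7_PDU:
        findings.append(f"declared PDU size {declared} exceeds MAX_S7_PDU {MAX_S7_PDU}")
    if declared != len(s7):
        findings.append(f"S7 header declares {param_len}+{data_len} bytes "
                        f"but {len(s7) - hdr} present")
    return findings


def analyse(flows):
    """Run both checks over a list of Flow records; return finding strings."""
    findings = []
    for f in flows:
        hit = check_access(f)
        if hit:
            findings.append(hit)
        if f.dport == 102 and f.payload:
            for anomaly in check_s7_frame(f.payload):
                findings.append(f"{f.src} -> {f.dst}:102 {anomaly}")
    return findings


# Constructed sample traffic: a well-formed S7 "setup communication" request
# (25 bytes, matching TPKT length 0x0019) and a copy whose S7 header claims
# 0x0800 data bytes that the frame does not carry.
GOOD_SETUP = bytes.fromhex("03000019" "02f080" "32010000000000080000" "f0000001000101e0")
BAD_SETUP = bytes.fromhex("03000019" "02f080" "32010000000000080800" "f0000001000101e0")

SAMPLE_FLOWS = [
    Flow("10.10.5.3", "10.10.7.20", 102, GOOD_SETUP),   # engineering host, clean frame
    Flow("10.10.9.44", "10.10.7.20", 5900),             # office host touching VNC
    Flow("10.10.9.44", "10.10.7.20", 102, BAD_SETUP),   # office host, malformed S7
]

if __name__ == "__main__":
    for line in analyse(SAMPLE_FLOWS):
        print("ALERT:", line)
```

Run as-is it prints four alerts: one for the VNC probe, and for the malformed flow one access alert plus two framing alerts (declared size above the assumed ceiling, and declared length not matching the bytes present). In production the `Flow` records would be fed from a packet capture or a flow collector, and `ENGINEERING_HOSTS` would mirror the firewall allowlist so that a hit here also indicates a segmentation rule that is not being enforced.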
## References
* Siemens Security Advisory SSA-330423: hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-330423[.]pdf
* Kaspersky ICS CERT: hxxps[://]ics-cert[.]kaspersky[.]com/publications/reports/2018/12/14/critical-vulnerabilities-in-siemens-sinumerik-controllers/