Full Report
The products listed below contain a vulnerability that could allow remote attackers to affect the availability of the devices under certain conditions. The underlying TCP stack can be forced to make very computationally expensive calls for every incoming packet, which can lead to a Denial-of-Service. Siemens has released updates for several affected products and recommends updating to the latest versions. For products where updates are not available, or not yet available, Siemens recommends specific countermeasures.
Analysis Summary
# Vulnerability: SegmentSmack in VxWorks-based Industrial Devices
## CVE Details
- **CVE ID:** CVE-2019-19301
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-400: Uncontrolled Resource Consumption
## Affected Systems
- **Products:** Various Siemens SCALANCE and SIMATIC networking/communication modules.
- **Versions:**
  - SCALANCE X200-4P IRT, X201-3P IRT (PRO), X202-2P IRT (PRO): Versions < V5.5.0
  - SCALANCE X204-2 (FM, LD, TS): Versions < V5.2.5
  - SIMATIC CP 442-1 RNA, CP 443-1 RNA: Versions < V1.5.18
  - SIMATIC CP 443-1 (Standard & Advanced): Affected (check specific update links)
  - SIMATIC CP 343-1 Advanced: Affected
- **Configurations:** Devices utilizing the VxWorks-based Profinet TCP stack.
## Vulnerability Description
This vulnerability, colloquially known as **SegmentSmack**, resides in the TCP stack of the VxWorks operating system used by several Siemens industrial products. A remote attacker can send specially crafted TCP packets that force the stack to perform extremely computationally expensive calls for every incoming packet. This occurs during the processing of TCP segments, leading to CPU exhaustion.
## Exploitation
- **Status:** Proof of Concept (PoC) available.
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Denial-of-Service condition through resource exhaustion).
## Remediation
### Patches
Siemens has released several firmware updates to address this flaw:
- **SCALANCE X-200IRT family:** Update to V5.5.0 or later.
- **SCALANCE X-200 family:** Update to V5.2.5 or later.
- **SCALANCE X-300 family (incl. X408):** Update to latest available firmware.
- **SIMATIC CP 442-1 / 443-1 RNA:** Update to V1.5.18 or later.
- **SIMATIC CP 443-1 (Standard & Advanced):** Update to V3.3.7 or later.
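The fixed versions above only help if they are compared against what is actually deployed. The following script is an added example (not Siemens tooling) that checks a device inventory against the minimum fixed firmware per product family listed in this advisory. The family names, hostnames and installed versions in the inventory are constructed for illustration; mapping a concrete model (for example an X204-2 LD) to its family is assumed to be done by the operator. Families for which the advisory gives no fixed version number (SCALANCE X-300, CP 343-1 Advanced) are flagged for manual review rather than silently treated as patched.

```python
"""Compare an asset inventory against the fixed firmware versions named in
the advisory for CVE-2019-19301. Added example; not a Siemens tool."""
import re

# Minimum fixed firmware per product family, taken from the advisory text.
# None means the advisory names no fixed version for that family ("update to
# latest available firmware" or just "Affected"), so manual review is needed.
FIXED_VERSIONS = {
    "SCALANCE X-200IRT": "V5.5.0",
    "SCALANCE X-200": "V5.2.5",
    "SCALANCE X-300": None,
    "SIMATIC CP 442-1 RNA": "V1.5.18",
    "SIMATIC CP 443-1 RNA": "V1.5.18",
    "SIMATIC CP 443-1": "V3.3.7",
    "SIMATIC CP 343-1 Advanced": None,
}


def parse_version(text):
    """Turn 'V5.2.4', 'v5.2.4' or '5.2.4' into a tuple of ints so that
    versions compare numerically (V5.10.0 > V5.9.0, unlike a string compare)."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in m.groups())


def assess(family, firmware):
    """Classify one device: 'patched', 'vulnerable', 'review' (affected but no
    fixed version given in the advisory) or 'unknown' (family not listed)."""
    if family not in FIXED_VERSIONS:
        return "unknown"
    fixed = FIXED_VERSIONS[family]
    if fixed is None:
        return "review"
    return "patched" if parse_version(firmware) >= parse_version(fixed) else "vulnerable"


# Constructed sample inventory: (hostname, product family, installed firmware).
INVENTORY = [
    ("sw-cell01", "SCALANCE X-200IRT", "V5.4.9"),
    ("sw-cell02", "SCALANCE X-200", "V5.2.5"),
    ("sw-ring01", "SCALANCE X-300", "V4.1.3"),
    ("cp-rna01", "SIMATIC CP 443-1 RNA", "V1.5.17"),
    ("cp-std01", "SIMATIC CP 443-1", "v3.3.7"),
    ("cp-old01", "SIMATIC CP 343-1 Advanced", "V3.0.44"),
    ("plc-misc", "SIMATIC S7-1500", "V2.8.1"),
]


def report(inventory=INVENTORY):
    """Return {hostname: status} for every device in the inventory."""
    return {host: assess(family, fw) for host, family, fw in inventory}


if __name__ == "__main__":
    for host, status in sorted(report().items()):
        print(f"{host:10s} {status}")
```

Devices reported as `vulnerable` need the firmware update; `review` entries need a manual check against the current advisory because the page gives no version threshold for them.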
### Workarounds
For products where updates are not yet available or cannot be applied:
- Restrict network access to affected devices to trusted users/networks only.
- Use firewalls or VPCs to isolate industrial networks from the internet.
- Disable unnecessary TCP services on the devices.
## Detection
- **Indicators of Compromise:** Unusual spikes in CPU utilization on networking hardware; loss of device responsiveness; intermittent network timeouts without physical layer issues.
- **Detection methods and tools:** Network Intrusion Detection Systems (IDS) can be configured to alert on anomalous TCP segment sequences. Monitor SNMP traps for high CPU load alerts.
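The CPU-utilization and responsiveness indicators above can be turned into a simple alerting rule over whatever poll data the monitoring system already collects (SNMP CPU readings, for instance). The script below is an added example, not part of the advisory or any Siemens product: it raises an alert only when a device stays at or above a CPU threshold for several consecutive polls, or stops answering polls, so that a single legitimate burst does not trigger it. The poll samples are constructed; the interval, threshold and run length are assumptions to be tuned per environment.

```python
"""Flag sustained CPU exhaustion or loss of responsiveness on network devices
from periodic poll samples. Added example with constructed data."""
from collections import defaultdict

# Constructed poll log: (timestamp_seconds, device, cpu_percent).
# cpu_percent of None records a poll that timed out (device unresponsive).
SAMPLES = [
    (0, "sw-cell01", 12), (60, "sw-cell01", 15), (120, "sw-cell01", 97),
    (180, "sw-cell01", 99), (240, "sw-cell01", 98), (300, "sw-cell01", None),
    (0, "sw-cell02", 20), (60, "sw-cell02", 95), (120, "sw-cell02", 18),
    (180, "sw-cell02", 22), (240, "sw-cell02", 21), (300, "sw-cell02", 19),
]


def find_exhaustion(samples, threshold=90, min_consecutive=3):
    """Return {device: start_timestamp} for each device whose CPU reading was
    at or above `threshold` (or whose poll timed out) for `min_consecutive`
    consecutive polls. The timestamp is the first poll of that run, which is
    the earliest point an analyst should look at in packet captures."""
    by_device = defaultdict(list)
    for ts, dev, cpu in sorted(samples, key=lambda s: (s[1], s[0])):
        by_device[dev].append((ts, cpu))

    alerts = {}
    for dev, series in by_device.items():
        run_start, run_len = None, 0
        for ts, cpu in series:
            # A timed-out poll is treated like a high reading: a device that
            # stops answering is exactly the availability loss described above.
            if cpu is None or cpu >= threshold:
                if run_len == 0:
                    run_start = ts
                run_len += 1
                if run_len >= min_consecutive and dev not in alerts:
                    alerts[dev] = run_start
            else:
                run_start, run_len = None, 0
    return alerts


if __name__ == "__main__":
    for dev, ts in find_exhaustion(SAMPLES).items():
        print(f"{dev}: sustained high CPU / unresponsive since t={ts}s")
```

With the constructed data, `sw-cell01` is flagged from t=120s (three high readings followed by a timeout) while `sw-cell02` is ignored because its single reading of 95% is followed by a return to baseline. Lowering `min_consecutive` to 1 reproduces the noisier single-spike behaviour, which is usually not what an operator wants on a plant network.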
## References
- Siemens Security Advisory SSA-102233: hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-102233[.]pdf
- Siemens ProductCERT: hxxps://www[.]siemens[.]com/cert/advisories
- MITRE CWE-400: hxxps://cwe[.]mitre[.]org/data/definitions/400[.]html