Full Report
A vulnerability in the underlying third-party component OPC UA ANSI C Stack (also called Legacy C-Stack) affects several industrial products. The vulnerability can crash the component that includes the vulnerable part of the stack, and with it the product process hosting that component. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Denial of Service in OPC-UA Legacy C-Stack (Siemens Industrial Products)
## CVE Details
- **CVE ID:** CVE-2021-45117
- **CVSS Score:** 6.5 (Medium)
- **CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
- **CWE:** CWE-476: NULL Pointer Dereference
## Affected Systems
- **SIMATIC HMI Comfort Panels (including Outdoor & SIPLUS variants):** All versions < V17 Update 5
- **SIMATIC HMI KTP Mobile Panels (KTP400F, KTP700/F, KTP900/F):** All versions < V17 Update 5
- **SIMATIC NET PC Software V14:** All versions < V14 SP1 Update 14
- **SIMATIC NET PC Software V15:** All versions (Note: No fix planned)
- **SIMATIC NET PC Software V16:** All versions < V16 Update 6
- **SIMATIC NET PC Software V17:** All versions < V17 SP1
- **SITOP Manager:** All versions < V1.2.4
- **TeleControl Server Basic V3:** All versions < V3.1.1
## Vulnerability Description
The vulnerability exists in the third-party **OPC UA ANSI C Stack (Legacy C-Stack)**. Specifically, the flaw is located in the generated code of the OPC Foundation C-Stack. When an unexpected OPC UA Response message status code is accessed via the synchronous Client API, the component performs a **NULL pointer dereference**.
The flaw sits in the client-side code path, so it primarily affects OPC UA clients. Servers are affected too whenever they act as a client, for example through functions such as `OpcUa_ClientApi_RegisterServer` when registering at a Local Discovery Server (LDS): the registration reply from the LDS is processed by the same synchronous client API.
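The defect pattern described above, shown as an added example in C (not code from the OPC Foundation C-Stack or from Siemens). `Response`, `invoke_sync`, `make_reply` and the `read_status_*` functions are invented models of a synchronous client call and its response dispatch; only the encoding type ids (634 = ReadResponse, 397 = ServiceFault) and the status-code values are real OPC UA constants. The vulnerable function reads the status code of a response that may not exist; the hardened one turns the missing response into a Bad status the caller can handle.

```c
#include <stddef.h>
#include <stdint.h>

/* Illustrative model of a synchronous OPC UA client call and its response
 * dispatch. The names here are invented for this example and are NOT the
 * OPC Foundation C-Stack's API; only the type ids and status codes are real
 * OPC UA constants. */
typedef uint32_t StatusCode;

#define STATUS_GOOD                 0x00000000u
#define STATUS_BAD_UNEXPECTED_ERROR 0x80010000u   /* Bad_UnexpectedError */
#define STATUS_SEVERITY_BAD(sc)     (((sc) & 0xC0000000u) == 0x80000000u)

#define TYPEID_READ_RESPONSE 634u   /* ReadResponse_Encoding_DefaultBinary */
#define TYPEID_SERVICE_FAULT 397u   /* ServiceFault_Encoding_DefaultBinary */

typedef struct {
    uint32_t   type_id;         /* encoding NodeId of the decoded body */
    StatusCode service_result;  /* ResponseHeader.ServiceResult */
} Response;

Response make_reply(uint32_t type_id, StatusCode service_result) {
    Response r = { type_id, service_result };
    return r;
}

/* Simulated transport: the server's reply is passed in directly. The generated
 * dispatch code hands back a body only when its type matches what the caller
 * asked for; a ServiceFault, a foreign type, or a decode failure yields NULL. */
static const Response *invoke_sync(const Response *reply, uint32_t expected_type) {
    if (reply == NULL || reply->type_id != expected_type)
        return NULL;
    return reply;
}

/* The CWE-476 pattern: the status code is read from the response before
 * checking that a response of the expected type exists at all. A server that
 * answers a Read with a ServiceFault drives resp to NULL and crashes the
 * process. (Calling this with a fault or NULL reply will segfault.) */
StatusCode read_status_vulnerable(const Response *reply) {
    const Response *resp = invoke_sync(reply, TYPEID_READ_RESPONSE);
    return resp->service_result;
}

/* Hardened form: a missing or unexpected response becomes a Bad status that
 * the caller can handle, never a dereference. If the server did send a
 * ServiceFault with a Bad status, surface that status instead. */
StatusCode read_status_hardened(const Response *reply) {
    const Response *resp = invoke_sync(reply, TYPEID_READ_RESPONSE);
    if (resp == NULL) {
        if (reply != NULL && reply->type_id == TYPEID_SERVICE_FAULT &&
            STATUS_SEVERITY_BAD(reply->service_result))
            return reply->service_result;
        return STATUS_BAD_UNEXPECTED_ERROR;
    }
    return resp->service_result;
}
```

The hardened variant is the shape a reviewer should look for in any synchronous client wrapper: every path that can hand back a NULL body must map to a Bad status code before anything in the response is touched, including the status code itself.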
## Exploitation
- **Status:** Siemens rates the temporal Exploit Code Maturity as Proof-of-Concept (E:P in the advisory's full CVSS vector; the base vector above omits the temporal metrics). No public exploit steps are given in the advisory.
- **Complexity:** Low.
- **Attack Vector:** Network.
- **Requirements:** User interaction is required (UI:R), such as a client connecting to a malicious server, or a Man-in-the-Middle (MitM) attacker intercepting a response.
## Impact
- **Confidentiality:** None.
- **Integrity:** None.
- **Availability:** High (The component/application will crash, resulting in a Denial of Service).
## Remediation
### Patches
Siemens recommends updating to the following versions:
- **SIMATIC HMI Panels:** Update TIA Portal to V17 Update 5 or newer; then update panel to V17 Update 5.
- **SIMATIC NET PC Software V14:** Update to V14 SP1 Update 14.
- **SIMATIC NET PC Software V16:** Update to V16 Update 6.
- **SIMATIC NET PC Software V17:** Update to V17 SP1.
- **SITOP Manager:** Update to V1.2.4.
- **TeleControl Server Basic V3:** Update to V3.1.1.
### Workarounds
- **Trusted Connections:** Do not use the OPC client feature to connect via untrusted networks or to untrusted OPC-UA communication partners.
- **Network Segmentation:** Use VPNs to protect network communication between cells.
- **General Defense:** Apply Defense-in-Depth strategies as per Siemens general security recommendations.
## Detection
- **Symptoms:** Unexpected crashes of the affected product's process that hosts the OPC UA client stack, shortly after it connects to an external OPC UA server or registers with a Local Discovery Server. A NULL pointer dereference surfaces as an access violation (Windows) or segmentation fault (Linux) of that process, not as an entry in the stack's own log, so collect host crash records (Windows Application Error events, crash dumps) and correlate them with the OPC UA connection timeline.
- **Detection Methods:** On OPC UA traffic that can be read in plaintext (SecurityPolicy None, or captures decrypted with the session keys), inspect response messages for ServiceFault bodies and for ServiceResult status codes of Bad or Uncertain severity delivered to a client that had no reason to expect them, and alert with priority when the sending server lies outside the trusted cell. Chunks that fail to parse at all are worth flagging as well, since a malformed response is the other way to reach the unexpected-status path.
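The network-side check above, as an added example in C (not a tool from Siemens or the OPC Foundation): it decodes the body TypeId and `ResponseHeader.ServiceResult` from an OPC UA binary `MSG` chunk and flags ServiceFaults, non-Good results and unparseable chunks. The two sample chunks are constructed for this example, not captured traffic; the wire layout (message header, symmetric security header, sequence header, TypeId NodeId, then Timestamp, RequestHandle and ServiceResult) is the standard OPC UA binary encoding. The parser assumes the chunk is plaintext, which is the case for SecurityPolicy None or after decryption.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample chunks (not captured traffic): a ServiceFault carrying
 * Bad_ServiceUnsupported, and a ReadResponse with an empty result set. */
static const uint8_t SAMPLE_SERVICE_FAULT[] = {
    'M','S','G','F',  0x34,0x00,0x00,0x00,      /* MessageType, IsFinal, MessageSize = 52 */
    0x01,0x00,0x00,0x00,  0x01,0x00,0x00,0x00,  /* SecureChannelId, TokenId */
    0x02,0x00,0x00,0x00,  0x02,0x00,0x00,0x00,  /* SequenceNumber, RequestId */
    0x01,0x00,0x8D,0x01,                        /* TypeId: four-byte NodeId ns=0 i=397 (ServiceFault) */
    0,0,0,0,0,0,0,0,                            /* ResponseHeader.Timestamp */
    0x02,0x00,0x00,0x00,                        /* RequestHandle */
    0x00,0x00,0x0B,0x80,                        /* ServiceResult = 0x800B0000 Bad_ServiceUnsupported */
    0x00,                                       /* ServiceDiagnostics: none */
    0xFF,0xFF,0xFF,0xFF,                        /* StringTable: null array */
    0x00,0x00,0x00                              /* AdditionalHeader: null ExtensionObject */
};

static const uint8_t SAMPLE_READ_OK[] = {
    'M','S','G','F',  0x3C,0x00,0x00,0x00,      /* MessageSize = 60 */
    0x01,0x00,0x00,0x00,  0x01,0x00,0x00,0x00,
    0x03,0x00,0x00,0x00,  0x03,0x00,0x00,0x00,
    0x01,0x00,0x7A,0x02,                        /* TypeId: ns=0 i=634 (ReadResponse) */
    0,0,0,0,0,0,0,0,
    0x03,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00,                        /* ServiceResult = Good */
    0x00,
    0xFF,0xFF,0xFF,0xFF,
    0x00,0x00,0x00,
    0xFF,0xFF,0xFF,0xFF,                        /* Results: null array */
    0xFF,0xFF,0xFF,0xFF                         /* DiagnosticInfos: null array */
};

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Pull the body TypeId and ResponseHeader.ServiceResult out of a plaintext MSG
 * chunk: message header (8) + symmetric security header (8) + sequence header
 * (8), then TypeId NodeId, Timestamp (8), RequestHandle (4), ServiceResult (4).
 * Returns 0 on success, -1 if the chunk is not a well-formed start of a response. */
int opcua_response_status(const uint8_t *buf, size_t len, uint32_t *type_id, uint32_t *status) {
    uint32_t msg_size;
    size_t off = 24;
    if (len < 24 || memcmp(buf, "MSG", 3) != 0) return -1;
    if (buf[3] != 'F' && buf[3] != 'C') return -1;   /* final chunk, or first of a multi-chunk message */
    msg_size = le32(buf + 4);
    if (msg_size < 24 || msg_size > len) return -1;   /* truncated or inconsistent size field */
    switch (buf[off]) {                               /* NodeId encoding byte */
    case 0x00: if (len < off + 2) return -1; *type_id = buf[off + 1]; off += 2; break;
    case 0x01: if (len < off + 4) return -1;
               *type_id = (uint32_t)buf[off + 2] | ((uint32_t)buf[off + 3] << 8); off += 4; break;
    case 0x02: if (len < off + 7) return -1; *type_id = le32(buf + off + 3); off += 7; break;
    default:   return -1;   /* standard response types never use string/GUID/opaque ids */
    }
    if (len < off + 16) return -1;        /* Timestamp + RequestHandle + ServiceResult */
    *status = le32(buf + off + 12);
    return 0;
}

/* OPC UA StatusCode severity lives in the top two bits. */
const char *opcua_severity(uint32_t status) {
    switch (status >> 30) {
    case 0:  return "Good";
    case 1:  return "Uncertain";
    case 2:  return "Bad";
    default: return "Reserved";
    }
}

/* Detection rule: a ServiceFault body, any non-Good ServiceResult, or a chunk
 * that does not parse at all. Returns 1 when suspicious, 0 otherwise. */
int opcua_response_suspicious(const uint8_t *buf, size_t len) {
    uint32_t type_id, status;
    if (opcua_response_status(buf, len, &type_id, &status) != 0) return 1;
    return (type_id == 397u || (status >> 30) != 0) ? 1 : 0;
}
```

Expect some noise: a Bad ServiceResult is legitimate on timeouts, expired sessions or unsupported services, so pair each hit with the server's address and the client's connection history, and treat a hit followed by a crash of the client process as the signal worth escalating.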
## References
- **Siemens Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-285795[.]pdf
- **Siemens Support Links:**
- hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109746530/
- hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109807351/
- hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109811815/
- hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109808270/
- hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109760607/
- hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109812231/