Full Report
A vulnerability made public under the name SAD DNS affects Domain Name System (DNS) resolvers because of a flaw in the Linux kernel's handling of ICMP packets. The affected Siemens products are listed below. For more information please see https://www.saddns.net/. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: SAD DNS (Side-channel Attacked DNS) in Siemens Linux-Based Products
## CVE Details
- **CVE ID:** CVE-2020-25705
- **CVSS Score:** 7.4 (High)
- **Vector:** CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C
- **CWE:** CWE-330: Use of Insufficiently Random Values
## Affected Systems
- **Products:**
  - RUGGEDCOM RM1224
  - SCALANCE M-800, MUM-800, S615, and SC-600 Series
  - SCALANCE W1750D
  - SIMATIC Cloud Connect 7 (CC712, CC716)
  - SIMATIC CP 1242-7 GPRS V2, CP 1243-1, CP 1243-7 LTE, CP 1243-8 IRC
  - SIMATIC CP 1542SP-1, CP 1542SP-1 IRC, CP 1543-1, CP 1543SP-1, CP 1545-1
  - SIMATIC MV500 family (MV540, MV550, MV560)
  - TIM 1531 IRC and SIPLUS TIM 1531 IRC
- **Versions:** Various versions (predominantly those running Linux kernel versions < 5.10).
- **Configurations:** Systems acting as DNS resolvers or relying on UDP source port randomization.
## Vulnerability Description
The "SAD DNS" vulnerability resides in the Linux kernel's handling of ICMP error messages. The kernel's rate-limiting mechanism for ICMP "Destination Unreachable" responses introduces a side channel. By sending spoofed UDP packets and observing the ICMP rate limit behavior, an off-path remote attacker can systematically scan and identify open UDP ports. This allows the attacker to bypass UDP source port randomization, facilitating DNS cache poisoning attacks.
## Exploitation
- **Status:** PoC available; research made public under "SAD DNS."
- **Complexity:** High (requires precise timing and spoofing).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Potential redirection of traffic to malicious servers).
- **Integrity:** High (Ability to poison DNS cache and provide false records).
- **Availability:** None reported.
## Remediation
### Patches
Siemens recommends updating to the following versions or later:
- **SCALANCE SC-600:** V2.2
- **SCALANCE W1750D:** V8.7.1.3
- **SIMATIC CP 1543-1:** V3.0.22
- **SIMATIC CP 1545-1:** V1.1
- **SIMATIC CC712/CC716:** V1.6.1
- **SIMATIC MV500 Family:** V3.1.2
- **TIM 1531 IRC / SIPLUS TIM 1531 IRC:** V2.2 Update 1
- **SIMATIC CP 1243-1 / CP 1243-8 IRC:** V3.3.46
- **SIMATIC CP 1542SP-1 / CP 1543SP-1:** V2.2
### Workarounds
- Use internal name servers located within secure corporate environments.
- Restrict access to CLI and web-based management interfaces to dedicated Layer 2 segments/VLANs.
- Disable outgoing ICMP packets using "service ACLs" to prevent the side-channel leak.
- Enforce strict firewall policies at Layer 3.
## Detection
- **Indicators of Compromise:** Unusual spikes in ICMP "Destination Unreachable" (Type 3) traffic directed toward the device.
- **Detection Methods:** Monitor network traffic for high volumes of spoofed UDP packets combined with ICMP rate-limit probes. Use IDS/IPS signatures targeting SAD DNS patterns.
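The two indicators above (a single source sweeping many UDP destination ports on the resolver, and a burst of ICMP type 3 "Destination Unreachable" messages) can be checked offline against exported packet summaries. The following detector is an added example written for this summary; it is not Siemens code and not part of the saddns.net research. It assumes a constructed tab-separated input of six fields per packet (epoch time, source IP, destination IP, UDP destination port, ICMP type, ICMP code), which is the shape a `tshark -T fields` export could produce; the thresholds and the sample traffic are likewise constructed for illustration.

```python
"""Flag SAD DNS-style probing in exported packet summaries (added example).

Assumed input: one packet per line, six tab-separated fields:
    time_epoch  src_ip  dst_ip  udp_dstport  icmp_type  icmp_code
Fields that do not apply are empty (UDP packets carry no ICMP type, and
ICMP packets carry no UDP port).  Format and thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable, List, Optional

ICMP_DEST_UNREACH = 3  # ICMP type 3; code 3 is "port unreachable"


@dataclass(frozen=True)
class Alert:
    kind: str          # "udp_port_sweep" or "icmp_unreachable_burst"
    src: str
    dst: str
    window: int        # index of the time bucket that triggered the alert
    count: int         # distinct ports seen, or ICMP messages seen


def parse_line(line: str) -> Optional[dict]:
    """Parse one summary line; return None for malformed lines."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 6:
        return None
    ts, src, dst, dport, itype, icode = parts
    return {
        "ts": float(ts),
        "src": src,
        "dst": dst,
        "dport": int(dport) if dport else None,
        "icmp_type": int(itype) if itype else None,
        "icmp_code": int(icode) if icode else None,
    }


def detect(lines: Iterable[str], window: float = 1.0,
           udp_port_threshold: int = 50, icmp_threshold: int = 20) -> List[Alert]:
    """Bucket packets into fixed time windows and raise an alert when
    (a) one source hits at least `udp_port_threshold` distinct UDP ports on
        one destination inside a window (port-scanning pattern), or
    (b) at least `icmp_threshold` ICMP Destination Unreachable messages flow
        between one (src, dst) pair inside a window (rate-limit probing).
    Both directions are kept, so bursts sent to the device and bursts the
    device itself emits in reply to probes are both visible."""
    udp_ports = defaultdict(set)    # (src, dst, bucket) -> set of dst ports
    icmp_counts = defaultdict(int)  # (src, dst, bucket) -> message count
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        bucket = int(rec["ts"] // window)
        if rec["dport"] is not None:
            udp_ports[(rec["src"], rec["dst"], bucket)].add(rec["dport"])
        elif rec["icmp_type"] == ICMP_DEST_UNREACH:
            icmp_counts[(rec["src"], rec["dst"], bucket)] += 1

    alerts: List[Alert] = []
    for (src, dst, b), ports in sorted(udp_ports.items()):
        if len(ports) >= udp_port_threshold:
            alerts.append(Alert("udp_port_sweep", src, dst, b, len(ports)))
    for (src, dst, b), n in sorted(icmp_counts.items()):
        if n >= icmp_threshold:
            alerts.append(Alert("icmp_unreachable_burst", src, dst, b, n))
    return alerts


def sample_lines() -> List[str]:
    """Constructed traffic: benign DNS queries, one port sweep against a
    resolver, and the resolver's burst of ICMP port-unreachable replies."""
    resolver, client, prober = "192.0.2.53", "198.51.100.4", "203.0.113.9"
    lines = [f"{90.0 + i:.3f}\t{client}\t{resolver}\t53\t\t" for i in range(5)]
    # 60 distinct destination ports from one source within one second
    lines += [f"{100.0 + i * 0.01:.3f}\t{prober}\t{resolver}\t{30000 + i}\t\t"
              for i in range(60)]
    # 25 ICMP type 3 / code 3 messages from the resolver back to the prober
    lines += [f"{100.0 + i * 0.02:.3f}\t{resolver}\t{prober}\t\t3\t3"
              for i in range(25)]
    return lines


if __name__ == "__main__":
    for alert in detect(sample_lines()):
        print(alert)
```

Tune `window`, `udp_port_threshold` and `icmp_threshold` to the resolver's normal load before deploying the rule; a recursive resolver legitimately emits some port-unreachable messages, so the burst threshold should sit well above its baseline.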
## References
- **Siemens Advisory:** hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-324955.pdf
- **SAD DNS Research:** hxxps://www.saddns[.]net/
- **Siemens Industrial Security:** hxxps://www.siemens[.]com/industrialsecurity