Full Report
Multiple industrial products are affected by a Linux kernel vulnerability known as TCP SACK PANIC. The vulnerability could allow a remote attacker to cause a denial of service condition. Siemens has released updates for several affected products and recommends updating to the latest versions. For products where updates are not, or not yet, available, Siemens recommends specific countermeasures.
Analysis Summary
# Vulnerability: TCP SACK PANIC in Siemens Industrial Products
## CVE Details
- **CVE ID:** CVE-2019-11477 (Primary), CVE-2019-11478, CVE-2019-11479, CVE-2019-8460
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-400 (Uncontrolled Resource Consumption) / CWE-190 (Integer Overflow)
## Affected Systems
- **Products:**
  - **RUGGEDCOM:** APE1404, RM1224, ROX II, RX1400 (VPE Debian/CloudConnect).
  - **SCALANCE:** M804PB, M812, M816, M826, S602, S612, S615, S623, S627, W1750D.
  - **SIMATIC:** CP 443-1 (Standard/Advanced/RNA), CP 442-1 RNA, CP 343-1 Advanced, CP 1623, CP 1628, CM 1542-1, ITC1500/1900/2200 (PRO), MV500, RF18xC/CI, RF600R, S7-1500 CPU 1518(F)-4 PN/DP MFP.
  - **TIM:** 3V-IE (Standard/Advanced/DNP3), 4R-IE (Standard/DNP3).
- **Versions:** Multiple versions prior to the 2023 updates. For example, RUGGEDCOM ROX II < V2.13.3 and SCALANCE M-800 < V6.2 are affected.
- **Configurations:** Systems running affected Linux kernel versions, specifically kernels whose TCP stack processes Selective Acknowledgment (SACK) options.
## Vulnerability Description
"TCP SACK PANIC" is a flaw in the Linux kernel's handling of TCP Selective Acknowledgment (SACK). An integer overflow can be triggered when the kernel processes a specific sequence of SACK packets on a connection with a low Maximum Segment Size (MSS). The overflow causes a kernel panic (system crash), leading to a Denial of Service (DoS) condition.
## Exploitation
- **Status:** PoC available; widely documented since 2019.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** Total (System crash/Denial of Service)
## Remediation
### Patches
Siemens has released several firmware updates. Key patches include:
- **RUGGEDCOM RM1224 / SCALANCE M-800:** Update to V6.2 or later.
- **RUGGEDCOM ROX II:** Update to V2.13.3 or later.
- **SIMATIC CP 443-1 / Advanced:** Apply updates released in V3.1 (2023).
- **SIMATIC ITC Series:** Apply latest firmware updates (V2.2 or later).
*Note: No fix is planned for SIMATIC NET CP 443-1 (Standard) and certain TIM 3V-IE/4R-IE modules; users should refer to workarounds.*
### Workarounds
- **Disable SACK processing:** Configure the system to ignore SACK (e.g., `sysctl -w net.ipv4.tcp_sack=0`).
- **Filter Traffic:** Use firewalls to block/drop packets with low MSS values that could trigger the overflow.
- **Network Isolation:** Ensure industrial devices are not exposed to untrusted networks or the direct internet.
## Detection
- **Indicators of Compromise:** Sudden, unexplained kernel panics or reboots of industrial controllers and communication modules after receiving specific TCP traffic.
- **Detection methods and tools:** Monitor network traffic for exceptionally small TCP MSS options (e.g., < 500 bytes) combined with a high volume of SACK-bearing segments on the same connection. Use IDS/IPS signatures targeting CVE-2019-11477.
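The detection heuristic above, worked out as an added example (not code from the Siemens advisory or from any IDS product): a small TCP option parser that pulls the MSS, SACK-permitted and SACK-block options out of a raw TCP header, and a per-flow monitor that raises an alert once a flow that advertised an MSS below the 500-byte cut-off starts carrying SACK blocks. The packet bytes, ports and flow identifiers are constructed for the example, and the threshold and the minimum number of SACK-bearing segments are assumptions you would tune for your own network.

```python
"""Flag TCP flows that combine a very small MSS with SACK-bearing segments.

Added example for the TCP SACK PANIC detection heuristic. All sample segments
below are constructed, not captured traffic.
"""
import struct
from dataclasses import dataclass, field
from typing import Optional

MSS_THRESHOLD = 500          # the report's "exceptionally small MSS" cut-off (assumed tunable)
FLAG_SYN, FLAG_ACK = 0x02, 0x10


@dataclass
class TcpOptions:
    mss: Optional[int] = None
    sack_permitted: bool = False
    sack_blocks: list = field(default_factory=list)   # (left_edge, right_edge) pairs


def parse_tcp_options(segment: bytes) -> TcpOptions:
    """Walk the option area of a raw TCP header (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (segment[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(segment):
        raise ValueError("bad data offset")
    opts = TcpOptions()
    buf = segment[20:data_offset]
    i = 0
    while i < len(buf):
        kind = buf[i]
        if kind == 0:                      # End of option list
            break
        if kind == 1:                      # NOP padding
            i += 1
            continue
        if i + 1 >= len(buf):
            raise ValueError("option kind without length byte")
        length = buf[i + 1]
        if length < 2 or i + length > len(buf):
            raise ValueError("malformed option length")
        body = buf[i + 2:i + length]
        if kind == 2 and length == 4:      # Maximum Segment Size (SYN only)
            opts.mss = struct.unpack("!H", body)[0]
        elif kind == 4:                    # SACK permitted (SYN only)
            opts.sack_permitted = True
        elif kind == 5 and len(body) % 8 == 0:   # SACK blocks on later segments
            for j in range(0, len(body), 8):
                opts.sack_blocks.append(struct.unpack("!II", body[j:j + 8]))
        i += length
    return opts


class FlowMonitor:
    """Per-flow state: remember the MSS seen in the SYN, count SACK-bearing segments."""

    def __init__(self, threshold: int = MSS_THRESHOLD, min_sack_segments: int = 1):
        self.threshold = threshold
        self.min_sack_segments = min_sack_segments   # assumed sensitivity knob
        self.flows: dict = {}

    def observe(self, flow_id: str, segment: bytes) -> Optional[str]:
        opts = parse_tcp_options(segment)
        st = self.flows.setdefault(flow_id, {"mss": None, "sack_segments": 0})
        if opts.mss is not None:
            st["mss"] = opts.mss
        if opts.sack_blocks:
            st["sack_segments"] += 1
        if (st["mss"] is not None and st["mss"] < self.threshold
                and st["sack_segments"] >= self.min_sack_segments):
            return (f"{flow_id}: MSS {st['mss']} < {self.threshold} with "
                    f"{st['sack_segments']} SACK-bearing segment(s)")
        return None


def build_tcp_header(src_port: int, dst_port: int, flags: int, options: bytes = b"") -> bytes:
    """Build a constructed TCP header for the samples; seq/ack numbers are zero."""
    options += b"\x00" * (-len(options) % 4)          # pad options to a 32-bit boundary
    data_offset = (20 + len(options)) // 4
    base = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                       data_offset << 4, flags, 65535, 0, 0)
    return base + options


# Constructed option encodings (kind, length, value):
MSS_1460 = b"\x02\x04\x05\xb4"
MSS_48 = b"\x02\x04\x00\x30"
SACK_OK = b"\x04\x02"
ONE_SACK_BLOCK = b"\x05\x0a" + struct.pack("!II", 1000, 2000)

# Constructed sample flows: one ordinary handshake, one with a tiny MSS followed by SACKs.
SAMPLES = [
    ("normal", build_tcp_header(40000, 102, FLAG_SYN, MSS_1460 + SACK_OK)),
    ("normal", build_tcp_header(40000, 102, FLAG_ACK, b"\x01\x01" + ONE_SACK_BLOCK)),
    ("low-mss", build_tcp_header(40001, 102, FLAG_SYN, MSS_48 + SACK_OK)),
    ("low-mss", build_tcp_header(40001, 102, FLAG_ACK, b"\x01\x01" + ONE_SACK_BLOCK)),
    ("low-mss", build_tcp_header(40001, 102, FLAG_ACK, b"\x01\x01" + ONE_SACK_BLOCK)),
]


def run_samples(samples=SAMPLES) -> list:
    """Feed the samples through the monitor and return every alert it raises."""
    mon = FlowMonitor()
    return [alert for flow_id, seg in samples if (alert := mon.observe(flow_id, seg))]


if __name__ == "__main__":
    for line in run_samples():
        print(line)
```

The monitor deliberately does not alert on the SYN alone: a small MSS by itself is legitimate on some constrained links, so the alert waits until SACK blocks actually appear on that flow, which is the combination the report describes. In a real deployment the flow key would be the full 4-tuple from the IP header, and the thresholds would be tuned against baseline traffic to the industrial devices.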
## References
- Siemens Advisory SSA-462066: hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-462066[.]pdf
- Siemens Debian Support: hxxps://support.industry.siemens[.]com/cs/ww/en/view/109773487
- General Terms: hxxps://www.siemens[.]com/terms_of_use