Full Report
A vulnerability in the affected devices could allow an unauthorized attacker with network access to the webserver of an affected device to perform a denial of service attack. Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where updates are not, or not yet, available.
Analysis Summary
# Vulnerability: Denial of Service in Siemens Industrial Webservers
## CVE Details
- **CVE ID:** CVE-2019-6568
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-400 (Uncontrolled Resource Consumption)
## Affected Systems
- **Products:** SIMATIC CP 343/443 families, SIMATIC ET 200pro/200S CPUs, SIMATIC CP 1604/1616, SIMATIC S7-300/S7-400 CPU families, SINAMICS drives, SIMOCODE pro, and SITOP power supplies.
- **Versions:** Multiple versions across the industrial catalog. Key vulnerable ranges include:
  - SIMATIC CP 443-1: All versions < V3.3
  - SIMATIC ET 200pro/200S: All versions < V3.2.16
  - SIMATIC CP 1604/1616: All versions
  - SIMATIC S7-400: All versions (Fixes not planned for specific older V6/V7 families)
- **Configurations:** Webserver functionality must be enabled on the device.
## Vulnerability Description
A vulnerability in the integrated webserver of affected Siemens industrial products could allow an attacker to trigger a Denial of Service (DoS) condition. The flaw stems from improper handling of incoming network traffic to the web management interface. By sending specially crafted HTTP requests, an unauthorized attacker can cause the webserver, and potentially the device's communication capabilities, to become unresponsive or crash.
## Exploitation
- **Status:** Not explicitly reported as exploited in the wild in this advisory; however, the vulnerability is well-documented.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Device/Service becomes unavailable)
## Remediation
### Patches
Siemens has released several firmware updates. Primary examples include:
- **SIMATIC CP 443-1:** Update to V3.3 or later.
- **SIMATIC ET 200pro/200S CPUs:** Update to V3.2.16 or later.
- **SINAMICS S210:** See specific drive firmware update links.
- **SIMOCODE pro V PROFINET/Ethernet/IP:** Update to recommended latest versions.
### Workarounds
For devices where no fix is planned (e.g., CP 343-1 Advanced, CP 1604, older S7-400 CPUs):
- **Disable the Webserver:** If the web interface is not required for operation, disable it in the device configuration.
- **Network Isolation:** Ensure affected devices are not accessible from the Internet.
- **Firewalling:** Restrict access to the webserver (typically ports 80/443) using a management firewall or VLANs to trusted administrative workstations only.
- **Defense in Depth:** Utilize the Siemens Industrial Security Cell Protection concept.
## Detection
- **Indicators of Compromise:** Sudden loss of access to the web management interface; device heartbeat timeouts; exhaustion of TCP connections.
- **Detection methods:** Monitor network traffic for anomalous HTTP request patterns directed at industrial controllers.
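One way to turn the firewalling workaround and the detection guidance above into a check over flow records is sketched below. This is an added example, not part of the Siemens advisory. The controller addresses, admin subnet, record format and thresholds are all assumptions to be replaced with site values.

```python
import ipaddress
from collections import defaultdict

# Assumptions (not from the advisory): addresses, record format, thresholds.
CONTROLLERS = {"10.10.1.20", "10.10.1.21"}        # devices with webserver enabled
ADMIN_NET = ipaddress.ip_network("10.10.9.0/28")  # trusted admin workstations
WEB_PORTS = {80, 443}
WINDOW_S = 10    # sliding window, seconds
MAX_CONNS = 20   # new connections per source per controller per window

# Constructed sample flow records: "epoch_seconds src_ip dst_ip dst_port"
SAMPLE = [
    "1000 10.10.9.5 10.10.1.20 443",   # admin workstation, normal use
    "1030 10.10.9.5 10.10.1.20 443",
    "1040 10.10.5.77 10.10.1.21 80",   # source outside the admin subnet
    "1050 10.10.5.77 10.10.1.21 102",  # not a web port, out of scope here
] + [f"{2000 + i // 5} 10.10.9.6 10.10.1.20 80" for i in range(30)]  # 30 in 6 s


def parse(line):
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def audit(lines):
    """Return a sorted list of (kind, src, dst) findings."""
    findings = set()
    recent = defaultdict(list)  # (src, dst) -> timestamps inside the window
    for ts, src, dst, port in sorted(map(parse, lines)):
        if dst not in CONTROLLERS or port not in WEB_PORTS:
            continue
        # Firewall policy check: only admin workstations should reach the webserver.
        if ipaddress.ip_address(src) not in ADMIN_NET:
            findings.add(("untrusted_source", src, dst))
        # Rate check: many new connections in a short window precede exhaustion.
        times = recent[(src, dst)]
        times.append(ts)
        while times[0] <= ts - WINDOW_S:
            times.pop(0)
        if len(times) > MAX_CONNS:
            findings.add(("connection_burst", src, dst))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

An `untrusted_source` finding means the firewall or VLAN restriction is not being enforced; a `connection_burst` finding is worth correlating with webserver unavailability or heartbeat timeouts on the same device.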
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-480230[.]pdf
- **Siemens Terms of Use:** hxxps://www[.]siemens[.]com/terms_of_use
- **Resource Link:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109817938/