Full Report
Vulnerabilities in the third-party component strongSwan could allow an attacker to cause a denial of service (DoS) condition in affected devices by exploiting integer overflow bugs. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Denial of Service in Siemens Products via strongSwan Integer Overflows
## CVE Details
- **CVE ID:** CVE-2021-41990, CVE-2021-41991
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-190 (Integer Overflow or Wraparound)
## Affected Systems
- **Products:**
  - RUGGEDCOM RM1224 LTE (EU/NAM)
  - SCALANCE M800 series (M804, M812, M816, M826, M874, M876)
  - SCALANCE MUM853-1, MUM856-1
  - SCALANCE S615
  - SIMATIC CP 1242-7 V2, CP 1243-1, CP 1243-7, CP 1243-8
  - SIMATIC CP 1542SP-1, CP 1543SP-1, CP 1543-1, CP 1545-1
  - SINEMA Remote Connect Server
- **Versions:** Multiple versions prior to the released patches (predominantly versions < V7.1 for SCALANCE/RUGGEDCOM).
- **Configurations:** Devices utilizing the strongSwan third-party component for IPsec VPN functionality.
## Vulnerability Description
The affected devices utilize **strongSwan**, which contains two integer overflow flaws:
1. **CVE-2021-41990:** An overflow occurs during the comparison of RSASSA-PSS signatures. It can be triggered by an initiator sending an unrelated self-signed CA certificate, leading to a crash.
2. **CVE-2021-41991:** An overflow exists in the in-memory certificate cache. When the cache is full, the random selection process for replacing entries is flawed. An attacker can flood the device with different certificate requests to trigger the overflow.
Both flaws primarily result in a **Denial of Service (DoS)** by crashing the daemon. While Remote Code Execution (RCE) is theoretically possible for CVE-2021-41991, it is considered highly unlikely by the vendor.
## Exploitation
- **Status:** PoC Available (CVSS Exploit Code Maturity: Functional/Proven). No confirmed exploitation in the wild mentioned.
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (System/Service crash)
## Remediation
### Patches
Siemens recommends updating the following product families to the specified versions or later:
- **SCALANCE M-800 / MUM-800 / RUGGEDCOM RM1224:** Update to V7.1
- **SCALANCE S615:** Update to V7.1
- **SIMATIC CP 1543-1:** Update to V3.0.22
- **SIMATIC CP 1545-1:** Update to V1.1
- **SIMATIC CP 1242-7 V2, 1243-1, 1243-7, 1243-8:** Update to V3.3.46
- **SINEMA Remote Connect Server:** Update to V3.1
- **SIMATIC CP 1542SP-1 / CP 1543SP-1:** Update to V2.2
### Workarounds
The advisory does not provide specific technical workarounds other than the general recommendation to apply the available firmware updates.
## Detection
- **Indicators of Compromise:** Unexpected crashing of the IPsec daemon/strongSwan service or sudden device reboots during VPN negotiation.
- **Detection methods:** Monitor network traffic for an unusually high volume of IKE (Internet Key Exchange) requests involving various self-signed certificates or signature authentication attempts.
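The detection method above can be turned into a simple threshold rule over gateway logs. The following is an added example, not code from the Siemens advisory or from the strongSwan project: it assumes a generic, constructed log line format (`<ISO timestamp> ike: <exchange> from <peer> [cert=<id>]`) rather than strongSwan's own log output, and it flags a peer either for an unusually high number of IKE messages within a sliding window or for presenting many distinct certificates, which matches the two indicators the advisory describes. The thresholds (`max_requests`, `max_distinct_certs`, `window_seconds`) are illustrative defaults to be tuned per site.

```python
"""Threshold detection of IKE negotiation floods from VPN gateway logs.

Added example (not part of the advisory). Log format is a constructed,
generic one; adapt parse_line() to the gateway's real log format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed/constructed line shape: "<ISO ts> ike: IKE_SA_INIT|IKE_AUTH from <peer> [cert=<id>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ike: (?P<exch>IKE_SA_INIT|IKE_AUTH) from (?P<peer>\S+)"
    r"(?: cert=(?P<cert>\S+))?$"
)


def parse_line(line):
    """Return a dict for a recognised IKE log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "exch": m.group("exch"),
        "peer": m.group("peer"),
        "cert": m.group("cert"),  # None when the message carried no certificate
    }


def detect_ike_floods(lines, window_seconds=60, max_requests=10, max_distinct_certs=3):
    """Flag peers whose IKE activity exceeds a rate or distinct-certificate threshold.

    Returns {peer: {"max_requests_in_window", "distinct_certs", "reasons"}}
    for every peer that tripped at least one threshold.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # peer -> timestamps of messages inside the window
    certs = defaultdict(set)      # peer -> distinct certificate identifiers seen
    alerts = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        peer = ev["peer"]
        q = recent[peer]
        q.append(ev["ts"])
        # Drop timestamps that fell out of the sliding window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["cert"]:
            certs[peer].add(ev["cert"])
        reasons = set()
        if len(q) >= max_requests:
            reasons.add("rate")
        if len(certs[peer]) >= max_distinct_certs:
            reasons.add("certs")
        if reasons:
            a = alerts.setdefault(peer, {"max_requests_in_window": 0, "distinct_certs": 0, "reasons": set()})
            a["max_requests_in_window"] = max(a["max_requests_in_window"], len(q))
            a["distinct_certs"] = len(certs[peer])
            a["reasons"].update(reasons)
    return alerts


def constructed_sample_log():
    """Constructed sample: one quiet peer and one peer repeatedly negotiating
    with a series of different self-signed certificates (addresses are
    documentation ranges, not real hosts)."""
    lines = [
        "2024-01-01T10:00:00 ike: IKE_SA_INIT from 198.51.100.7",
        "2024-01-01T10:00:01 ike: IKE_AUTH from 198.51.100.7 cert=corp-vpn-ca",
        "2024-01-01T10:05:00 ike: IKE_SA_INIT from 198.51.100.7",
        "2024-01-01T10:05:01 ike: IKE_AUTH from 198.51.100.7 cert=corp-vpn-ca",
        "unrelated daemon line that the parser must skip",
    ]
    for i in range(12):
        ts = f"2024-01-01T10:10:{i * 2:02d}"
        lines.append(f"{ts} ike: IKE_SA_INIT from 203.0.113.5")
        lines.append(f"{ts} ike: IKE_AUTH from 203.0.113.5 cert=selfsigned-{i % 4}")
    return lines


if __name__ == "__main__":
    for peer, info in detect_ike_floods(constructed_sample_log()).items():
        print(f"ALERT {peer}: {info}")
```

Running the module prints one alert for the noisy peer and none for the quiet one. In production the same logic would run over the gateway's real IKE log (or an IDS feed of UDP/500 and UDP/4500 traffic), and a sudden restart of the IPsec daemon correlated with such an alert is the combination the advisory's indicators of compromise describe.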
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-539476.pdf
- **Siemens ProductCERT:** hxxps://www.siemens[.]com/cert/advisories
- **Technical Support:** hxxps://support.industry.siemens[.]com/cs/ww/en/view/109807276/