Full Report
SIMATIC MV500 devices before V3.3.4 are affected by multiple vulnerabilities in the web server and in several third-party components. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in SIMATIC MV500 Devices
## CVE Details
- **CVE IDs:**
  - zlib: CVE-2022-37424, CVE-2022-37434
  - JSZip: CVE-2022-48285
  - OpenSSL: CVE-2023-0215, CVE-2023-0286
  - Siemens (proprietary code): CVE-2023-35920, CVE-2023-35921, CVE-2023-36521
- **CVSS Score:** Up to 9.8 (Critical)
- **CWE:** CWE-20, CWE-787, CWE-22, CWE-416, CWE-400, CWE-770
## Affected Systems
- **Products:**
- SIMATIC MV540 H
- SIMATIC MV540 S
- SIMATIC MV550 H
- SIMATIC MV550 S
- SIMATIC MV560 U
- SIMATIC MV560 X
- **Versions:** All versions prior to V3.3.4
- **Configurations:**
- One of the Siemens-specific vulnerabilities (CVE-2023-36521) is only exploitable when the **Result Synchronization Server** is enabled.
- The OpenSSL flaws are only reachable through specific API calls or when CRL checking is configured.
## Vulnerability Description
Affected SIMATIC MV500 devices contain multiple security flaws stemming from third-party components (OpenSSL, zlib, JSZip) and proprietary code:
- **Remote Code Execution (RCE) / Memory Corruption:** Heap-based buffer overflows in `zlib` (CWE-787) and type confusion in `OpenSSL` (CWE-20) could allow high-impact exploitation.
- **Denial of Service (DoS):** Improper handling of crafted IP packets, Ethernet frames, and socket-based communications can cause devices to crash or stop responding, requiring a manual restart.
- **Path Traversal:** The `JSZip` component allows for directory traversal via crafted ZIP archives (CWE-22).
- **Resource Exhaustion:** Improper synchronization in the result server can lead to a lockout of all socket-based communication.
## Exploitation
- **Status:** PoC available (for several of the listed CVEs, functional or proven exploitation paths exist in the wild or in public research).
- **Complexity:** Low to High (varies by CVE; the DoS vectors are generally low complexity).
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Memory reads possible via OpenSSL and zlib flaws).
- **Integrity:** High (System-level changes possible via buffer overflows).
- **Availability:** High (Persistent DoS requiring manual intervention).
## Remediation
### Patches
- Siemens recommends updating all SIMATIC MV500 devices to **Version V3.3.4** or later.
### Workarounds
- Disable the **Result Synchronization Server** if not required to mitigate CVE-2023-36521.
- Restrict network access to the devices to trusted administrative users and segments only.
## Detection
- **Indicators of Compromise:**
- Unexpected device reboots or hangs requiring manual power cycles.
- Failures in socket-based communications or result synchronization.
- **Detection Methods:** Monitor network traffic for malformed Ethernet frames and non-standard IP packets targeting industrial gateways. Scan for vulnerable versions using ICS-aware asset management tools.
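The version check that the detection and remediation sections call for can be automated against an asset inventory. The following is an added example, not code from Siemens or from this advisory; the product names and the V3.3.4 threshold come from the advisory, while the `Device` record, the helper names and the inventory rows are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Firmware version from which the advisory states the issues are fixed.
FIXED_VERSION = (3, 3, 4)

# Product designations listed as affected in the advisory.
AFFECTED_PRODUCTS = {
    "SIMATIC MV540 H", "SIMATIC MV540 S",
    "SIMATIC MV550 H", "SIMATIC MV550 S",
    "SIMATIC MV560 U", "SIMATIC MV560 X",
}

# Accepts Siemens-style strings such as "V3.3.4" (leading V optional, any case).
_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)\.(\d+)$")


def parse_version(text):
    """Convert a version string into a tuple of ints so that comparison is
    numeric per component (V3.3.10 is newer than V3.3.4, unlike a string
    comparison). Malformed entries raise rather than silently passing as
    patched."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.groups())


@dataclass
class Device:
    name: str                  # inventory label (constructed)
    product: str               # product designation as reported by the asset tool
    version: str               # firmware version string as reported
    result_sync_enabled: bool  # state of the Result Synchronization Server


def assess(device):
    """Decide whether a device is in scope for the advisory, whether it runs a
    version below the fix, and which remediation steps from the advisory apply."""
    in_scope = device.product in AFFECTED_PRODUCTS
    vulnerable = in_scope and parse_version(device.version) < FIXED_VERSION
    actions = []
    if vulnerable:
        actions.append("update to V3.3.4 or later")
        if device.result_sync_enabled:
            # Interim workaround for CVE-2023-36521 until the update is applied.
            actions.append("disable Result Synchronization Server (CVE-2023-36521)")
        actions.append("restrict network access to trusted segments")
    return {
        "name": device.name,
        "in_scope": in_scope,
        "vulnerable": vulnerable,
        "actions": actions,
    }


def triage(devices):
    """Assess every device in the inventory and return one result row each."""
    return [assess(d) for d in devices]


# Constructed sample inventory; not real asset data.
SAMPLE_INVENTORY = [
    Device("reader-01", "SIMATIC MV540 H", "V3.2.1", True),
    Device("reader-02", "SIMATIC MV560 X", "V3.3.4", False),
    Device("reader-03", "SIMATIC MV550 S", "v3.3.10", False),
    Device("plc-01", "SIMATIC S7-1500", "V2.9.2", False),  # not covered by this advisory
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```

The numeric tuple comparison is the point worth keeping: a plain string comparison would rank "V3.3.10" below "V3.3.4" and report a patched reader as vulnerable, and an unparseable version string is raised as an error instead of being treated as fixed.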
## References
- Siemens Security Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-561322.pdf
- Siemens ProductCERT: https://www.siemens.com/cert/advisories
- Global Terms: https://www.siemens.com/terms_of_use