Full Report
SIMATIC RTLS Gateways are affected by the "Ripple20" vulnerabilities in the Treck TCP/IP stack disclosed by the JSOF research lab. Siemens recommends countermeasures for products where fixes are not available, or not yet available.
Analysis Summary
# Vulnerability: Ripple20 (Treck TCP/IP Stack) in SIMATIC RTLS Gateways
## CVE Details
- **CVE ID:** CVE-2020-11896
- **CVSS Score:** 7.5 (High) / 7.7 (CVSS v4.0)
- **CWE:** CWE-130: Improper Handling of Length Parameter Inconsistency
## Affected Systems
- **Products:** SIMATIC RTLS (Real-Time Locating System) Gateways
- **Versions:** All versions of the following models are affected:
  - RTLS4030G, CMIIT (6GT2701-5DB23)
  - RTLS4030G, ETSI (6GT2701-5DB03)
  - RTLS4030G, FCC (6GT2701-5DB13)
  - RTLS4030G, ISED (6GT2701-5DB33)
  - RTLS4430G, Chirp, ETSI, FCC, ISED, IP65 (6GT2701-5CB03)
- **Configurations:** Devices utilizing the Treck TCP/IP stack for network communications.
## Vulnerability Description
The vulnerability originates from the "Ripple20" research regarding the Treck TCP/IP stack. Specifically, the stack improperly handles inconsistencies in length parameters within IP packets. An unauthenticated remote attacker can exploit this by sending specially crafted IP packets to an affected device.
## Exploitation
- **Status:** PoC available (Note: CVSS vector indicates functional exploitability exists).
- **Complexity:** High
- **Attack Vector:** Adjacent (The attacker must be on the same local network or subnet as the RTLS Gateway).
## Impact
- **Confidentiality:** High
- **Integrity:** High
- **Availability:** High
- **Result:** Successful exploitation could lead to a Denial of Service (DoS) condition or Remote Code Execution (RCE).
## Remediation
### Patches
- **No Fix Planned:** Siemens has stated that no firmware updates are currently planned to address these vulnerabilities in the listed RTLS Gateway models.
### Workarounds
- **Network Segmentation:** Protect network access to devices using appropriate physical or logical mechanisms.
- **Operational Guidelines:** Configure the environment according to Siemens' operational guidelines for Industrial Security.
- **Manual Compliance:** Strictly follow security recommendations provided in the specific product manuals.
## Detection
- **Indicators of Compromise:** Unusual device reboots, network latency, or unexpected malformed IP traffic originating from or directed toward the gateways.
- **Detection methods and tools:** Use Industrial Intrusion Detection Systems (IDS) or Deep Packet Inspection (DPI) tools capable of identifying malformed Treck TCP/IP packets (Ripple20 signatures).
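As an added example (not from the Siemens advisory, JSOF's research, or any vendor DPI signature), a small Python check for the class of defect the CWE-130 classification names: it verifies that an IPv4 packet's header length (IHL), total length field and actual byte count agree. As an assumption going beyond the page, it also walks IP-in-IP encapsulation (protocol 4), because a nested header carries its own length fields. The sample packets are constructed inline.

```python
import struct
from typing import Optional

def ipv4_length_issues(pkt: bytes, depth: int = 0) -> list:
    """Return a list of length-consistency problems in an IPv4 packet.

    Assumption: a simple structural check, not a Treck/Ripple20 signature.
    """
    issues = []
    if len(pkt) < 20:
        return [f"depth {depth}: truncated header ({len(pkt)} bytes)"]
    ver_ihl, _, total_len = struct.unpack("!BBH", pkt[:4])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    proto = pkt[9]
    if version != 4:
        return [f"depth {depth}: not IPv4 (version {version})"]
    if ihl < 20:
        issues.append(f"depth {depth}: IHL {ihl} below minimum header size")
    if total_len < ihl:
        issues.append(f"depth {depth}: total length {total_len} smaller than header {ihl}")
    if total_len > len(pkt):
        # The length field claims more bytes than were actually received.
        issues.append(f"depth {depth}: total length {total_len} exceeds actual {len(pkt)} bytes")
    if not issues and proto == 4:
        # IP-in-IP: the inner packet has its own, independently checked, length fields.
        issues += ipv4_length_issues(pkt[ihl:total_len], depth + 1)
    return issues

def build_ipv4(payload: bytes, proto: int, total_len: Optional[int] = None) -> bytes:
    """Constructed sample builder: minimal 20-byte header, checksum left zero."""
    if total_len is None:
        total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload

# Constructed samples: a consistent UDP packet and an IP-in-IP packet whose inner
# header claims 200 bytes while only 24 are present.
GOOD = build_ipv4(b"\x00" * 8, proto=17)
INNER_TOO_LONG = build_ipv4(build_ipv4(b"\x00" * 4, proto=17, total_len=200), proto=4)

if __name__ == "__main__":
    for name, pkt in (("GOOD", GOOD), ("INNER_TOO_LONG", INNER_TOO_LONG)):
        print(name, ipv4_length_issues(pkt) or "ok")
```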
## References
- Siemens Advisory SSA-647068: hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-647068[.]pdf
- JSOF Ripple20 Research: hxxps[://]www[.]jsof-tech[.]com/ripple20/
- Siemens Industrial Security Guidelines: hxxps[://]www[.]siemens[.]com/cert/operational-guidelines-industrial-security