Full Report
A vulnerability in the affected products could allow an unauthorized attacker with network access to the webserver of an affected device to perform a denial-of-service attack. Siemens has released a new version for SINAMICS S210 (6SL5…) and recommends updating to the latest version. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Denial-of-Service in Siemens Industrial Web Servers
## CVE Details
- **CVE ID:** CVE-2023-38380
- **CVSS Score:** 7.5 (High) - CVSS v3.1 / 8.7 (High) - CVSS v4.0
- **CWE:** CWE-401: Missing Release of Memory after Effective Lifetime
## Affected Systems
- **Products:**
  - SIMATIC CP 1242-7 V2 (including SIPLUS variants)
  - SIPLUS NET CP 1543-1 (6AG1543-1AX00-2XE0)
  - SINAMICS S210 (6SL5…)
- **Versions:**
  - SIMATIC CP 1242-7 V2: All versions ≥ V6.1 and < V6.1 HF2
  - SIPLUS NET CP 1543-1: All versions < V3.0.37
  - SINAMICS S210: Specific versions identified in the summary as requiring updates to the latest version.
- **Configurations:** Devices with the integrated web server enabled and reachable via the network.
## Vulnerability Description
The web server implementation within the affected Siemens products contains a memory management flaw. It fails to correctly release allocated memory after its effective lifetime (memory leak). A remote, unauthenticated attacker can exploit this by sending specific network traffic to the web server, eventually exhausting available memory resources and causing a Denial-of-Service (DoS) condition.
## Exploitation
- **Status:** PoC available (indicated by the CVSS "Exploit Code Maturity: Proof-of-Concept" metric, E:P)
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (The web server service becomes unresponsive or crashes)
## Remediation
### Patches
Siemens recommends upgrading to the following versions:
- **SIMATIC CP 1242-7 V2:** Update to V6.1 HF2 or later.
- **SIPLUS NET CP 1543-1:** Update to V3.0.37 or later.
- **SINAMICS S210:** Update to the latest released version.
### Workarounds
- **Restrict Access:** Limit network access to the integrated web server to trusted IP addresses only.
- **Disable Service:** If the web interface is not required for operations, disable the web server functionality.
- **Network Segmentation:** Implement industrial security guidelines by isolating affected devices within protected network segments.
## Detection
- **Indicators of Compromise:** Unusual increase in memory consumption on the CP module; web interface becoming sluggish or completely unresponsive; unexpected device reboots.
- **Detection methods and tools:** Monitor network traffic for repeated, anomalous requests to the device web server. Use SNMP or Siemens-specific management tools to monitor system memory health.
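
The memory-health monitoring described above can be turned into a simple trend check. The following is an added example, not code from Siemens or the advisory: it fits a least-squares slope to free-memory samples and flags the steady, never-recovering decline that a CWE-401 leak produces. The function name, thresholds and sample values are assumptions, and how the samples are collected (SNMP poll or vendor tool export) is left out.

```python
# Added example: flag a leak-like trend in device free-memory samples.
# Samples are (unix_seconds, free_memory_kb) pairs from any monitoring source.

def leak_trend(samples, min_points=6, min_drop_fraction=0.8):
    """Return (is_leak_like, slope_kb_per_s, seconds_to_exhaustion).

    min_points and min_drop_fraction are assumed thresholds; tune per device.
    """
    if len(samples) < min_points:
        return (False, 0.0, None)
    n = len(samples)
    ts = [t for t, _ in samples]
    free = [f for _, f in samples]
    mean_t = sum(ts) / n
    mean_f = sum(free) / n
    var_t = sum((t - mean_t) ** 2 for t in ts)
    if var_t == 0:
        return (False, 0.0, None)
    # Least-squares slope of free memory over time (kB per second).
    slope = sum((t - mean_t) * (f - mean_f) for t, f in samples) / var_t
    # A leak does not give memory back: most intervals must show a drop.
    drops = sum(1 for a, b in zip(free, free[1:]) if b < a)
    steady = drops / (n - 1) >= min_drop_fraction
    if slope >= 0 or not steady:
        return (False, slope, None)
    # Linear projection of when free memory reaches zero.
    return (True, slope, free[-1] / -slope)

# Constructed sample data, one reading per minute (not real device output).
LEAKING = [(0, 50000), (60, 49000), (120, 48000),
           (180, 47000), (240, 46000), (300, 45000)]
HEALTHY = [(0, 50000), (60, 49500), (120, 50200),
           (180, 49800), (240, 50100), (300, 49900)]

if __name__ == "__main__":
    for name, data in (("leaking", LEAKING), ("healthy", HEALTHY)):
        flagged, slope, eta = leak_trend(data)
        print(f"{name}: flagged={flagged} slope={slope:.2f} kB/s eta={eta}")
```

A flagged trend is a reason to correlate with web server request volume on the same device before the projected exhaustion time, not proof of exploitation on its own.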
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-693975[.]html
- **Siemens Operational Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security
- **Firmware Downloads:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109825153/ (CP 1242-7) and hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109828349/ (CP 1543-1)