Full Report
The OPC UA implementations (ANSI C and C++) used in several SIMATIC products contain a denial of service vulnerability that could allow an unauthenticated remote attacker to create a denial of service condition by sending a specially crafted certificate. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Denial of Service in Siemens SIMATIC OPC UA Implementations
## CVE Details
- **CVE ID:** CVE-2023-28831
- **CVSS Score:**
  - CVSS v3.1: 7.5 (High)
  - CVSS v4.0: 8.7 (High)
- **CWE:** Not specifically listed in advisory (typically related to Improper Certificate Validation or Resource Exhaustion)
## Affected Systems
- **Products:** Various SIMATIC products using OPC UA ANSI C and C++ implementations.
- **Specific Versions:**
  - **SIMATIC BRAUMAT:** All versions < V30.1.0
  - **SIMATIC NET PC Software:** V14 (All), V16 (< V16 Update 8), V17 (< V17 Update 1), V18 (< V18 Update 1)
  - **SIMATIC PCS 7:** V9.1 (< V9.1 SP2 UC08)
  - **SIMATIC S7-1500 CPU Family (including ET 200 and SIPLUS variants):** All versions < V2.9.7
  - **SIMATIC WinCC OA:** V3.17, V3.18, V3.19
  - **SIMATIC WinCC (Classic/Runtime Pro):** Various versions, including WinCC V7.5, V8.0, and V19
  - **Other affected:** SIMATIC IPC DiagMonitor, SIMATIC PCS neo V4.0, SIMATIC Comfort/Mobile RT, SIMATIC WinCC Unified.
## Vulnerability Description
The vulnerability exists within the OPC UA ANSI C and C++ stacks used by Siemens SIMATIC products. A flaw in how these implementations process incoming security certificates allows an attacker to trigger a Denial of Service (DoS) condition. By sending a specially crafted certificate during the handshake or authentication process, the attacker can cause the service to crash or become unresponsive.
## Exploitation
- **Status:** Not reported as exploited in the wild (as of advisory date).
- **Complexity:** Low
- **Attack Vector:** Network (Unauthenticated remote access)
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (The primary impact is the loss of the OPC UA communication service and potential disruption of associated industrial processes).
## Remediation
### Patches
Siemens has released several updates. Notable fixes include:
- **SIMATIC BRAUMAT:** Update to V30.1.0 or later.
- **SIMATIC NET PC:** V16 Update 8, V17 SP1 Update 1, or V18 Update 1.
- **SIMATIC PCS 7:** Update to V9.1 SP2 UC08.
- **SIMATIC S7-1500 CPUs:** Update to V2.9.7 or later.
- **SIMATIC WinCC:** V8.0 or WinCC Runtime Professional V19.
### Workarounds
For products where no fix is planned (e.g., IPC DiagMonitor, PCS neo V4.0, SIMATIC NET PC V14):
- **Disable OPC UA:** If the service is not required, disable the OPC UA server/client to close the attack vector.
- **Network Segmentation:** Use firewalls to restrict access to the OPC UA ports (typically TCP/4840) to trusted IP addresses only.
- **VPN:** Use Secure VPN tunnels for any remote access to the industrial network.
## Detection
- **Indicators of Compromise:** Unexpected crashing of the `OpcUaServer.exe` process or similar service modules following a connection attempt.
- **Detection Methods:** Monitor network traffic for unusual certificate exchange patterns or repeated failed connection attempts to OPC UA endpoints. Utilize industrial IDS/IPS signatures specifically targeting OPC UA protocol anomalies.
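The detection approach above (repeated failed certificate exchanges against an OPC UA endpoint, followed by a service crash) can be scripted against server or gateway logs. The following is an added example, not part of the advisory or any Siemens product: it assumes a hypothetical `<timestamp> <source> <event> [detail]` log format with constructed sample lines, flags sources that accumulate certificate rejections inside a sliding time window, and correlates each crash event with the sources whose rejected certificates immediately preceded it.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "<timestamp> <source> <event> [detail]"
# format; this is not the real log format of any Siemens product.
SAMPLE_LOG = """\
2024-03-01T10:00:01 192.0.2.10 OPENSECURECHANNEL certificate_rejected BadCertificateInvalid
2024-03-01T10:00:02 192.0.2.10 OPENSECURECHANNEL certificate_rejected BadCertificateInvalid
2024-03-01T10:00:03 192.0.2.10 OPENSECURECHANNEL certificate_rejected BadCertificateInvalid
2024-03-01T10:00:04 192.0.2.10 OPENSECURECHANNEL certificate_rejected BadCertificateInvalid
2024-03-01T10:00:06 - SERVICE_CRASH OPC UA server process exited unexpectedly
2024-03-01T10:30:00 198.51.100.7 OPENSECURECHANNEL certificate_rejected BadCertificateUntrusted
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")

def parse_log(text):
    """Parse "<ts> <source> <event> [detail]" lines; malformed lines are skipped."""
    return [(datetime.fromisoformat(m[1]), m[2], m[3], m[4] or "")
            for m in map(LINE_RE.match, text.splitlines()) if m]

def rejection_bursts(events, threshold=3, window=timedelta(seconds=60)):
    """Sources with >= `threshold` certificate rejections inside any `window`-long interval.
    Assumes the log is in chronological order (true for the constructed sample)."""
    per_src = defaultdict(list)
    for ts, src, ev, detail in events:
        if ev == "OPENSECURECHANNEL" and detail.startswith("certificate_rejected"):
            per_src[src].append(ts)
    flagged = {}
    for src, times in per_src.items():
        start = 0
        for end, ts in enumerate(times):          # sliding window over the timestamps
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[src] = max(flagged.get(src, 0), end - start + 1)
    return flagged

def crash_correlation(events, lookback=timedelta(seconds=30)):
    """For each SERVICE_CRASH, the sources whose rejected certificates preceded it within `lookback`."""
    result = []
    for ts, _, ev, _ in events:
        if ev == "SERVICE_CRASH":
            culprits = sorted({src for t, src, e, d in events
                               if e == "OPENSECURECHANNEL" and d.startswith("certificate_rejected")
                               and ts - lookback <= t < ts})
            result.append((ts.isoformat(), culprits))
    return result
```

Tune `threshold`, `window` and `lookback` to the normal reconnect behaviour of the clients on the segment so that a legitimately misconfigured client with an untrusted certificate is not mistaken for a DoS attempt.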
## References
- **Siemens Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-711309[.]html
- **Siemens ProductCERT:** hxxps://www[.]siemens[.]com/cert/advisories