Full Report
A vulnerability exists in affected products that could allow remote attackers to affect the availability of the devices under certain conditions. The integrated ICMP services in the underlying TCP/IP stack are vulnerable to a denial of service attack through specially crafted ICMP packets. A successful attack will impact the availability of ICMP services on affected products for a limited time; the service restores itself after the attack ceases. Other communication services are not affected by this vulnerability. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Denial of Service of ICMP in Siemens Industrial Devices
## CVE Details
- **CVE ID:** CVE-2024-23814
- **CVSS Score:**
  - **v3.1:** 5.3 (Medium) | `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L`
  - **v4.0:** 6.9 (Medium) | `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N`
- **CWE:** CWE-400 (Uncontrolled Resource Consumption)
## Affected Systems
- **Products:**
  - SIDOOR (ATD430W, ATE530G/S)
  - SIMATIC CFU (DIQ, PA)
  - SIMATIC ET 200 (AL, M, PN/PN Coupler)
  - SIMATIC S7-300 / S7-400 / S7-410
  - SIMATIC S7-1500 (V1 firmware line only)
  - SIPLUS variants of the above
- **Versions:**
  - SIMATIC CFU: Versions < V2.0.0
  - SIMATIC S7-1500: Firmware line V1.x (V2, V3, and V4 are **not** affected)
  - PN/PN Coupler: Versions < V6.0.0
- **Configurations:** Devices using the integrated ICMP services in the underlying TCP/IP stack.
## Vulnerability Description
The integrated ICMP service within the network stack of affected devices fails to properly manage memory resources during the re-assembly of IP fragments. By sending specially crafted packets targeting IP fragment re-assembly, a remote attacker can exhaust available memory resources. This results in a temporary Denial of Service (DoS) of the ICMP service.
## Exploitation
- **Status:** PoC available (CVSS temporal vector `E:P`)
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** Low (Only ICMP services are impacted; other communication services remain operational. The service restores itself after the attack ceases.)
## Remediation
### Patches
- **SIMATIC CFU DIQ:** Update to V2.0.0 or later.
- **SIMATIC CFU PA:** Update to V2.0 or later.
- **SIMATIC PN/PN Coupler (6ES7158-3AD10-0XA0):** Update to V6.0.0 or later.
- **SIPLUS NET PN/PN Coupler (6AG2158-3AD10-4XA0):** Update to V6.0.0 or later.
- **SIMATIC S7-1500:** Use firmware lines V2, V3, or V4 (not affected).
### Workarounds
- **No Fix Planned:** For SIDOOR, ET 200AL, ET 200M, and SIPLUS S7-300, users should follow general security recommendations.
- **Network Segmentation:** Minimize network exposure for control system devices and ensure they are not accessible from the Internet.
- **Firewall Filtering:** Use firewalls to filter or restrict ICMP traffic to trusted sources only.
## Detection
- **Indicators of Compromise:** Temporary loss of "Ping" (ICMP Echo Request) responsiveness from the device while other industrial protocols (Profinet, S7 Comm) continue to function normally.
- **Detection Methods:** Monitor for unusual peaks in fragmented IP traffic or ICMP traffic originating from untrusted network segments.
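The two detection signals above, implemented as an added example (this is not code from the Siemens advisory or from any Siemens tool) and run over constructed sample data. It assumes that packet summaries have already been parsed into dicts with the fields shown (for instance from a pcap or flow export), that the trusted engineering subnet is `10.10.0.0/16`, and that a monitoring job records each probe cycle as `(timestamp, icmp_ok, s7_tcp_ok)`, where `s7_tcp_ok` is a TCP connect check to port 102; all of these names, addresses and thresholds are assumptions, not values from the advisory.

```python
"""Added example: flag bursts of fragmented IP / ICMP traffic from untrusted
segments, and spot the 'ping dies but S7 keeps answering' pattern the IoC
describes. Sample data below is constructed, not captured from real devices."""
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed trusted engineering/maintenance subnet (not from the advisory).
TRUSTED_NETS = [ip_network("10.10.0.0/16")]


def _packet(ts, src, proto, fragmented):
    # Assumed record layout; "fragmented" means MF set or non-zero fragment offset.
    return {"ts": ts, "src": src, "dst": "10.10.7.1", "proto": proto, "fragmented": fragmented}


# Constructed sample traffic towards one controller (10.10.7.1).
SAMPLE_PACKETS = (
    # routine pings from the trusted engineering station
    [_packet(t, "10.10.5.20", "ICMP", False) for t in (0.0, 1.0, 2.0, 3.0)]
    # a few fragmented frames from an untrusted host, well below the threshold
    + [_packet(4.0 + i * 0.1, "198.51.100.9", "UDP", True) for i in range(3)]
    # a burst of 60 fragmented ICMP packets from an untrusted host inside one second
    + [_packet(5.0 + i * 0.01, "192.0.2.77", "ICMP", True) for i in range(60)]
)

# Constructed probe log: (timestamp_s, icmp_echo_ok, s7_tcp102_ok).
SAMPLE_PROBES = [
    (0, True, True), (10, True, True), (20, True, True),
    (30, False, True), (40, False, True), (50, False, True), (60, False, True),
    (70, True, True),
    (80, False, False),   # both fail: a full outage, not the ICMP-only pattern
    (90, True, True),
    (100, False, True),   # one missed ping, shorter than min_samples
    (110, True, True),
]


def is_trusted(src, trusted_nets=TRUSTED_NETS):
    addr = ip_address(src)
    return any(addr in net for net in trusted_nets)


def find_suspicious_sources(packets, trusted_nets=TRUSTED_NETS, window_s=1.0, threshold=50):
    """Return {src: peak_count} for untrusted sources whose count of ICMP or
    fragmented packets in any window_s-second bucket reaches threshold."""
    counts = Counter()
    for p in packets:
        if p["proto"] != "ICMP" and not p["fragmented"]:
            continue  # only ICMP and fragmented IP traffic matter for this signal
        if is_trusted(p["src"], trusted_nets):
            continue
        bucket = int(p["ts"] // window_s)
        counts[(p["src"], bucket)] += 1
    peaks = {}
    for (src, _bucket), n in counts.items():
        if n >= threshold:
            peaks[src] = max(n, peaks.get(src, 0))
    return peaks


def icmp_only_outages(probes, min_samples=3):
    """Return [(start_ts, end_ts)] for runs of at least min_samples consecutive
    probes where ICMP echo failed while the S7 TCP port still answered."""
    runs, start, last, count = [], None, None, 0
    for ts, icmp_ok, s7_ok in probes:
        if not icmp_ok and s7_ok:
            if start is None:
                start = ts
            last, count = ts, count + 1
        else:
            if start is not None and count >= min_samples:
                runs.append((start, last))
            start, count = None, 0
    if start is not None and count >= min_samples:
        runs.append((start, last))
    return runs


if __name__ == "__main__":
    print("suspicious sources:", find_suspicious_sources(SAMPLE_PACKETS))
    print("ICMP-only outages:", icmp_only_outages(SAMPLE_PROBES))
```

The traffic check deliberately ignores trusted sources so routine engineering-station pings never trip it, and the probe check requires the S7 port to stay reachable, which separates this advisory's symptom (ICMP gone, other services fine) from a general outage of the device. Tune `window_s`, `threshold` and `min_samples` to the baseline of the plant network before relying on the alerts.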
## References
- **Vendor Advisory:** [https://cert-portal.siemens.com/productcert/pdf/ssa-725549.pdf](https://cert-portal.siemens.com/productcert/pdf/ssa-725549.pdf)
- **Siemens ProductCERT:** [https://www.siemens.com/cert/advisories](https://www.siemens.com/cert/advisories)
- **Support Link 1:** [https://support.industry.siemens.com/cs/ww/en/view/109781049/](https://support.industry.siemens.com/cs/ww/en/view/109781049/)
- **Support Link 2:** [https://support.industry.siemens.com/cs/ww/en/view/109754628/](https://support.industry.siemens.com/cs/ww/en/view/109754628/)