Full Report
Two null pointer dereference vulnerabilities affect multiple SIMATIC software products. They could allow an attacker to cause a persistent denial-of-service condition in the RPC Server of these products. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Denial of Service in SIMATIC Products via RPC Null Pointer Dereference
## CVE Details
- CVE ID: CVE-2023-48363, CVE-2023-48364
- CVSS Score: 6.5 (CVSS v3.1) / 7.1 (CVSS v4.0) (Medium/High)
- CWE: CWE-476: NULL Pointer Dereference
## Affected Systems
- Products: OpenPCS 7, SIMATIC BATCH, SIMATIC PCS 7, SIMATIC Route Control, SIMATIC WinCC Runtime Professional.
- Versions:
  - OpenPCS 7 V9.1: All versions < V9.1 SP2 UC05
  - SIMATIC BATCH V9.1: All versions < V9.1 SP2 UC05
  - SIMATIC PCS 7 V9.1: All versions < V9.1 SP2 UC05
  - SIMATIC Route Control V9.1: All versions < V9.1 SP2 UC05
  - SIMATIC WinCC Runtime Professional V18: All versions < V18 Update 4
  - SIMATIC WinCC Runtime Professional V19: All versions < V19 Update 2
- Configurations: Vulnerabilities reside in the handling of unorganized or malformed RPC messages within the RPC Server implementation.
## Vulnerability Description
Two distinct null pointer dereference vulnerabilities (CVE-2023-48363 and CVE-2023-48364) exist in the RPC implementation of the affected SIMATIC products.
1. **CVE-2023-48363:** The RPC server improperly handles certain **unorganized RPC messages**.
2. **CVE-2023-48364:** The RPC server improperly handles certain **malformed RPC messages**.
Successful exploitation allows an attacker to cause a persistent Denial of Service (DoS) condition by crashing the RPC Server component.
| Metric | Value (v3.1/v4.0) |
| :--- | :--- |
| Attack Vector (AV) | Adjacent Network (A) |
| Attack Complexity (AC) | Low (L) |
| Privileges Required (PR) | None (N) |
| User Interaction (UI) | None (N) |
| Availability Impact (A/VA) | High (H) |
## Exploitation
- Status: Exploitation evidence available (E:P in the CVSS vector, meaning proof-of-concept exploit code is known to exist).
- Complexity: Low (AC:L).
- Attack Vector: Adjacent Network (AV:A). The attacker must already have access to the network segment that hosts the RPC Server (for example the same layer-2 domain or VPN); the flaw is not reachable across arbitrary routed networks.
## Impact
- Confidentiality: No Impact (N)
- Integrity: No Impact (N)
- Availability: High (H) - Leads to a persistent Denial of Service condition on the RPC Server.
## Remediation
### Patches
Siemens strongly recommends updating to the fixed versions listed below or later:
| Product | Remediation Version | Reference Link (Vendor Advisory) |
| :--- | :--- | :--- |
| SIMATIC PCS 7, OpenPCS 7, SIMATIC BATCH, SIMATIC Route Control (V9.1) | V9.1 SP2 UC05 or later | hxxps://support.industry.siemens.com/cs/ww/en/view/109812242/ |
| SIMATIC WinCC Runtime Professional V18 | V18 Update 4 or later | hxxps://support.industry.siemens.com/cs/ww/en/view/109807225/ |
| SIMATIC WinCC Runtime Professional V19 | V19 Update 2 or later | hxxps://support.industry.siemens.com/cs/ww/en/view/109820999/ |
### Workarounds
Siemens' advisory lists further recommendations under its "Workarounds and Mitigations" section. These were not fully transcribed here, but such guidance typically involves network segmentation, firewalling the RPC ports, or disabling unneeded services.
## Detection
- Detection methods generally focus on monitoring external or unauthorized access attempts against the RPC services running on the affected SIMATIC components.
- Look for abnormal termination or crashing of the RPC Server process related to unexpected or malformed network traffic targeting RPC ports.
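As an added illustration of the detection logic the two points above describe (example code written for this summary, not part of the Siemens advisory or of any Siemens product), the Python below correlates Windows Service Control Manager crash events for the RPC Server with inbound connections to RPC ports from hosts outside an allow-list, and counts repeated crashes as the "persistent DoS" signal. The service name `ExampleRpcServer`, the TCP/135 port, the host addresses and the log lines are constructed assumptions; adjust them to the real deployment.

```python
from collections import deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions, not taken from the advisory: the RPC Server runs as this Windows
# service (placeholder name), inbound RPC traffic arrives on TCP/135 (the MS-RPC
# endpoint mapper), and one engineering station is allowed to talk RPC to it.
MONITORED_SERVICE = "ExampleRpcServer"
RPC_PORTS = {135}
TRUSTED_HOSTS = {"10.0.1.20"}
# Windows System-log Service Control Manager events for a service that died:
# 7034 = terminated unexpectedly, 7031 = same, with a recovery action scheduled.
CRASH_EVENT_IDS = {7031, 7034}

# Constructed sample log: firewall hits on the RPC port ("fw") interleaved with
# Service Control Manager events ("sys"), normalised to key=value fields.
SAMPLE_LOG = [
    "ts=2024-03-01T08:00:00 type=fw src=10.0.1.20 dst=10.0.1.5 dport=135",
    "ts=2024-03-01T08:00:05 type=fw src=10.0.1.20 dst=10.0.1.5 dport=135",
    "ts=2024-03-01T08:14:30 type=fw src=10.0.3.77 dst=10.0.1.5 dport=135",
    "ts=2024-03-01T08:14:31 type=fw src=10.0.3.77 dst=10.0.1.5 dport=135",
    "ts=2024-03-01T08:14:33 type=sys id=7034 svc=ExampleRpcServer",
    "ts=2024-03-01T08:20:00 type=sys id=7034 svc=ExampleRpcServer",
]


@dataclass
class Alert:
    crash_time: datetime
    sources: tuple                 # untrusted hosts that hit an RPC port before the crash
    first_contact_seconds: float   # seconds from the earliest such connection to the crash


def parse_line(line):
    """Split one key=value log line into a dict and parse its timestamp."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    fields["ts"] = datetime.fromisoformat(fields["ts"])
    return fields


def is_crash(ev):
    """True for a Service Control Manager crash event of the monitored service."""
    return (ev["type"] == "sys" and int(ev["id"]) in CRASH_EVENT_IDS
            and ev["svc"] == MONITORED_SERVICE)


def crash_count(lines):
    """How often the RPC Server died: a rising count is the persistent-DoS signal."""
    return sum(1 for line in lines if is_crash(parse_line(line)))


def correlate(lines, window_seconds=60):
    """One Alert per crash of MONITORED_SERVICE that was preceded, within
    window_seconds, by inbound RPC traffic from a host outside TRUSTED_HOSTS."""
    recent = deque()   # untrusted RPC connections still inside the window
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev["type"] == "fw":
            if int(ev["dport"]) in RPC_PORTS and ev["src"] not in TRUSTED_HOSTS:
                recent.append(ev)
            continue
        if not is_crash(ev):
            continue
        # Drop connections older than the window, then see what is left.
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        while recent and recent[0]["ts"] < cutoff:
            recent.popleft()
        if recent:
            sources = tuple(sorted({c["src"] for c in recent}))
            lead = (ev["ts"] - recent[0]["ts"]).total_seconds()
            alerts.append(Alert(ev["ts"], sources, lead))
    return alerts


if __name__ == "__main__":
    print("crashes:", crash_count(SAMPLE_LOG))
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

On the sample data the first crash is attributed to `10.0.3.77`, which contacted the RPC port three seconds earlier, while the second crash has no untrusted traffic in its window and is therefore reported only through the crash count; in practice both signals matter, because a crashed RPC Server that keeps dying on restart is exactly the persistent condition the advisory describes.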
## References
- Siemens Advisory: SSA-753746
- Siemens ProductCERT Portal: hxxps://www.siemens.com/cert/advisories