Full Report
Multiple vulnerabilities in the affected products could allow an unauthorized attacker with network access to the webserver to perform a denial of service attack. Siemens has released a new version for SINAMICS S120 (incl. SIPLUS variants) and recommends updating to the latest version. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Multiple DoS Vulnerabilities in Siemens Industrial Webservers
## CVE Details
- **CVE ID:** CVE-2022-47374
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-674 (Uncontrolled Recursion)
- **CVE ID:** CVE-2022-47375
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-805 (Buffer Access with Incorrect Length Value)
## Affected Systems
- **Products:**
  - SIMATIC S7-400 CPU 412-2 PN, 414-3 PN/DP, 414F-3 PN/DP, 416-3 PN/DP, 416F-3 PN/DP (V7)
  - SIPLUS S7-400 CPU 414-3 PN/DP, 416-3 PN/DP (V7)
  - SIMATIC PC-Station Plus
  - SINAMICS S120 (including SIPLUS variants)
- **Versions:**
  - S7-400/SIPLUS variants: All versions
  - SIMATIC PC-Station Plus: All versions
  - SINAMICS S120: All versions prior to V5.2 SP3 HF15
- **Configurations:** Systems with the integrated webserver enabled and accessible via the network.
## Vulnerability Description
The affected products contain two distinct flaws in their webserver implementations:
1. **Uncontrolled Recursion (CVE-2022-47374):** The webserver fails to correctly process specific HTTP(S) requests. An attacker can exploit this to exhaust system resources, leading to a Denial of Service (DoS) of the device.
2. **Buffer Overflow (CVE-2022-47375):** The webserver does not properly validate length when handling long file names. This can trigger a buffer overflow, resulting in a DoS condition.
## Exploitation
- **Status:** PoC available (indicated by CVSS "Exploit Code Maturity: Proof-of-Concept")
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (The primary impact is the loss of device availability/functionality)
## Remediation
### Patches
- **SINAMICS S120 (incl. SIPLUS):** Update to **V5.2 SP3 HF15** or later.
- **Other products:** No fix is currently planned for SIMATIC S7-400 V7 or PC-Station Plus.
### Workarounds
- **Disable Webserver:** Turn off the webserver functionality on the affected device if not required.
- **Access Control:** Restrict webserver access to trusted users and authorized workstations only.
- **Network Segmentation:** Ensure devices are operated within a protected IT/OT environment according to Siemens' operational guidelines.
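
The patch and workaround guidance above can be applied to an asset inventory as in the following added example, which is not part of the vendor advisory or any Siemens tooling. The inventory rows, status labels and the assumption that releases order by (major, minor, SP, HF) are constructed for illustration.

```python
import re

FIXED_S120 = "V5.2 SP3 HF15"  # fixed release named on this page
_VER = re.compile(r"^V(\d+)\.(\d+)(?:\s+SP(\d+))?(?:\s+HF(\d+))?$", re.I)

def parse_version(text):
    """'V5.2 SP3 HF15' -> (5, 2, 3, 15); a missing SP or HF counts as 0."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(product, version, webserver_enabled):
    """Map one asset to the action the advisory summary gives for it."""
    name = product.upper()
    if "S120" in name:
        try:
            # Assumption: releases order by (major, minor, SP, HF).
            if parse_version(version) >= parse_version(FIXED_S120):
                return "FIXED"
        except ValueError:
            return "REVIEW_VERSION"
        return "UPDATE_AND_RESTRICT" if webserver_enabled else "UPDATE"
    # Simplification: matches the product family, not each listed CPU model.
    if "S7-400" in name or "PC-STATION PLUS" in name:
        return "DISABLE_OR_RESTRICT" if webserver_enabled else "KEEP_DISABLED"
    return "NOT_LISTED"

# Constructed inventory: (asset tag, product, firmware, webserver enabled).
INVENTORY = [
    ("drv-01", "SINAMICS S120", "V5.2 SP3 HF9", True),
    ("drv-02", "SINAMICS S120", "V5.2 SP3 HF15", True),
    ("drv-03", "SIPLUS SINAMICS S120", "V5.1 SP1", False),
    ("plc-01", "SIMATIC S7-400 CPU 416-3 PN/DP", "V7.0", True),
    ("pcs-01", "SIMATIC PC-Station Plus", "n/a", False),
    ("hmi-01", "Example HMI panel", "V1.0", True),
]

def report(inventory=INVENTORY):
    return {tag: triage(prod, ver, web) for tag, prod, ver, web in inventory}

if __name__ == "__main__":
    for tag, action in report().items():
        print(f"{tag}: {action}")
```

A version string that does not match the `V<major>.<minor> [SP<n>] [HF<n>]` pattern is returned as `REVIEW_VERSION` rather than being treated as fixed.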
## Detection
- **Indicators of Compromise:** Unexpected device reboots, webserver unresponsiveness, or network service interruptions on the management ports.
- **Detection Methods:** Monitor network traffic for unusual HTTP(S) request patterns, specifically those containing abnormally long file names or deeply nested structures.
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/html/ssa-892915.html
- **SINAMICS S120 Download:** hxxps://support.industry.siemens[.]com/cs/ww/en/view/109780844/
- **Operational Guidelines:** hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security