Full Report
SENTRON 3KC ATC6 Expansion Module Ethernet exposes an unused, unstable HTTP service on port 80/tcp of its Modbus-TCP Ethernet interface, which could allow an attacker on the same Modbus network to create a denial of service condition that forces the device to reboot. Siemens is preparing fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Unused HTTP Service Denial of Service in SENTRON 3KC ATC6
## CVE Details
- **CVE ID:** CVE-2024-22044
- **CVSS Score:** 7.5 (High, CVSS v3.1) / 8.7 (High, CVSS v4.0)
- **CWE:** CWE-912 (Hidden Functionality)
## Affected Systems
- **Products:** SENTRON 3KC ATC6 Expansion Module Ethernet (Model: 3KC9000-8TL75)
- **Versions:** All versions
- **Configurations:** Devices connected to a Modbus-TCP Ethernet network.
## Vulnerability Description
The affected expansion modules expose an undocumented and unstable HTTP service on port 80/tcp of the Modbus-TCP Ethernet interface. The service serves no documented function on the device. An attacker with network access to the Modbus-TCP interface can interact with this port to trigger instability, resulting in a Denial of Service (DoS) condition that forces the device to reboot.
## Exploitation
- **Status:** Not exploited (No reports of active exploitation in the wild; no PoC currently listed in advisory).
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Device reboot/persistent Denial of Service)
## Remediation
### Patches
- **No fix is currently available.** Siemens is preparing firmware updates to address this vulnerability.
### Workarounds
- **Port Blocking:** Block all incoming traffic to port 80/tcp of the affected modules using an external firewall in front of the Modbus-TCP network.
- **Network Isolation:** Ensure the Modbus-TCP network is isolated from untrusted networks and the internet.
- **Operational Guidelines:** Adhere to Siemens' operational guidelines for Industrial Security to ensure the device is operated within a protected IT environment.
## Detection
- **Indicators of Compromise:** Unexpected or frequent reboots of the SENTRON 3KC ATC6 module.
- **Detection Methods and Tools:**
  - Network scanning (e.g., Nmap) to confirm whether port 80/tcp is reachable on the device IP.
  - Monitoring network traffic for unauthorized HTTP requests directed at the expansion module.
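The following script is an added example and is not part of the Siemens advisory or any Siemens tool. It ties together the port-blocking workaround above and the traffic-monitoring detection method: it reads connection-log lines, flags every TCP connection to port 80 on an expansion module, counts them per source address, and reports whether the external firewall block is actually in force (any *allowed* connection to 80/tcp on a module means the workaround has not taken effect). The `key=value` log format, the module addresses (`192.0.2.10`, `192.0.2.11`) and the sample lines are all constructed for the example; adapt `parse_line` to your firewall's real export format.

```python
"""Flag HTTP (80/tcp) connections to SENTRON 3KC ATC6 modules in firewall logs.

Added example, not code from the Siemens advisory. The log format and all
addresses below are constructed assumptions for illustration.
"""
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Assumed addresses of the expansion modules on the Modbus-TCP segment.
MODULE_IPS = {"192.0.2.10", "192.0.2.11"}
# The unused service named in the advisory listens on 80/tcp.
HTTP_PORT = 80

# Constructed sample connection-log lines (not real captures).
SAMPLE_LOG = """\
2024-03-12T08:00:01Z action=allow proto=tcp src=192.0.2.50 spt=50312 dst=192.0.2.10 dpt=502
2024-03-12T08:00:05Z action=allow proto=tcp src=192.0.2.77 spt=41000 dst=192.0.2.10 dpt=80
2024-03-12T08:00:06Z action=drop proto=tcp src=192.0.2.77 spt=41001 dst=192.0.2.11 dpt=80
2024-03-12T08:00:09Z action=allow proto=tcp src=192.0.2.77 spt=41002 dst=192.0.2.10 dpt=80
2024-03-12T08:00:15Z action=allow proto=udp src=192.0.2.50 spt=5353 dst=192.0.2.10 dpt=5353
malformed line
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one 'timestamp key=value ...' record; return None if malformed."""
    parts = line.split()
    if len(parts) < 2:
        return None
    rec: Dict[str, str] = {"ts": parts[0]}
    for tok in parts[1:]:
        if "=" not in tok:
            return None
        key, value = tok.split("=", 1)
        rec[key] = value
    for required in ("action", "proto", "src", "dst", "dpt"):
        if required not in rec:
            return None
    return rec


def find_http_to_modules(lines: Iterable[str]) -> Dict[str, object]:
    """Collect TCP connections to 80/tcp on any module, split by firewall verdict.

    'allowed' records are the ones that matter for the advisory: they show
    traffic that reached the unstable service. 'dropped' records show the
    external firewall doing its job. by_source counts attempts per client.
    """
    allowed: List[Dict[str, str]] = []
    dropped: List[Dict[str, str]] = []
    by_source: Counter = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than abort the sweep
        if rec["proto"] != "tcp":
            continue
        if rec["dst"] not in MODULE_IPS or rec["dpt"] != str(HTTP_PORT):
            continue
        by_source[rec["src"]] += 1
        (allowed if rec["action"] == "allow" else dropped).append(rec)
    return {"allowed": allowed, "dropped": dropped, "by_source": by_source}


def workaround_effective(findings: Dict[str, object]) -> bool:
    """True only if no connection to 80/tcp on a module was ever allowed."""
    return not findings["allowed"]


if __name__ == "__main__":
    result = find_http_to_modules(SAMPLE_LOG.splitlines())
    for rec in result["allowed"]:
        print(f"ALERT {rec['ts']}: HTTP to module {rec['dst']} from {rec['src']} was allowed")
    for src, n in result["by_source"].most_common():
        print(f"source {src}: {n} attempt(s) against 80/tcp on a module")
    print("port-80 block in force:", workaround_effective(result))
```

Run it against your own log export; a non-empty `allowed` list is the actionable finding, and pairing the alert timestamps with the module's unexpected reboots corroborates that the unstable service was reached.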
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-918992[.]html
- **Siemens Industrial Security:** hxxps://www[.]siemens[.]com/industrialsecurity
- **Operational Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security