Siemens has a new version to handle an uncontrolled resource consumption vulnerability in its SIMOCODE pro V EIP, according to a report with NCCIC.
Successful exploitation of this remotely exploitable vulnerability, which Siemens self-reported, could cause a denial-of-service condition.
A motor management system for low-voltage motors, SIMOCODE pro V EIP all versions prior to v1.0.2 suffer from the issue.
In the vulnerability, specially crafted packets sent to Port 161/UDP could cause a denial-of-service condition. The affected devices must be restarted manually.
CVE-2017-12741 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
The product sees use in the chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems sectors. It also sees action on a global basis.
Siemens recommends users upgrade to Version 1.0.2. Users who cannot upgrade because of hardware restrictions can apply the manual mitigations. Click here for updates.
Siemens also recommends users apply the following manual mitigations:
As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security and following the recommendations in the product manuals.
Click here for additional information on industrial security for Siemens devices.
For more information on this vulnerability and more detailed mitigation instructions, see Siemens Security Advisory SSA-141614.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.