Siemens has issued an advisory regarding vulnerabilities in its SIMATIC and SIMIT products, dated July 11, 2024. The advisory covers CVE-2023-52891, an improperly controlled sequential memory allocation issue in Siemens’ products that could lead to high load conditions and memory exhaustion, and potentially block the server. The affected products include SIMATIC Energy Manager Basic, SIMATIC Energy Manager PRO, SIMATIC IPC DiagBase, SIMATIC IPC DiagMonitor, SIMIT V10, and certain versions of SIMIT V11. The issue has a CVSS v3 base score of 5.3, is recognized as having low attack complexity, and can be exploited remotely.
The affected Siemens products, particularly those using the Unified Automation .NET based OPC UA Server SDK prior to version 3.2.2, are vulnerable to issues similar to those documented in CVE-2023-27321. If exploited, the vulnerability could result in significant operational disruptions, such as memory exhaustion and server blockage. Siemens has advised users to update their software versions to mitigate risks, with updates available for SIMIT V11 and SIMATIC Energy Manager products. For SIMATIC IPC DiagBase and DiagMonitor, no fixes are currently available, and no updates are planned for SIMIT V10 at this time.
In response, Siemens recommends several mitigating actions to reduce the risk. Users should update to the latest versions of affected products where possible, disable the OPC UA server if not in use, and restrict access to trusted clients. For enhanced security, Siemens also advises protecting network access through appropriate measures, configuring devices according to operational security guidelines, and following recommendations in product manuals. Although Siemens has not yet provided fixes for all affected versions, these actions can help mitigate potential exploitation.
CISA supports these recommendations and emphasizes minimizing network exposure for control systems and employing secure remote access methods like VPNs. Organizations should perform impact analyses and risk assessments before implementing defensive measures. Additionally, CISA highlights the importance of not engaging with unsolicited email links or attachments to avoid social engineering attacks. Users are encouraged to consult CISA’s resources and maintain vigilance against potential threats. There have been no reported cases of public exploitation targeting this specific vulnerability.