Vulnerability in SIMATIC Communication Processors and HMI Panels
CVE-2023-30756

5.9 MEDIUM

Summary

A security vulnerability has been identified in specific versions of Siemens SIMATIC CP communication processors and HMI Comfort Panels. The web server on these devices fails to handle certain errors when the Expect HTTP request header is used, which leads to a NULL dereference. A remote attacker with no privileges could exploit this flaw to cause a denial of service condition. Users of affected products are advised to assess their systems and apply the necessary updates to mitigate the risk.

Affected Version(s)

SIMATIC CP 1242-7 V2 (incl. SIPLUS variants) 0

SIMATIC CP 1243-1 (incl. SIPLUS variants) 0

SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants) 0

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
