PatchSiren

CVE-2023-26554 Siemens CVE debrief

CVE-2023-26554 is an out-of-bounds write vulnerability in the mstolfp function within libntp/mstolfp.c in NTP 4.2.8p15. The flaw occurs when adding a null terminator character, potentially allowing an adversary to attack a client ntpq process. The vulnerability does not affect ntpd. Siemens SITOP UPS1600 devices incorporate affected NTP components and are exposed to this issue. CISA published advisory ICSA-24-165-05 on June 11, 2024, identifying this vulnerability in Siemens industrial control products. The vulnerability carries a MEDIUM severity CVSS 3.1 score of 5.6, reflecting network attack vector with high attack complexity, no required privileges or user interaction, and low impacts across confidentiality, integrity, and availability.

Vendor: Siemens
Product: SITOP UPS1600 10 A Ethernet/ PROFINET (6EP4134-3AB00-2AY0)
CVSS: MEDIUM 5.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-06-11
Original CVE updated: 2024-06-11
Advisory published: 2024-06-11
Advisory updated: 2024-06-11

Who should care

Organizations operating Siemens SITOP UPS1600 uninterruptible power supply systems in industrial environments, particularly those with exposed NTP client services. OT security teams, ICS asset owners, and infrastructure operators relying on time synchronization for critical control systems should prioritize firmware updates.

Technical summary

The mstolfp function in NTP 4.2.8p15's libntp/mstolfp.c contains an out-of-bounds write when adding a null terminator. This vulnerability is exploitable against client ntpq processes but not against ntpd. Siemens SITOP UPS1600 10A, 20A, 40A, and EX 20A Ethernet/PROFINET models are affected. The vulnerability requires network access and high attack complexity, with no privileges or user interaction needed. Successful exploitation may result in low impact to confidentiality, integrity, and availability of the affected client process.

Defensive priority

medium

Recommended defensive actions

  • Update affected Siemens SITOP UPS1600 devices to firmware version V2.5.4 or later
  • Verify NTP client configurations and restrict ntpq access to authorized administrative hosts
  • Monitor for anomalous NTP client process behavior or unexpected terminations
  • Apply network segmentation to limit exposure of industrial control system NTP services
  • Review CISA ICS recommended practices for defense-in-depth strategies

Evidence notes

The vulnerability description is sourced from CISA CSAF advisory ICSA-24-165-05, which references Siemens security advisory SSA-238730. The affected products are SITOP UPS1600 Ethernet/PROFINET devices with specific model numbers. The CVSS vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L confirms network accessibility with high attack complexity. The vendor fix requires updating to firmware version V2.5.4 or later.

Official resources

2024-06-11