PatchSiren cyber security CVE debrief
CVE-2023-27321 Siemens CVE debrief
A high-severity denial-of-service vulnerability in OPC Foundation UA .NET Standard's ConditionRefresh request handling allows unauthenticated remote attackers to exhaust server resources. The flaw, originally reported as ZDI-CAN-20505, affects Siemens TIM 1531 IRC industrial communication modules. Attackers can trigger resource exhaustion by sending a high volume of ConditionRefresh requests without authentication, causing complete service unavailability. Siemens has released firmware version 2.4.8 to address this vulnerability.
- Vendor: Siemens
- Product: SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0)
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-06-11
- Original CVE updated: 2024-07-09
- Advisory published: 2024-06-11
- Advisory updated: 2024-07-09
Who should care
Organizations operating Siemens TIM 1531 IRC industrial communication modules in manufacturing, energy, water/wastewater, or other OT environments. Security teams responsible for OPC UA infrastructure and industrial control system availability. Asset owners requiring continuous operation of alarm and condition monitoring systems.
Technical summary
The vulnerability resides in OPC Foundation UA .NET Standard's implementation of the ConditionRefresh service, which allows clients to request updated status of active alarms and conditions. The implementation fails to properly limit resource consumption when processing these requests. An unauthenticated remote attacker can send a large number of ConditionRefresh requests to exhaust server memory, CPU, or connection resources, resulting in complete denial of service. The attack requires no authentication and has low complexity, making it suitable for automated exploitation. Affected Siemens products include SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0) and TIM 1531 IRC (6GK7543-1MX00-0XE0) when running vulnerable OPC UA .NET Standard versions.
Defensive priority
high
Recommended defensive actions
- Apply vendor fix: Update affected Siemens TIM 1531 IRC devices to firmware version 2.4.8 or later
- Implement network segmentation to restrict OPC UA server access to authorized clients only
- Deploy rate limiting on OPC UA ConditionRefresh requests at network or application layer
- Monitor for anomalous volumes of ConditionRefresh requests as potential exploitation indicators
- Review and apply CISA ICS recommended practices for defense-in-depth strategies
- Validate that OPC UA servers implement proper resource quotas and connection limits
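One way to implement the monitoring action above, as an added example that is not code from this page, Siemens or the OPC Foundation: a per-source sliding-window counter over ConditionRefresh request records. The log format, field names, addresses, threshold and window are all assumptions; adapt the parser to what your OPC UA server or network sensor actually emits.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def sample_log():
    """Constructed records in a hypothetical 'timestamp src=<ip> method=<name>' format."""
    base = datetime(2024, 6, 11, 12, 0, 0)
    lines = []
    for i in range(4):    # ordinary client: one refresh every 30 s
        ts = base + timedelta(seconds=30 * i)
        lines.append(f"{ts.isoformat()} src=192.0.2.10 method=ConditionRefresh")
    for i in range(40):   # anomalous source: 40 refreshes in under 4 s
        ts = base + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} src=192.0.2.99 method=ConditionRefresh")
    lines.append(f"{base.isoformat()} src=192.0.2.99 method=Read")  # unrelated call
    lines.append("truncated line without fields")                   # malformed input
    return lines

def parse(line):
    """Return (timestamp, source, method), or None for a malformed line."""
    try:
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        return datetime.fromisoformat(ts), kv["src"], kv["method"]
    except (ValueError, KeyError):
        return None

def detect_bursts(lines, threshold=20, window=timedelta(seconds=10)):
    """Map each source that exceeds `threshold` ConditionRefresh requests
    inside any `window` to the peak count observed for it."""
    events = sorted(e for e in map(parse, lines) if e is not None)
    recent = defaultdict(deque)   # source -> timestamps still inside the window
    peaks = {}
    for ts, src, method in events:
        if method != "ConditionRefresh":
            continue
        q = recent[src]
        q.append(ts)
        while ts - q[0] > window:  # drop requests older than the window
            q.popleft()
        if len(q) > threshold:
            peaks[src] = max(peaks.get(src, 0), len(q))
    return peaks

if __name__ == "__main__":
    for src, peak in detect_bursts(sample_log()).items():
        print(f"ALERT {src}: {peak} ConditionRefresh requests within 10 s")
```

Because the requests need no authentication, the source address is the only grouping key available; set the threshold from the refresh rate your legitimate alarm clients actually produce.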
Evidence notes
CISA published advisory ICSA-24-165-06 on June 11, 2024, identifying this vulnerability in Siemens TIM 1531 IRC products. The underlying flaw exists in OPC Foundation UA .NET Standard's handling of ConditionRefresh requests. Siemens confirmed affected products and remediation in security advisory SSA-337522. CVSS 3.1 score of 7.5 reflects network attack vector, low complexity, no privileges required, and high availability impact.
Official resources
- CVE-2023-27321 CVE record (CVE.org)
- CVE-2023-27321 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-06-11