CVE-2023-28450 Siemens CVE debrief

Who should care

Organizations operating Siemens SCALANCE M-800, RUGGEDCOM RM1224, or S615 series industrial routers in manufacturing, energy, transportation, and critical infrastructure sectors. Network administrators responsible for DNS infrastructure in OT/ICS environments. Security teams managing industrial control system asset inventory and patch management programs.

Technical summary

The vulnerability stems from Dnsmasq's default EDNS.0 UDP packet size of 4096 bytes, which exceeds the 1232-byte recommendation established by DNS Flag Day 2020. When Dnsmasq sends queries with large UDP payloads to DNS servers that enforce stricter limits or have path MTU issues, responses may be dropped or fragmented, causing DNS resolution failures. This affects availability of name resolution services on embedded devices using affected Dnsmasq versions. The Siemens SCALANCE M-800 family incorporates this vulnerable component, impacting industrial network infrastructure. Resolution requires firmware update to version 8.2 or later which incorporates Dnsmasq 2.90 or newer with corrected defaults.

Defensive priority

HIGH

Recommended defensive actions

• Update affected Siemens SCALANCE M-800 family devices to firmware version 8.2 or later
• Review DNS infrastructure for compatibility with EDNS.0 packet size limitations
• Monitor DNS resolution performance and availability on affected industrial networks
• Apply network segmentation for industrial control systems per CISA recommended practices
• Verify DNS server configurations support fallback to TCP for large responses

Evidence notes

CVE published 2024-11-12; modified 2025-05-06. CISA CSAF advisory ICSA-24-319-06 published same date. Siemens SSA-354112 referenced as primary vendor advisory. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C. Affects 26 Siemens industrial router products. Vendor fix available: update to V8.2 or later.

Official resources