PatchSiren

CVE-2023-38380 Siemens CVE debrief

A memory management flaw in the webserver implementation of Siemens SIMATIC and SIPLUS communication processors allows remote, unauthenticated attackers to trigger denial-of-service conditions. The vulnerability stems from improper memory release after use, enabling network-based attackers to exhaust webserver resources without requiring credentials or user interaction. Published on June 11, 2024, this HIGH severity issue (CVSS 7.5) affects six industrial communication module variants used in OT environments. Siemens has released firmware updates to address the flaw.

Vendor: Siemens
Product: SIMATIC CP 1542SP-1 (6GK7542-6UX00-0XE0)
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-06-11
Original CVE updated: 2024-06-11
Advisory published: 2024-06-11
Advisory updated: 2024-06-11

Who should care

Industrial control system operators, OT security teams, and manufacturing infrastructure managers deploying Siemens SIMATIC ET 200SP distributed I/O systems with affected communication processors. Organizations in critical manufacturing, energy, and process industries relying on these modules for PLC-to-network connectivity should prioritize patching.

Technical summary

The embedded webserver in affected Siemens SIMATIC CP and SIPLUS ET 200SP communication processors fails to properly deallocate memory after processing requests. This implementation flaw allows remote attackers to trigger cumulative memory exhaustion, resulting in webserver unavailability. The vulnerability is network-exploitable without authentication, presenting significant risk to OT environments where these modules provide Ethernet connectivity for distributed I/O systems. Attack vectors require only TCP/IP connectivity to the device's webserver port.

Defensive priority

high

Recommended defensive actions

  • Apply Siemens firmware update to V2.3 or later for affected SIMATIC CP 1542SP-1, CP 1542SP-1 IRC, CP 1543SP-1, and SIPLUS ET 200SP variants
  • Restrict network access to affected communication processors using firewall rules or network segmentation
  • Monitor webserver availability and memory utilization on affected devices for signs of resource exhaustion
  • Implement defense-in-depth strategies per CISA ICS recommended practices for industrial control systems
  • Verify firmware version through Siemens Industry Online Support portal before and after remediation

Evidence notes

Memory exhaustion vulnerability in embedded webserver; no authentication required; affects industrial control system communication modules. CISA ICS advisory ICSA-24-165-10 coordinates with Siemens SSA-625862.
