Siemens SIMATIC NET CP, SINEMA & SCALANCE Integer Overflow (CVE-2021-41991)

Severity: High | Tenable OT Security Plugin ID 500650

Synopsis

The remote OT asset is affected by a vulnerability.

Description

The in-memory certificate cache in strongSwan before 5.9.4 has a remote integer overflow upon receiving many requests with different certificates to fill the cache and later trigger the replacement of cache entries. The code attempts to select a less-often-used cache entry by means of a random number generator, but this is not done correctly. Remote code execution might be a slight possibility.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

- RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2), RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2), SCALANCE M804PB (6GK5804-0AP00-2AA2), SCALANCE M812-1 ADSL-Router (Annex A) (6GK5812-1AA00-2AA2), SCALANCE M812-1 ADSL-Router (Annex B) (6GK5812-1BA00-2AA2), SCALANCE M816-1 ADSL-Router (Annex A) (6GK5816-1AA00-2AA2), SCALANCE M816-1 ADSL-Router (Annex B) (6GK5816-1BA00-2AA2), SCALANCE M826-2 SHDSL-Router (6GK5826-2AB00-2AB2), SCALANCE M874-2 (6GK5874-2AA00-2AA2), SCALANCE M874-3 (6GK5874-3AA00-2AA2), SCALANCE M876-3 (EVDO) (6GK5876-3AA02-2BA2), SCALANCE M876-3 (ROK) (6GK5876-3AA02-2EA2), SCALANCE M876-4 (EU) (6GK5876-4AA00-2BA2), SCALANCE M876-4 (NAM) (6GK5876-4AA00-2DA2), SCALANCE MUM853-1 (EU) (6GK5853-2EA00-2DA1), SCALANCE MUM856-1 (EU) (6GK5856-2EA00-3DA1), SCALANCE MUM856-1 (RoW) (6GK5856-2EA00-3AA1), SCALANCE S615 (6GK5615-0AA00-2AA2): Update to V7.1 or later version
- (CVE-2021-41991) SIMATIC CP 1242-7 V2 (6GK7242-7KX31-0XE0), SIMATIC CP 1243-1 (6GK7243-1BX30-0XE0), SIMATIC CP 1243-7 LTE EU (6GK7243-7KX30-0XE0), SIMATIC CP 1243-7 LTE US (6GK7243-7SX30-0XE0), SIMATIC CP 1243-8 IRC (6GK7243-8RX30-0XE0), SIMATIC CP 1542SP-1 (6GK7542-6UX00-0XE0), SIMATIC CP 1543-1 (6GK7543-1AX00-0XE0), SIMATIC CP 1545-1 (6GK7545-1GX00-0XE0), SIPLUS NET CP 1242-7 V2 (6AG1242-7KX31-7XE0), SIPLUS NET CP 1543-1 (6AG1543-1AX00-2XE0), SIPLUS S7-1200 CP 1243-1 (6AG1243-1BX30-2AX0), SIPLUS S7-1200 CP 1243-1 RAIL (6AG2243-1BX30-1XE0): Only deploy certificates via TIA portal that got created with TIA portal
- (CVE-2021-41991) SIMATIC CP 1542SP-1 (6GK7542-6UX00-0XE0), SIMATIC CP 1542SP-1 IRC (6GK7542-6VX00-0XE0), SIMATIC CP 1543SP-1 (6GK7543-6WX00-0XE0), SIPLUS ET 200SP CP 1542SP-1 IRC TX RAIL (6AG2542-6VX00-4XE0), SIPLUS ET 200SP CP 1543SP-1 ISEC (6AG1543-6WX00-7XE0), SIPLUS ET 200SP CP 1543SP-1 ISEC TX RAIL (6AG2543-6WX00-4XE0): Update to V2.2.28 or later version
- (CVE-2021-41991) SIMATIC CP 1242-7 V2 (6GK7242-7KX31-0XE0), SIMATIC CP 1243-1 (6GK7243-1BX30-0XE0), SIMATIC CP 1243-7 LTE EU (6GK7243-7KX30-0XE0), SIMATIC CP 1243-7 LTE US (6GK7243-7SX30-0XE0), SIMATIC CP 1243-8 IRC (6GK7243-8RX30-0XE0), SIPLUS NET CP 1242-7 V2 (6AG1242-7KX31-7XE0), SIPLUS S7-1200 CP 1243-1 (6AG1243-1BX30-2AX0), SIPLUS S7-1200 CP 1243-1 RAIL (6AG2243-1BX30-1XE0): Update to V3.3.46 or later version
- (CVE-2021-41991) SIMATIC CP 1545-1 (6GK7545-1GX00-0XE0): Update to V1.1 or later version
- (CVE-2021-41991) SINEMA Remote Connect Server: Update to V3.1 or later version
- (CVE-2021-41991) SCALANCE SC622-2C (6GK5622-2GS00-2AC2), SCALANCE SC632-2C (6GK5632-2GS00-2AC2), SCALANCE SC636-2C (6GK5636-2GS00-2AC2), SCALANCE SC642-2C (6GK5642-2GS00-2AC2), SCALANCE SC646-2C (6GK5646-2GS00-2AC2): Update to V2.3 or later version
- (CVE-2021-41991) SIMATIC CP 1543-1 (6GK7543-1AX00-0XE0), SIPLUS NET CP 1543-1 (6AG1543-1AX00-2XE0): Update to V3.0.22 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information see the associated Siemens security advisory SSA-539476 in HTML and CSAF.

See Also

http://www.nessus.org/u?845a2df0

https://github.com/strongswan/strongswan/releases/tag/5.9.4

https://www.debian.org/security/2021/dsa-4989

https://lists.debian.org/debian-lts-announce/2021/10/msg00014.html

http://www.nessus.org/u?cd6b6abd

http://www.nessus.org/u?ea295ec8

http://www.nessus.org/u?d5453363

https://cert-portal.siemens.com/productcert/pdf/ssa-539476.pdf

https://support.industry.siemens.com/cs/ww/en/view/109811169/

https://support.industry.siemens.com/cs/ww/en/view/109812218/

https://support.industry.siemens.com/cs/ww/en/view/109805907/

https://support.industry.siemens.com/cs/ww/en/view/109817067/

https://support.industry.siemens.com/cs/ww/en/view/109811116/

https://support.industry.siemens.com/cs/ww/en/view/109807276/

https://support.industry.siemens.com/cs/ww/en/view/109808678/

https://www.cisa.gov/news-events/ics-advisories/icsa-25-259-03

Plugin Details

Severity: High

ID: 500650

File Name: tenable_ot_siemens_CVE-2021-41991.nasl

Version: 1.7

Type: remote

Family: Tenable.ot

Published: 4/28/2022

Updated: 2/14/2026

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2021-41991

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:siemens:scalance_sc646-2c_firmware:2.3, cpe:/o:siemens:siplus_et_200sp_cp_1542sp-1_irc_tx_rail_firmware:2.2.28, cpe:/o:siemens:scalance_m812-1_adsl-router_%28annex_b%29_firmware:7.1, cpe:/o:siemens:scalance_sc642-2c_firmware:2.3, cpe:/o:siemens:scalance_mum856-1_%28eu%29_firmware:7.1, cpe:/o:siemens:siplus_net_cp_1242-7_v2_firmware:3.3.46, cpe:/o:siemens:scalance_mum856-1_%28row%29_firmware:7.1, cpe:/o:siemens:simatic_cp_1542sp-1_irc_firmware:2.2.28, cpe:/o:siemens:simatic_cp_1542sp-1_firmware:2.2.28, cpe:/o:siemens:scalance_m876-4_%28nam%29_firmware:7.1, cpe:/o:siemens:scalance_m816-1_adsl-router_%28annex_a%29_firmware:7.1, cpe:/o:siemens:scalance_mum853-1_%28eu%29_firmware:7.1, cpe:/o:siemens:scalance_sc632-2c_firmware:2.3, cpe:/o:siemens:siplus_s7-1200_cp_1243-1_firmware:3.3.46, cpe:/o:siemens:siplus_et_200sp_cp_1543sp-1_isec_firmware:2.2.28, cpe:/o:siemens:simatic_cp_1243-7_lte_us_firmware:3.3.46, cpe:/o:siemens:simatic_cp_1243-8_irc_firmware:3.3.46, cpe:/o:siemens:scalance_m804pb_firmware:7.1, cpe:/o:siemens:siplus_s7-1200_cp_1243-1_rail_firmware:3.3.46, cpe:/o:siemens:scalance_m874-3_firmware:7.1, cpe:/o:siemens:simatic_cp_1243-1_firmware:3.3.46, cpe:/o:siemens:scalance_m816-1_adsl-router_%28annex_b%29_firmware:7.1, cpe:/o:siemens:siplus_et_200sp_cp_1543sp-1_isec_tx_rail_firmware:2.2.28, cpe:/o:siemens:scalance_s615_firmware:7.1, cpe:/o:siemens:ruggedcom_rm1224_lte%284g%29_nam_firmware:7.1, cpe:/o:siemens:ruggedcom_rm1224_lte%284g%29_eu_firmware:7.1, cpe:/o:siemens:simatic_cp_1543-1_firmware:2.2.28, cpe:/o:siemens:simatic_cp_1243-7_lte_eu_firmware:3.3.46, cpe:/o:siemens:simatic_cp_1242-7_v2_firmware:3.3.46, cpe:/o:siemens:scalance_m826-2_shdsl-router_firmware:7.1, cpe:/o:siemens:scalance_m876-3_%28evdo%29_firmware:7.1, cpe:/o:siemens:scalance_m812-1_adsl-router_%28annex_a%29_firmware:7.1, cpe:/o:siemens:scalance_sc622-2c_firmware:2.3, cpe:/o:siemens:scalance_sc636-2c_firmware:2.3, cpe:/o:siemens:scalance_m876-4_%28eu%29_firmware:7.1, cpe:/o:siemens:simatic_cp_1545-1_firmware:1.1, cpe:/o:siemens:siplus_net_cp_1543-1_firmware:3.0.22, cpe:/o:siemens:scalance_m874-2_firmware:7.1, cpe:/o:siemens:scalance_m876-3_%28rok%29_firmware:7.1, cpe:/o:siemens:simatic_cp_1543sp-1_firmware:2.2.28

Required KB Items: Tenable.ot/Siemens

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/18/2021

Vulnerability Publication Date: 10/18/2021

Reference Information

CVE: CVE-2021-41991

CWE: 190

DSA: 4989

FEDORA: 2021-0b37146973, 2021-95fab6a482, 2021-b3df83339e

ICSA: 25-259-03