CVE-2023-30756

Name of the Vulnerable Software and Affected Versions SIMATIC CP 1242-7 V2 (incl. SIPLUS variants) versions prior to V3.5.20 SIMATIC CP 1243-1 (incl. SIPLUS variants) versions prior to V3.5.20 SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants) versions prior to V3.5.20 SIMATIC CP 1243-1 IEC (incl. SIPLUS variants) versions prior to V3.5.20 SIMATIC CP 1243-7 LTE versions prior to V3.5.20 SIMATIC CP 1243-8 IRC (6GK7243-8RX30-0XE0) versions prior to V3.5.20 SIMATIC HMI Comfort Panels (incl. SIPLUS variants) (affected versions not specified) SIMATIC IPC DiagBase (affected versions not specified) SIMATIC IPC DiagMonitor (affected versions not specified) SIMATIC WinCC Runtime Advanced (affected versions not specified) SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0) versions prior to V2.4.8 TIM 1531 IRC (6GK7543-1MX00-0XE0) versions prior to V2.4.8

Description A vulnerability has been identified in the web server of the affected devices, which do not properly handle certain errors when using the Expect HTTP request header, resulting in a NULL dereference. This could allow a remote attacker with no privileges to cause a denial of service condition in the system by manipulating the Expect field of the HTTP request header.

Recommendations For SIMATIC CP 1242-7 V2 (incl. SIPLUS variants) versions prior to V3.5.20, update to version V3.5.20 or later. For SIMATIC CP 1243-1 (incl. SIPLUS variants) versions prior to V3.5.20, update to version V3.5.20 or later. For SIMATIC CP 1243-1 DNP3 (incl. SIPLUS variants) versions prior to V3.5.20, update to version V3.5.20 or later. For SIMATIC CP 1243-1 IEC (incl. SIPLUS variants) versions prior to V3.5.20, update to version V3.5.20 or later. For SIMATIC CP 1243-7 LTE versions prior to V3.5.20, update to version V3.5.20 or later. For SIMATIC CP 1243-8 IRC (6GK7243-8RX30-0XE0) versions prior to V3.5.20, update to version V3.5.20 or later. For SIPLUS TIM 1531 IRC (6AG1543-1MX00-7XE0) versions prior to V2.4.8, update to version V2.4.8 or later. For TIM 1531 IRC (6GK7543-1MX00-0XE0) versions prior to V2.4.8, update to version V2.4.8 or later. At the moment, there is no information about a newer version that contains a fix for SIMATIC HMI Comfort Panels, SIMATIC IPC DiagBase, SIMATIC IPC DiagMonitor, and SIMATIC WinCC Runtime Advanced.