CVE-2020-27632
Description
In SIMATIC MV400 family versions prior to v7.0.6, the ISN generator is initialized with a constant value and has constant increments. An attacker could predict and hijack TCP sessions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The SIMATIC MV400 family's TCP ISN generator uses a constant seed and predictable increments, allowing attackers to hijack TCP sessions remotely.
Vulnerability
According to the CVE description [1], the TCP Initial Sequence Number (ISN) generator in the SIMATIC MV400 family prior to v7.0.6 is initialized with a constant value and increments by a constant amount for each new connection. This flaw resides in the TCP/IP stack implementation used by these devices. Any device running a version before v7.0.6 is affected [1].
Exploitation
An attacker can exploit this vulnerability remotely, without any prior authentication or user interaction, by monitoring the target device's TCP traffic to learn the ISN pattern. Since the ISN is never randomized, an attacker can predict the sequence numbers of future TCP connections and inject spoofed packets into an ongoing session [1]. The attack requires only low network access and the ability to observe one or more initial TCP handshakes [1].
Impact
Successful exploitation allows an attacker to hijack existing TCP sessions, spoof TCP connections, or inject malicious data into the data stream [1]. This can lead to denial-of-service conditions, bypassing of authentication mechanisms, and exfiltration or modification of data transmitted over the affected TCP connections [1]. The attacker gains the ability to impersonate a legitimate endpoint of a TCP session.
Mitigation
Siemens has released firmware version v7.0.6 for the SIMATIC MV400 family which fixes the TCP ISN generation by using a proper random seed [1]. Users should update to v7.0.6 or later. No workarounds are documented; blocking untrusted network access to affected devices is a compensating control [1]. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
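The flawed ISN pattern described under Vulnerability, next to an RFC 6528 style generator and a check a defender can run on ISNs sampled from a device to confirm a firmware update took effect. This is an added example, not Siemens code or part of the original entry. The seed and step values, the sample addresses, the function and class names, and the use of HMAC-SHA256 as the RFC 6528 function F are all assumptions.

```python
import hashlib
import hmac
import os
import socket
import struct
import time

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap


def weak_isns(seed, step, count):
    """The flawed pattern from the description: constant seed, constant increment."""
    return [(seed + i * step) % MOD for i in range(count)]


class Rfc6528Isn:
    """ISN = M + F(local ip, local port, remote ip, remote port, secret), RFC 6528.

    M is a 4-microsecond timer. HMAC-SHA256 truncated to 32 bits stands in for
    the PRF F (an assumption of this example, not the vendor's choice).
    """

    def __init__(self, secret=None, clock=time.monotonic):
        self.secret = secret if secret is not None else os.urandom(32)
        self.clock = clock

    def next_isn(self, laddr, lport, raddr, rport):
        m = int(self.clock() * 250_000)  # one tick every 4 microseconds
        tup = (socket.inet_aton(laddr) + struct.pack("!H", lport)
               + socket.inet_aton(raddr) + struct.pack("!H", rport))
        f = hmac.new(self.secret, tup, hashlib.sha256).digest()[:4]
        return (m + int.from_bytes(f, "big")) % MOD


def has_constant_increment(isns):
    """True if every consecutive ISN delta (mod 2**32) is identical.

    Input: ISNs read from the SYN-ACKs of successive connections to one device,
    each from a different client port. False only rules out this one pattern.
    """
    if len(isns) < 4:
        raise ValueError("need at least 4 samples to compare deltas")
    deltas = {(b - a) % MOD for a, b in zip(isns, isns[1:])}
    return len(deltas) == 1


if __name__ == "__main__":
    # Constructed samples: seed and step are illustrative, not firmware values.
    print(has_constant_increment(weak_isns(0xFFFF0000, 64000, 6)))  # wraps past 2**32
    gen = Rfc6528Isn()
    print(has_constant_increment(
        [gen.next_isn("192.0.2.10", 80, "192.0.2.20", 40000 + i) for i in range(6)]))
```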
Affected products
- SIMATIC/SIMATIC MV400 family
  - Range: <7.0.6
Patches
No patches discovered yet.
References