Siemens SIMATIC S7-300 Denial-of-Service Vulnerability
Monitor 7.5 · ICS-CERT ICSA-16-161-01 · Mar 13, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SIMATIC S7-300 CPUs are vulnerable to a denial-of-service (DoS) attack. An attacker can send specially crafted packets to the device, causing it to become unresponsive. The vulnerability affects both Profinet-enabled (firmware ≤3.2.12) and non-Profinet variants (firmware ≤3.3.12). No patch is available from Siemens; the product line is legacy hardware that will not receive updates. The only mitigation is network segmentation and access controls to prevent untrusted hosts from reaching the PLC.
What this means
What could happen
An attacker with network access to a SIMATIC S7-300 PLC can send specially crafted packets to freeze the device, stopping it from responding to commands and halting any process it controls (pump, valve, motor operations).
Who's at risk
Water and electric utilities, wastewater treatment plants, and industrial facilities using SIMATIC S7-300 CPUs for critical process control (pump stations, valve control, motor operation). Both Profinet-enabled and non-Profinet variants are affected.
How it could be exploited
An attacker on the network sends malformed Profinet or S7 protocol packets to the target S7-300 CPU on port 102 (S7 communication) or port 34962 (Profinet). The device fails to validate the packet structure and crashes or becomes unresponsive, denying service to legitimate operators.
Prerequisites
- Network access to the S7-300 CPU (port 102 for S7 protocol or port 34962 for Profinet)
- No authentication required
- SIMATIC S7-300 CPU must be reachable from attacker's network segment
Tags: remotely exploitable · no authentication required · low complexity · no patch available · affects control of physical operations
Exploitability
Moderate exploit probability (EPSS 4.9%)
Affected products (2)
2 EOL
Product | Affected Versions | Fix Status
SIMATIC S7-300 CPUs without Profinet support | ≤ 3.3.12 | No fix (EOL)
SIMATIC S7-300 CPUs with Profinet support | ≤ 3.2.12 | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Implement network segmentation. Isolate S7-300 CPUs from external networks and corporate IT networks using firewalls or air-gapping, and restrict access to port 102 and port 34962 to only authorized engineering workstations.
- WORKAROUND: Deploy a network intrusion detection system (IDS) or firewall rule to drop malformed Profinet and S7 protocol packets destined for S7-300 devices.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC S7-300 CPUs without Profinet support (≤ 3.3.12) and SIMATIC S7-300 CPUs with Profinet support (≤ 3.2.12). Apply the following compensating controls:
- HARDENING: Establish OT network access controls. Require all field device access to go through a jump host or engineering workstation with audit logging, and allow no direct remote access to PLCs from the internet or untrusted networks.
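The access-control mitigations above can be verified from flow or firewall logs: any host other than an authorized engineering workstation reaching a PLC on TCP/102 (S7 communication) or UDP/34962 (Profinet) is a policy violation worth alerting on. The following is an added example, not code from the advisory or from Siemens; the PLC subnet, engineering workstation addresses and the flow-record format are constructed assumptions.

```python
"""Audit flow records for unauthorised reach to S7-300 CPUs.

Added example (not from the advisory): checks constructed flow log lines
against the advisory's mitigation that only authorised engineering
workstations may reach a PLC on TCP/102 (S7) or UDP/34962 (Profinet).
Hosts, subnets and the log format are assumptions for this example.
"""
import ipaddress

# Assumed OT layout for the example (constructed values).
PLC_NETWORK = ipaddress.ip_network("10.20.30.0/24")        # S7-300 CPUs
ENGINEERING_HOSTS = {ipaddress.ip_address("10.20.10.5"),   # authorised EWS
                     ipaddress.ip_address("10.20.10.6")}
MONITORED_PORTS = {("tcp", 102), ("udp", 34962)}            # from the advisory

# Constructed flow records: "<ts> <src_ip> <dst_ip> <proto> <dst_port>"
SAMPLE_FLOWS = """\
1710000001 10.20.10.5 10.20.30.11 tcp 102
1710000002 10.20.10.6 10.20.30.11 udp 34962
1710000003 192.168.1.77 10.20.30.11 tcp 102
1710000004 10.20.10.5 10.20.30.12 tcp 443
1710000005 172.16.4.9 10.20.30.12 udp 34962
1710000006 10.20.10.9 10.20.30.12 tcp 102
"""

def parse_flow(line):
    ts, src, dst, proto, dport = line.split()
    return {"ts": int(ts), "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst), "proto": proto.lower(),
            "dport": int(dport)}

def is_violation(flow):
    """True when a non-engineering host reaches a PLC on a monitored port."""
    if flow["dst"] not in PLC_NETWORK:
        return False
    if (flow["proto"], flow["dport"]) not in MONITORED_PORTS:
        return False
    return flow["src"] not in ENGINEERING_HOSTS

def audit(text):
    """Return (src, dst, proto, dport) for every violating record, in order."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if is_violation(f):
            hits.append((str(f["src"]), str(f["dst"]), f["proto"], f["dport"]))
    return hits

if __name__ == "__main__":
    for hit in audit(SAMPLE_FLOWS):
        print("ALERT unauthorised PLC access:", hit)
```

Traffic to the PLC on other ports (the 443 record) is deliberately ignored so the rule stays focused on the two services the advisory names; widen MONITORED_PORTS if the site policy covers more.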
CVEs (1)