OTPulse

Siemens OPC UA Protocol Stack Discovery Service (Update E)

Plan Patch | CVSS 8.2 | ICS-CERT ICSA-17-243-01 | Aug 30, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Various Siemens industrial automation products use the OPC UA protocol stack Discovery Service, which is vulnerable to remote resource consumption attacks (CVE-2017-12069). An attacker can send malicious discovery requests that cause excessive CPU and memory usage on affected systems, leading to denial of service. Affected products include SIMATIC IT Production Suite, SIMATIC NET PC Software, SIMATIC PCS 7, SIMATIC WinCC, and WinCC Runtime Professional.

What this means
What could happen
An attacker could send malicious OPC UA discovery requests to cause excessive resource consumption on affected HMI, PCS, and historian systems, potentially leading to denial of service and loss of visibility or control over industrial processes.
Who's at risk
Manufacturing facilities using Siemens SIMATIC IT, WinCC (HMI/SCADA), PCS 7 (process control), or NET PC Software for supervisory control and data access. Any plant relying on these systems for production visibility or process monitoring is affected.
How it could be exploited
An attacker sends specially crafted OPC UA protocol packets to the Discovery Service port on an affected system. The malformed requests cause the service to consume excessive CPU and memory resources, degrading or crashing the application. No authentication is required for the discovery service.
Prerequisites
  • Network access to OPC UA Discovery Service port (typically UDP 4840 or TCP 4840)
  • OPC UA Discovery Service must be enabled and accessible from attacker's network segment
remotely exploitable | no authentication required | low complexity | affects availability (denial of service) | no patch available for some products
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (6)
3 with fix, 3 EOL
Product                                  Affected Versions     Fix Status
SIMATIC IT Production Suite              ≥ V6.5 and <V7.1      7.1
SIMATIC NET PC Software V14              <V14 SP1 Update 14    14 SP1 Update 14
SIMATIC WinCC Runtime Professional V14   <V14 SP1              14 SP1
SIMATIC WinCC                            <V7.2                 No fix (EOL)
SIMATIC PCS 7                            8.0|8.1               No fix (EOL)
SIMATIC WinCC Runtime Professional V13   All versions          No fix (EOL)
Remediation & Mitigation
Do now
SIMATIC WinCC
WORKAROUND: For SIMATIC PCS 7 (8.0/8.1) and SIMATIC WinCC V7.2, for which no vendor fix is available, disable the OPC UA Discovery Service if it is not in use, or use firewall rules to restrict network access to the Discovery Service port to engineering networks only.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC IT Production Suite
HOTFIX: Update SIMATIC IT Production Suite to version 7.1 or later
SIMATIC WinCC Runtime Professional V14
HOTFIX: Update SIMATIC WinCC Runtime Professional V14 to version 14 SP1 or later
All products
HOTFIX: Update SIMATIC NET PC Software to version 14 SP1 Update 14 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC WinCC, SIMATIC PCS 7, SIMATIC WinCC Runtime Professional V13. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate OPC UA Discovery Service from untrusted network segments
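
The workaround and hardening items above both come down to letting only engineering networks reach port 4840. As an added example (not part of the advisory), this script audits firewall flow records for allowed connections to that port from any other source; the log format, the sample records and the 10.20.0.0/24 engineering subnet are assumptions.

```python
import ipaddress
from collections import Counter

# Assumptions (not from the advisory): engineering subnet and log format.
ENGINEERING_NETS = [ipaddress.ip_network("10.20.0.0/24")]
DISCOVERY_PORT = 4840  # port named in the advisory (TCP or UDP)

# Constructed sample flow records: "timestamp src dst proto dport action"
SAMPLE_FLOWS = """\
2017-09-01T08:00:01Z 10.20.0.15 10.30.0.5 tcp 4840 allow
2017-09-01T08:00:02Z 10.40.7.22 10.30.0.5 tcp 4840 allow
2017-09-01T08:00:02Z 10.40.7.22 10.30.0.5 udp 4840 allow
2017-09-01T08:00:03Z 192.168.50.9 10.30.0.6 tcp 4840 deny
2017-09-01T08:00:04Z 10.40.7.22 10.30.0.5 tcp 102 allow
malformed line
"""

def is_engineering(addr):
    """True if addr belongs to one of the allowed engineering networks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a bad address
    return any(ip in net for net in ENGINEERING_NETS)

def audit_flows(text):
    """Return (violations, skipped): allowed flows to the Discovery Service
    port from non-engineering sources, counted per (src, dst, proto)."""
    violations, skipped = Counter(), 0
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            skipped += 1
            continue
        _ts, src, dst, proto, dport, action = parts
        try:
            outside = not is_engineering(src)
            port = int(dport)
        except ValueError:
            skipped += 1
            continue
        # A "deny" record means the firewall rule worked; only "allow" is a gap.
        if (port == DISCOVERY_PORT and proto in ("tcp", "udp")
                and action == "allow" and outside):
            violations[(src, dst, proto)] += 1
    return violations, skipped

if __name__ == "__main__":
    found, skipped = audit_flows(SAMPLE_FLOWS)
    for (src, dst, proto), n in sorted(found.items()):
        print(f"VIOLATION {src} -> {dst} {proto}/{DISCOVERY_PORT} allowed x{n}")
    print(f"skipped {skipped} unparseable line(s)")
```

Any violation reported for an EOL product host points to a firewall or segmentation rule that still needs tightening.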