Siemens Industrial Products (Update S)

Plan PatchCVSS 7.5ICS-CERT ICSA-17-339-01Nov 23, 2017

SiemensManufacturingTransportation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple Siemens industrial products with PROFINET connectivity are vulnerable to remote denial of service via specially crafted packets sent to port 161/UDP (SNMP). The vulnerability affects development kits, I/O modules (ET 200 series), PLCs (S7 series), motion controllers (SIMOTION), variable frequency drives (SINAMICS), and other networked industrial devices. Affected versions of these products do not properly validate or handle SNMP packets, allowing an attacker to crash or cause extended unavailability of the device. Siemens has released firmware updates for many products but states that some device families will not receive patches.

What this means

What could happen

An attacker on the network could send malicious SNMP packets to crash Siemens industrial controllers and I/O devices, causing them to stop responding and disrupting manufacturing, motion control, or drive operations until the device is manually rebooted. Depending on device criticality, this could halt production lines or cause loss of equipment control.

Who's at risk

Manufacturing plants, food and beverage facilities, automotive assembly lines, and utilities using Siemens PROFINET-based equipment should assess their exposure. This includes operators of S7-200/300/400/1200/1500 PLC families, ET 200 series distributed I/O modules, SINAMICS variable frequency drives, SIMOTION motion controllers, and TDC process controllers. Any facility using these devices for critical process control is at risk.

How it could be exploited

An attacker with network access to the affected device sends a specially crafted SNMP packet to UDP port 161. The device does not validate the packet correctly and crashes or becomes unresponsive, stopping its normal operation. No authentication or engineering credentials are required.

Prerequisites

Network access to UDP port 161 on the affected device (internal plant network or externally if device is internet-reachable)
No authentication required
Default SNMP configuration or SNMP enabled on the device

Remotely exploitable over networkNo authentication requiredLow complexity to exploitAffects core industrial control devices (PLCs, I/O modules, drives, motion controllers)Many product variants have no fix availableSNMP typically enabled by default on Siemens devices

Exploitability

Some exploitation risk — EPSS score 5.3%

Affected products (78)

47 with fix31 pending

ProductAffected VersionsFix Status

Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller<V4.1.1 Patch 054.1.1 Patch 05

Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200<V4.54.5

Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P<V4.54.5

SIMATIC Compact Field UnitAll versionsNo fix yet

SIMATIC ET 200AL IM 157-1 PN<V1.0.21.0.2

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDDisable SNMP on all industrial devices where SNMP functionality is not required for monitoring or management

HARDENINGRestrict network access to UDP port 161 (SNMP) on industrial devices using firewall rules or access control lists. Block SNMP traffic from untrusted or external network segments

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate affected Siemens industrial devices to patched firmware versions as listed by Siemens (e.g., S7-1200 to v4.2.3, S7-1500 to v2.0, SINAMICS drives to specified versions)

Long-term hardening

0/3

HARDENINGImplement network segmentation and cell protection to isolate industrial control systems from general IT networks and prevent direct network paths to SNMP ports

HARDENINGUse VPN or encrypted tunnels for any remote access to management interfaces that require SNMP

HARDENINGFor products with no fix available (e.g., SIMATIC ET 200M, ET 200S, SIMOTION P, SINAMICS S120 prior to v4.7), prioritize network isolation and firewall protection as permanent mitigations

CVEs (1)

CVE-2017-12741

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/fac5829a-d456-487d-8459-e54ae3eb1b52

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.