OTPulse

Siemens Industrial Products (Update S)

Recommended action: Plan Patch · CVSS 7.5 · ICS-CERT ICSA-17-339-01 · Published Nov 23, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple Siemens industrial products with PROFINET connectivity are vulnerable to remote denial of service via specially crafted packets sent to port 161/UDP (SNMP). The vulnerability affects development kits, I/O modules (ET 200 series), PLCs (S7 series), motion controllers (SIMOTION), variable frequency drives (SINAMICS), and other networked industrial devices. Affected versions of these products do not properly validate or handle SNMP packets, allowing an attacker to crash or cause extended unavailability of the device. Siemens has released firmware updates for many products but states that some device families will not receive patches.

What this means
What could happen
An attacker on the network could send malicious SNMP packets to crash Siemens industrial controllers and I/O devices, causing them to stop responding and disrupting manufacturing, motion control, or drive operations until the device is manually rebooted. Depending on device criticality, this could halt production lines or cause loss of equipment control.
Who's at risk
Manufacturing plants, food and beverage facilities, automotive assembly lines, and utilities using Siemens PROFINET-based equipment should assess their exposure. This includes operators of S7-200/300/400/1200/1500 PLC families, ET 200 series distributed I/O modules, SINAMICS variable frequency drives, SIMOTION motion controllers, and TDC process controllers. Any facility using these devices for critical process control is at risk.
How it could be exploited
An attacker with network access to the affected device sends a specially crafted SNMP packet to UDP port 161. The device does not validate the packet correctly and crashes or becomes unresponsive, stopping its normal operation. No authentication or engineering credentials are required.
Prerequisites
  • Network access to UDP port 161 on the affected device (internal plant network or externally if device is internet-reachable)
  • No authentication required
  • Default SNMP configuration or SNMP enabled on the device
Key risk factors
  • Remotely exploitable over network
  • No authentication required
  • Low complexity to exploit
  • Affects core industrial control devices (PLCs, I/O modules, drives, motion controllers)
  • Many product variants have no fix available
  • SNMP typically enabled by default on Siemens devices
Exploitability
Moderate exploit probability (EPSS 5.3%)
Affected products (78)
47 with fix, 31 pending
Product | Affected Versions | Fix Status
Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller | < V4.1.1 Patch 05 | 4.1.1 Patch 05
Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200 | < V4.5 | 4.5
Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P | < V4.5 | 4.5
SIMATIC Compact Field Unit | All versions | No fix yet
SIMATIC ET 200AL IM 157-1 PN | < V1.0.2 | 1.0.2
Remediation & Mitigation
Do now
Workaround: Disable SNMP on all industrial devices where SNMP functionality is not required for monitoring or management
Hardening: Restrict network access to UDP port 161 (SNMP) on industrial devices using firewall rules or access control lists. Block SNMP traffic from untrusted or external network segments
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Hotfix: Update affected Siemens industrial devices to patched firmware versions as listed by Siemens (e.g., S7-1200 to v4.2.3, S7-1500 to v2.0, SINAMICS drives to specified versions)
Long-term hardening
Hardening: Implement network segmentation and cell protection to isolate industrial control systems from general IT networks and prevent direct network paths to SNMP ports
Hardening: Use VPN or encrypted tunnels for any remote access to management interfaces that require SNMP
Hardening: For products with no fix available (e.g., SIMATIC ET 200M, ET 200S, SIMOTION P, SINAMICS S120 prior to v4.7), prioritize network isolation and firewall protection as permanent mitigations
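One way to verify that the SNMP restriction and the "disable SNMP where not needed" workaround above actually hold at the cell boundary, as an added example that is not part of this advisory or any Siemens or OTPulse tooling: audit boundary firewall flow logs for UDP/161 traffic into the OT cell that comes from anything other than the approved network management station, or that reaches a device on which SNMP was supposed to be disabled. The address plan, the allowlist, and the syslog-style log format are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Assumed address plan: the OT cell hosting the PROFINET devices (constructed).
OT_CELL = ipaddress.ip_network("10.20.0.0/24")
# Assumption: only the plant NMS is allowed to poll SNMP (UDP/161) inside the cell.
SNMP_MANAGERS = {ipaddress.ip_address("10.10.5.10")}
# Devices where SNMP was disabled per the workaround; accepted 161/udp to them is a config drift signal.
SNMP_DISABLED = {ipaddress.ip_address("10.20.0.31")}

# Constructed boundary-firewall log lines (not a real vendor format).
SAMPLE_LOG = """\
2017-12-05T10:01:02Z ACCEPT proto=udp src=10.10.5.10:51200 dst=10.20.0.21:161
2017-12-05T10:01:05Z ACCEPT proto=udp src=192.168.44.7:40123 dst=10.20.0.21:161
2017-12-05T10:01:06Z ACCEPT proto=udp src=10.10.5.10:51201 dst=10.20.0.31:161
2017-12-05T10:01:09Z ACCEPT proto=tcp src=192.168.44.7:40124 dst=10.20.0.21:102
2017-12-05T10:01:11Z DROP proto=udp src=172.16.9.9:9999 dst=10.20.0.22:161
"""


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    reason: str


def parse_line(line):
    """Split one log line into (action, proto, src_ip, dst_ip, dst_port)."""
    _ts, action, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    src_ip, _src_port = fields["src"].rsplit(":", 1)
    dst_ip, dst_port = fields["dst"].rsplit(":", 1)
    return action, fields["proto"], ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), int(dst_port)


def audit_snmp_exposure(log_text):
    """Return findings for SNMP traffic that the cell ACL should not have let through."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        action, proto, src, dst, dport = parse_line(line)
        if proto != "udp" or dport != 161 or dst not in OT_CELL:
            continue  # not SNMP into the cell; out of scope for this check
        if action != "ACCEPT":
            continue  # dropped at the boundary: the ACL did its job
        if dst in SNMP_DISABLED:
            findings.append(Finding(str(src), str(dst), "snmp-reached-device-marked-disabled"))
        if src not in SNMP_MANAGERS:
            findings.append(Finding(str(src), str(dst), "snmp-from-unapproved-source"))
    return findings


if __name__ == "__main__":
    for f in audit_snmp_exposure(SAMPLE_LOG):
        print(f"{f.reason}: {f.src} -> {f.dst}")
```

Run against real exports, the second finding type is the one to chase first: a device marked SNMP-disabled that still accepts polls means the workaround was never applied or was reverted by a firmware update.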