Siemens Medium Voltage SINAMICS Products (Update A)

Plan PatchCVSS 7.5ICS-CERT ICSA-18-128-01May 3, 2018

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple Siemens SINAMICS variable frequency drives and soft starters with PROFINET connectivity contain a vulnerability in input validation (CWE-20, CWE-400) that allows a remote attacker to send crafted PROFINET packets without authentication. The malformed packets cause the device firmware to crash or become unresponsive, resulting in denial of service to the connected motor or equipment. Affected products include SIMOTION D4xx, SINAMICS GH150, GL150, GM150, SL150 (multiple versions), and SM120, all with PROFINET interfaces and running firmware versions prior to the specified hotfixes or updates.

What this means

What could happen

An attacker could send crafted PROFINET packets to these variable frequency drives (VFDs) and soft starters to cause them to become unresponsive, which would stop the motor or compressor they control and disrupt production or critical processes.

Who's at risk

Utilities and industrial facilities using Siemens SINAMICS variable frequency drives (VFDs) and soft starters for motors, compressors, and pumps. Affected models include the GH150, GL150, GM150, SL150, SM120, and SM150i-2 with PROFINET connectivity. This impacts water treatment plants, wastewater systems, electric utilities, and any facility with Siemens medium-voltage or soft-starter equipment controlling critical motors.

How it could be exploited

An attacker with network access to the PROFINET interface sends malformed packets designed to trigger a buffer handling vulnerability in the firmware. The device crashes and stops responding to control commands, halting the connected equipment.

Prerequisites

Network access to PROFINET port (typically port 34962 or accessible via industrial switch)
No authentication required
Device must be reachable from the attacker's network segment

Remotely exploitable over PROFINETNo authentication requiredLow complexity attackCauses denial of service to critical equipmentAffects production and safety-critical processesMultiple product variants affected

Exploitability

Some exploitation risk — EPSS score 5.3%

Affected products (8)

8 with fix

ProductAffected VersionsFix Status

SIMOTION D4xx V4.4 for SINAMICS SM150i-2 w. PROFINET (incl. SIPLUS variants): All<V4.4 HF264.4 HF26

SINAMICS GH150 V4.7 w. PROFINET: All<V4.7 SP5 HF74.7 SP5 HF7 or upgrade to V4.8 SP2

SINAMICS GL150 V4.7 w. PROFINET: All<V4.8 SP24.8 SP2

SINAMICS GM150 V4.7 w. PROFINET: All<V4.7 HF314.7 HF31 or update to V4.8 SP2

SINAMICS SL150 V4.7.0 w. PROFINET: All<V4.7 HF304.7 HF30 or upgrade to V4.8 SP2

SINAMICS SL150 V4.7.4 w. PROFINET: All<V4.8 SP24.8 SP2

SINAMICS SL150 V4.7.5 w. PROFINET: All<V4.8 SP24.8 SP2

SINAMICS SM120 V4.7 w. PROFINET: All<V4.8 SP24.8 SP2

Remediation & Mitigation

0/8

Do now

0/1

HARDENINGRestrict network access to PROFINET interfaces using industrial firewalls or network segmentation; only allow communication from authorized engineering workstations and control systems

Schedule — requires maintenance window

0/7

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SIMOTION D4xx to firmware version 4.4 HF26 or later

HOTFIXUpdate SINAMICS GH150 to firmware version 4.7 SP5 HF7 or later, or upgrade to version 4.8 SP2 or later

HOTFIXUpdate SINAMICS GL150 to firmware version 4.8 SP2 or later

HOTFIXUpdate SINAMICS GM150 to firmware version 4.7 HF31 or later, or upgrade to version 4.8 SP2 or later

HOTFIXUpdate SINAMICS SL150 (V4.7.0) to firmware version 4.7 HF30 or later, or upgrade to version 4.8 SP2 or later

HOTFIXUpdate SINAMICS SL150 (V4.7.4 and V4.7.5) to firmware version 4.8 SP2 or later

HOTFIXUpdate SINAMICS SM120 to firmware version 4.8 SP2 or later

CVEs (2)

CVE-2017-2680 CVE-2017-12741

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/6d013a9f-faef-4e07-84d4-ec1d1f5625d9

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.