OTPulse

Siemens OpenSSL Vulnerability in Industrial Products (Update E)

Act Now | 5.9 | ICS-CERT ICSA-18-226-02 | Aug 7, 2018
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Multiple Siemens industrial products contain a vulnerability in OpenSSL that allows encrypted data to be sent unencrypted by the SSL/TLS record layer (CWE-319: Cleartext Transmission of Sensitive Information). This affects S7-1200 and S7-1500 PLCs, MindConnect edge devices, engineering software (STEP 7, WinCC), and SCADA/HMI platforms. An attacker with network access could intercept communications and obtain sensitive data that should be encrypted in transit, including production parameters, passwords, and engineering commands.

What this means
What could happen
An attacker who can reach your network could intercept unencrypted data from your PLC or engineering workstation, exposing sensitive production configuration and potentially credentials, if TLS traffic is downgraded by the OpenSSL flaw.
Who's at risk
Manufacturing facilities using Siemens PLCs (S7-1200, S7-1500), edge controllers (MindConnect IoT2040, ET 200SP), engineering workstations (STEP 7 TIA Portal, WinCC HMI), and SCADA software (WinCC OA) are affected. The vulnerability impacts both production devices and engineering/diagnostics infrastructure.
How it could be exploited
An attacker on your network would exploit the OpenSSL vulnerability to force unencrypted communication (CWE-319) when the device initiates an SSL/TLS connection. This bypasses encryption on sensitive data like engineering commands, passwords, or process data that should be protected in transit.
Prerequisites
  • Network access to the affected device on port 443 or another TLS-protected port
  • Device must initiate an outbound or inbound SSL/TLS connection
  • Device must be running a vulnerable OpenSSL version in the affected firmware/software
  • Remotely exploitable
  • No authentication required for network-level attack
  • High EPSS score (58%)
  • Affects confidentiality of sensitive control system communications
  • Impacts both control devices and engineering/HMI workstations
  • One product line (SINUMERIK Integrate Operate Client) has no fix available
Exploitability
High exploit probability (EPSS 58.0%)
Affected products (20)
19 with fix, 1 pending
Product | Affected Versions | Fix Status
MindConnect IoT2040 | <V03.01 | 03.01
MindConnect Nano (IPC227D) | <V03.01 | 03.01
SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) | ≥ V2.0 <V2.1.6 | 2.1.6
SIMATIC HMI WinCC Flexible | <V15.1 | 15.1
SIMATIC IPC DiagBase | <V2.1.1.0 | 2.1.1.0
Remediation & Mitigation
Do now
  • WORKAROUND: Disable the web server on SIMATIC S7-1200 if not required for operations, or restrict web server access to specific Ethernet/PROFINET interfaces via device configuration
  • HARDENING: Restrict network access to affected devices using firewall rules; do not expose control system devices to the Internet
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

MindConnect IoT2040
  • HOTFIX: Update MindConnect IoT2040 to firmware v03.01 or newer via MindSphere web front-end
MindConnect Nano (IPC227D)
  • HOTFIX: Update MindConnect Nano (IPC227D) to firmware v03.01 or newer via MindSphere web front-end
SIMATIC HMI WinCC Flexible
  • HOTFIX: Update SIMATIC HMI WinCC Flexible to v15.1 or newer
SIMATIC IPC DiagBase
  • HOTFIX: Update SIMATIC IPC DiagBase to v2.1.1.0 or newer
SIMATIC IPC DiagMonitor
  • HOTFIX: Update SIMATIC IPC DiagMonitor to v5.0.3 or newer
SIMATIC S7-1500 Software Controller
  • HOTFIX: Update SIMATIC S7-1500 Software Controller to v2.6 or newer
SIMATIC STEP 7 (TIA Portal) V13
  • HOTFIX: Update SIMATIC STEP 7 (TIA Portal) V13 to v13 SP2 Update 2 or newer
  • HOTFIX: Update SIMATIC STEP 7 (TIA Portal) V14 to v14 SP1 Update 6 or newer
  • HOTFIX: Update SIMATIC STEP 7 (TIA Portal) V15 to v15 Update 2 or newer
  • HOTFIX: Update SIMATIC WinCC (TIA Portal) V13 to v13 SP2 Update 2 or newer
  • HOTFIX: Update SIMATIC WinCC (TIA Portal) V14 to v14 SP1 Update 6 or newer
  • HOTFIX: Update SIMATIC WinCC (TIA Portal) V15 to v15 Update 2 or newer
SIMATIC WinCC OA V3.14
  • HOTFIX: Update SIMATIC WinCC OA V3.14 to v3.14 P021 or newer
SIMATIC WinCC OA V3.15
  • HOTFIX: Update SIMATIC WinCC OA V3.15 to v3.15 P014 or newer
SIMATIC WinCC OA V3.16
  • HOTFIX: Update SIMATIC WinCC OA V3.16 to v3.16 P002 or newer
All products
  • HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC to firmware v2.1.6 or newer
  • HOTFIX: Update SIMATIC S7-1200 CPU to firmware v4.2.3 or newer
  • HOTFIX: Update SIMATIC S7-1500 CPU family to firmware v2.5.2 or newer
  • HOTFIX: Update SINUMERIK Integrate Access MyMachine service engineer client to v4.1.8 or newer
  • HOTFIX: Update SINUMERIK Integrate Operate Client to v2.0.12 or v3.0.12
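
Added example (not part of the advisory or of any Siemens tooling): a Python triage that checks asset-inventory rows against the affected-version ranges listed above, including the zero-padding needed so that "2.1.1" and "2.1.1.0" compare as equal. The inventory rows and the status labels are constructed for illustration, and only dotted-numeric version strings are parsed; anything else is flagged for manual review.

```python
import re

# Rows from the advisory's affected-products table; "min" is the ET 200SP lower bound.
FIXES = {
    "MindConnect IoT2040": {"fixed": "03.01"},
    "SIMATIC ET 200SP Open Controller CPU 1515SP PC": {"min": "2.0", "fixed": "2.1.6"},
    "SIMATIC HMI WinCC Flexible": {"fixed": "15.1"},
    "SIMATIC IPC DiagBase": {"fixed": "2.1.1.0"},
}

def parse_version(text):
    """'V03.01' -> (3, 1); raises ValueError unless dotted-numeric."""
    m = re.fullmatch(r"[vV]?\s*(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unsupported version format: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def compare(a, b):
    """-1/0/1 after zero-padding, so (2, 1, 1) equals (2, 1, 1, 0)."""
    width = max(len(a), len(b))
    a, b = a + (0,) * (width - len(a)), b + (0,) * (width - len(b))
    return (a > b) - (a < b)

def triage(product, installed):  # classify one inventory row
    rule = FIXES.get(product)
    if rule is None:
        return "not-listed"
    try:
        have = parse_version(installed)
    except ValueError:
        return "manual-review"  # e.g. service-pack style version strings
    if "min" in rule and compare(have, parse_version(rule["min"])) < 0:
        return "outside-affected-range"
    if compare(have, parse_version(rule["fixed"])) < 0:
        return "update-required"
    return "fixed"

INVENTORY = [  # constructed sample rows, not real asset data
    ("MindConnect IoT2040", "V3.0"),
    ("SIMATIC IPC DiagBase", "2.1.1"),
    ("SIMATIC ET 200SP Open Controller CPU 1515SP PC", "V1.8"),
    ("SIMATIC HMI WinCC Flexible", "2008 SP5"),
    ("SIMATIC STEP 7 (TIA Portal) V13", "V13 SP2 Update 1"),
]

def report(inventory=INVENTORY):
    return [(p, v, triage(p, v)) for p, v in inventory]

if __name__ == "__main__":
    print(*report(), sep="\n")
```

Rows that come back as "not-listed" or "manual-review" still need to be checked by hand against the full advisory, since this example only encodes the table rows shown on this page.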
Long-term hardening
  • HARDENING: Isolate control system networks from business networks with proper network segmentation and firewalls
  • HARDENING: If remote access is required, use VPN with current patches and keep VPN systems updated