OTPulse

Siemens S7-400 CPUs (Update B)

Action: Plan Patch
CVSS: 8.2
Source: ICS-CERT ICSA-18-317-02
Published: Nov 13, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Two input validation vulnerabilities (CWE-20, CWE-347) exist in the SIMATIC S7-400 CPU family. An attacker with network access to port 102/TCP via Ethernet, PROFIBUS, or MPI can send malformed packets that cause the CPU to enter a fault state, resulting in denial of service. The vulnerabilities affect a wide range of S7-400 CPU models and firmware versions. Siemens has released firmware patches for select PN/DP and H variants, but the majority of S7-400 models (DP-only, older H versions, and PN/DP V6) have no planned fix. Siemens recommends network access restrictions, protection level configuration, and defense-in-depth strategies for devices where firmware updates are not available.

What this means
What could happen
An attacker with network access to port 102 could send specially crafted packets to crash a Siemens S7-400 CPU, stopping all associated control processes until the PLC is manually restarted.
Who's at risk
Water authorities and utilities operating Siemens SIMATIC S7-400 CPUs (models 412, 414, 416, 417) for process automation should care about this issue. S7-400 CPUs are commonly used in SCADA systems, distributed control systems, and safety-critical process control (especially the S7-400 H and S7-400 F variants for redundant and failsafe applications). The vulnerability affects both DP (PROFIBUS) and PN (Profinet) network variants.
How it could be exploited
An attacker on the same network segment (or with routing to the control network) sends malformed requests to port 102/TCP, PROFIBUS, or MPI interfaces on the S7-400 CPU. The CPU does not properly validate the incoming data, causing it to enter a fault state and cease executing the automation program.
Prerequisites
  • Network access to port 102/TCP on the affected S7-400 CPU, or direct access to PROFIBUS or MPI interfaces
  • No authentication required
  • Device must be running a vulnerable firmware version
Key risk factors
  • remotely exploitable via port 102/TCP
  • no authentication required
  • low complexity attack
  • no patch available for majority of affected models
  • affects safety-critical variants (S7-400 H, S7-400 F)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (21)
9 with fix, 12 EOL

Product | Affected Versions | Fix Status
SIMATIC S7-400 CPU 414-3 PN/DP V7 | < V7.0.3 | 7.0.3
SIMATIC S7-400 CPU 414F-3 PN/DP V7 | < V7.0.3 | 7.0.3
SIMATIC S7-400 CPU 416-3 PN/DP V7 | < V7.0.3 | 7.0.3
SIMATIC S7-400 CPU 416F-3 PN/DP V7 | < V7.0.3 | 7.0.3
SIMATIC S7-400 CPU 412-2 PN V7 | < V7.0.3 | 7.0.3
Remediation & Mitigation
Do now
WORKAROUND: For S7-410 CPUs, activate field interface security in PCS 7 v9.0 and use SIMATIC CP443-1 Adv. for ES/OS communication
WORKAROUND: Configure protection Level 3 (read/write protection) on affected S7-400 CPUs to mitigate the vulnerability
HARDENING: Restrict network access to port 102/TCP on Ethernet interfaces of affected S7-400 CPUs using firewall rules or network segmentation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC S7-400 CPU 414-3 PN/DP V7
HOTFIX: Update affected SIMATIC S7-400 CPU 414-3 PN/DP V7, CPU 414F-3 PN/DP V7, CPU 416-3 PN/DP V7, CPU 416F-3 PN/DP V7, CPU 412-2 PN V7, and SIPLUS variants to firmware version 7.0.3 or later
All products
HOTFIX: Update SIMATIC S7-400 H V6 CPU family to firmware version 6.0.9 or later
HOTFIX: Update SIMATIC S7-410 CPU family to firmware version 8.2.1 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC S7-400 CPU 412-1 DP V7, SIMATIC S7-400 CPU 412-2 DP V7, SIMATIC S7-400 CPU 414-2 DP V7, SIMATIC S7-400 CPU 414-3 DP V7, SIMATIC S7-400 CPU 416-2 DP V7, SIMATIC S7-400 CPU 416-3 DP V7, SIMATIC S7-400 CPU 416F-2 DP V7, SIMATIC S7-400 CPU 417-4 DP V7, SIMATIC S7-400 H V4.5 and below CPU family (incl. SIPLUS variants), SIMATIC S7-400 PN/DP V6 and below CPU family (incl. SIPLUS variants), SIPLUS S7-400 CPU 416-3 V7, SIPLUS S7-400 CPU 417-4 V7. Apply the following compensating controls:
HARDENING: Restrict network access to PROFIBUS and MPI interfaces on affected devices to authorized engineering and service connections only
HARDENING: Isolate all S7-400 CPU devices from the business network and position behind firewalls; ensure they are not accessible from the Internet
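Added example, not OTPulse's or Siemens' code: a triage script that sorts a CPU inventory against the fixed firmware versions (7.0.3, 6.0.9, 8.2.1) and the End of Life list from this advisory, so each device lands in "update in the maintenance window" or "compensating controls only". The inventory records, asset tags and the assumption that product names follow the advisory's wording are constructed for the example.

```python
import re

# Fixed firmware versions published in the advisory (Update B).
FIX_PN_V7 = (7, 0, 3)   # 412-2 PN, 414(F)-3 and 416(F)-3 PN/DP V7, incl. SIPLUS
FIX_H_V6 = (6, 0, 9)    # S7-400 H V6 CPU family
FIX_S7_410 = (8, 2, 1)  # S7-410 CPU family
# Model patterns; assumption: inventory names follow the advisory's wording.
PN_V7 = re.compile(r"CPU (412-2 PN|41[46]F?-3 PN/DP) V7\b")
# DP-only V7 CPUs and SIPLUS 416-3/417-4 V7: End of Life, no planned fix.
EOL_V7 = re.compile(r"CPU (41[2467]F?-[1234] DP|41[67]-[34]) V7\b")

def parse_version(fw: str) -> tuple:
    """'V7.0.2' -> (7, 0, 2); reject anything that is not x.y.z."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", fw)
    if not m:
        raise ValueError(f"unparseable firmware string: {fw!r}")
    return tuple(int(x) for x in m.groups())

def triage(product: str, firmware: str) -> str:
    """Classify one CPU as patched / update / eol-mitigate / not-listed."""
    ver = parse_version(firmware)
    if "S7-410" in product:
        fix = FIX_S7_410
    elif re.search(r"S7-400 H\b", product):
        if ver[:2] <= (4, 5):   # H V4.5 and below: no planned fix
            return "eol-mitigate"
        if ver[0] != 6:         # only the V6 H family has a listed fix
            return "not-listed"
        fix = FIX_H_V6
    elif PN_V7.search(product):
        fix = FIX_PN_V7
    elif EOL_V7.search(product) or ("PN/DP" in product and ver[0] <= 6):
        return "eol-mitigate"   # includes the PN/DP V6-and-below family
    else:
        return "not-listed"
    return "patched" if ver >= fix else "update"

# Constructed sample inventory: (asset tag, product, firmware).
INVENTORY = [
    ("WTP-PLC-01", "SIMATIC S7-400 CPU 414-3 PN/DP V7", "V7.0.2"),
    ("WTP-PLC-02", "SIMATIC S7-400 CPU 416F-3 PN/DP V7", "V7.0.3"),
    ("WTP-PLC-03", "SIMATIC S7-400 CPU 416-3 DP V7", "V7.0.1"),
    ("WTP-PLC-04", "SIMATIC S7-400 H", "V6.0.8"),
    ("WTP-PLC-05", "SIMATIC S7-410", "V8.2.1"),
    ("WTP-PLC-06", "SIMATIC S7-400 H", "V4.5.0"),
]

def triage_inventory(inventory=INVENTORY) -> dict:
    # Map each asset tag to its triage status.
    return {asset: triage(product, fw) for asset, product, fw in inventory}
```

Devices reported as "eol-mitigate" get only the compensating controls listed above (protection Level 3, port 102/TCP restriction, PROFIBUS/MPI access control); "update" devices go into the maintenance-window schedule.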