Siemens SIMATIC S7 (Update A)
Monitor 5.3 · ICS-CERT ICSA-18-317-05 · Nov 13, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SIMATIC S7-1200 and S7-1500 PLCs fail to properly validate input on port 102/TCP (S7 communication protocol), allowing a remote attacker to send a malformed packet that crashes the device. The issue is caused by improper handling of specific packet types (CWE-410: Insufficient Resource Validation). Affected devices become unresponsive and require manual restart. This impacts all S7-1200 firmware versions before 4.3 and all S7-1500 firmware versions before 2.6.
What this means
What could happen
An attacker with network access to port 102/TCP on affected S7-1200 or S7-1500 PLCs could cause a denial of service by crashing the device, interrupting process control and plant operations until manual recovery is performed.
Who's at risk
Water utilities and electric utilities operating Siemens SIMATIC S7-1200 or S7-1500 programmable logic controllers (PLCs) in SCADA systems, process automation, or any critical control function should be concerned. This affects both standard and SIPLUS (ruggedized) variants used in remote pump stations, treatment facilities, and distribution automation.
How it could be exploited
An attacker sends a specially crafted packet to port 102/TCP (the Siemens S7 communication protocol port) on an affected PLC. The device fails to properly validate or handle the malformed packet, triggering a crash. The PLC becomes unresponsive and must be manually restarted.
Prerequisites
- Network-accessible port 102/TCP on the affected S7-1200 or S7-1500 PLC
- No authentication required
Tags: remotely exploitable · no authentication required · low complexity · no patch available for S7-1200
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
SIMATIC S7-1200 CPU family (incl. SIPLUS variants) | All versions < V4.3 | Version 4.3 or later
SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) | All versions < V2.6 | Version 2.6 or later
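The affected-version cut-offs above are easy to misread when an inventory lists firmware as "V4.2.3" or "V2.6.1", so here is an added example (not from the advisory or from Siemens) that triages an inventory against the two fixed versions the advisory gives. The product-string patterns used to map a row to the S7-1200 or S7-1500 family are an assumption, and the inventory rows are constructed sample data.

```python
# Added example, not from the advisory or from Siemens: triage a PLC firmware
# inventory against the fixed versions the advisory lists.
import re
from typing import Dict, List, Optional, Tuple

# Fixed firmware versions from the advisory: S7-1200 V4.3, S7-1500 V2.6.
FIXED_VERSIONS: Dict[str, Tuple[int, ...]] = {
    "S7-1200": (4, 3),
    "S7-1500": (2, 6),
}

# Assumed naming conventions for mapping an inventory product string to a
# family; ET200 CPUs and SIPLUS variants are folded into their parent family
# as the advisory does.
FAMILY_PATTERNS = [
    (re.compile(r"S7-1200", re.I), "S7-1200"),
    (re.compile(r"S7-1500|ET\s?200\w*\s+CPU", re.I), "S7-1500"),
]


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Turn 'V4.2.3', '4.3' or 'v2.6.1' into a tuple of ints for comparison."""
    m = re.search(r"v?(\d+(?:\.\d+)*)", text, re.I)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def classify(product: str) -> Optional[str]:
    """Return the advisory family a product string belongs to, or None."""
    for pattern, family in FAMILY_PATTERNS:
        if pattern.search(product):
            return family
    return None


def is_affected(product: str, firmware: str) -> Optional[bool]:
    """True if below the fixed version, False if fixed, None if out of scope."""
    family = classify(product)
    version = parse_version(firmware)
    if family is None or version is None:
        return None
    # Tuple comparison handles differing lengths: (4, 2, 3) < (4, 3) is True,
    # (4, 3, 0) < (4, 3) is False.
    return version < FIXED_VERSIONS[family]


def triage(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Annotate each inventory row with 'affected', 'fixed' or 'out_of_scope'."""
    out = []
    for row in inventory:
        verdict = is_affected(row["product"], row["firmware"])
        status = {True: "affected", False: "fixed", None: "out_of_scope"}[verdict]
        out.append({**row, "status": status})
    return out


# Constructed sample inventory (not real asset data).
SAMPLE_INVENTORY = [
    {"name": "pump-station-3", "product": "SIMATIC S7-1200 CPU", "firmware": "V4.2.3"},
    {"name": "clarifier-plc", "product": "SIPLUS S7-1500 CPU", "firmware": "V2.6.1"},
    {"name": "remote-io-7", "product": "SIMATIC ET 200SP CPU", "firmware": "V2.5.2"},
    {"name": "hmi-panel", "product": "SIMATIC HMI panel", "firmware": "V15.1"},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(f'{row["name"]:16} {row["status"]:13} {row["product"]} {row["firmware"]}')
```

Rows that do not match either family come back as out_of_scope rather than fixed, so a device the patterns fail to recognise is never silently marked safe.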
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to port 102/TCP on all affected S7-1200 and S7-1500 devices using firewall rules
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update SIMATIC S7-1500 CPUs to firmware version 2.6 or later
HOTFIX: Update SIMATIC S7-1200 CPUs to firmware version 4.3 or later
Long-term hardening
HARDENING: Apply cell-protection concept to isolate PLCs from untrusted networks
HARDENING: Implement defense-in-depth network segmentation to prevent direct access to control system devices from business networks
HARDENING: Ensure control system networks are not directly accessible from the Internet
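The workaround (firewall rules on port 102/TCP) and the segmentation items above all reduce to one question a defender can check from logs: is anything other than the designated engineering and SCADA hosts reaching TCP/102 on a PLC? The following added example (not from the advisory or from Siemens) audits flow records against an allowlist and separates flows the firewall let through (the restriction is not enforced on that path) from flows it blocked (the restriction works, but an unexpected source is probing). The key=value log format, the addresses and the subnet are all constructed for the example.

```python
# Added example, not from the advisory or from Siemens: audit firewall/flow
# logs for S7 traffic (TCP/102) reaching PLCs from outside an allowlist of
# engineering and SCADA sources. The log format and all addresses below are
# constructed for the example.
import ipaddress
import re
from typing import Dict, Iterable, List, Optional

S7_PORT = 102  # S7 communication port named in the advisory

# Assumed key=value flow-log format, e.g.
# 2018-11-13T10:01:02Z src=10.20.1.5 dst=10.30.0.11 proto=tcp dport=102 action=allow
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+"
    r"proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)"
)


def parse_flow(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def audit_s7_flows(lines: Iterable[str], plc_addrs: Iterable[str],
                   allowed_sources: Iterable[str]) -> List[Dict[str, str]]:
    """Return findings for TCP/102 flows to a PLC from a non-allowlisted source.

    'rule_gap'     : the firewall allowed the flow, so the port-102 restriction
                     from the workaround is not enforced on that path.
    'blocked_probe': the firewall denied it; the restriction works, but an
                     unexpected source is trying to reach the PLC.
    """
    plcs = {ipaddress.ip_address(a) for a in plc_addrs}
    allowed = [ipaddress.ip_network(n) for n in allowed_sources]
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow["proto"].lower() != "tcp" or int(flow["dport"]) != S7_PORT:
            continue
        dst = ipaddress.ip_address(flow["dst"])
        if dst not in plcs:
            continue
        src = ipaddress.ip_address(flow["src"])
        if any(src in net for net in allowed):
            continue
        severity = "rule_gap" if flow["action"].lower() == "allow" else "blocked_probe"
        findings.append({"ts": flow["ts"], "src": str(src), "dst": str(dst), "finding": severity})
    return findings


# Constructed sample data: two PLCs, one engineering subnet, five flow records.
PLC_ADDRS = ["10.30.0.11", "10.30.0.12"]
ALLOWED_SOURCES = ["10.20.1.0/24"]
SAMPLE_LOG = [
    "2018-11-13T10:01:02Z src=10.20.1.5 dst=10.30.0.11 proto=tcp dport=102 action=allow",
    "2018-11-13T10:01:09Z src=192.168.50.77 dst=10.30.0.11 proto=tcp dport=102 action=allow",
    "2018-11-13T10:01:15Z src=192.168.50.78 dst=10.30.0.12 proto=tcp dport=102 action=deny",
    "2018-11-13T10:01:20Z src=192.168.50.77 dst=10.30.0.11 proto=tcp dport=443 action=allow",
    "2018-11-13T10:01:31Z src=10.20.1.5 dst=10.30.0.99 proto=tcp dport=102 action=allow",
]

if __name__ == "__main__":
    for finding in audit_s7_flows(SAMPLE_LOG, PLC_ADDRS, ALLOWED_SOURCES):
        print(finding)
```

A rule_gap finding means the firewall rule from the workaround is missing or mis-scoped for that source and should be fixed before relying on it; blocked_probe findings are the signal that the segmentation is doing its job and are worth routing to the SOC as reconnaissance against the control network.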
CVEs (1)
API: /api/v1/advisories/ad21aa95-b898-4ac8-a722-fa78ee181fab