Siemens SIMATIC, SIMOCODE, SINAMICS, SITOP, and TIM (Update I)

Plan Patch7.5ICS-CERT ICSA-19-099-06Apr 9, 2019

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A denial of service vulnerability exists in the webserver component of multiple Siemens industrial control devices. An attacker with network access to the webserver can cause the device to become unresponsive, disrupting operations. The vulnerability stems from an out-of-bounds read (CWE-125) in webserver processing logic.

What this means

What could happen

An attacker could make a PLC, drive controller, HMI panel, or I/O module stop responding to commands over the network, halting automated processes until the device is rebooted. This affects all SIMATIC CPUs, SINAMICS motor controllers, and field devices that expose their webserver to the network.

Who's at risk

Manufacturing plants using Siemens SIMATIC PLCs (S7-300, S7-400, S7-1500 families), SINAMICS motor drive controllers (G130, G150, S120, S150, S210), SIMATIC I/O modules (ET 200 series), SIMATIC communication modules (CP series), SIMATIC HMI touch panels, SITOP power supplies with management interfaces, and field-mounted RFID readers. Any facility with these devices exposed on a network segment accessible to an attacker is at risk.

How it could be exploited

An attacker sends a specially crafted network request to the webserver port of a vulnerable device. The webserver processes the request and reads memory outside its intended bounds, causing a crash or hang. The attacker does not need credentials or authentication, only network reachability to the device's webserver port (typically port 80 or 443).

Prerequisites

Network access to the webserver port of the affected device (typically port 80 or 443)
The webserver must be enabled (default state for most products)
No authentication required

Remotely exploitable over networkNo authentication requiredLow complexity attackAffects availability (denial of service)Many products have no fix availableMany products in long-term support or end-of-life stage

Exploitability

Low exploit probability (EPSS 0.4%)

Affected products (85)

61 with fix24 pending

ProductAffected VersionsFix Status

SIMATIC CP 1604 (6GK1160-4AA01)All versionsNo fix yet

SIMATIC CP 1616 (6GK1161-6AA02)All versionsNo fix yet

SIMATIC CP 343-1 AdvancedAll versionsNo fix yet

SIMATIC CP 443-1<V3.33.3

SIMATIC CP 443-1 Advanced<V3.33.3

Remediation & Mitigation

Siemens recommends upgrading to the following firmware updates for the products below: SIMATIC ET 200 SP Open Controller CPU 1515SP PC (incl. SIPLUS variants): Update to v2.1.6 SIMATIC ET 200 SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants): Update to v2.7 SIMATIC HMI Comfort Outdoor Panels 7" & 15" (incl. SIPLUS variants): Update to v15.1 Upd4 SIMATIC HMI Comfort Panels 4" - 22" (incl. SIPLUS variants): Update to v15.1 Upd4 SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F (incl. SIPLUS variants): Update to v15.1 Upd4 SIMATIC IPC DiagMonitor: Update to v5.1.3 SIMATIC RF185C, RF186C, and RF188C: Update to v1.1.0 SIMATIC RF600R: Update to v3.2.1 SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants): Update to v2.6.1 SIMATIC S7-1500 Software Controller: Update to v2.7 SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants): Update to v3.X.16 SIMATIC S7-PLCSIM Advanced: Update to v2.0 SP1 Upd1 SIMATIC WinAC RTX (F) 2010: Update to SP3 and apply BIOS and MS Windows updates SIMATIC WinCC Runtime Advanced: Update to v15.1 Upd4 SIMOCODE pro VPN (incl. SIPLUS variants): Update to v2.1.3 --------- Begin Update I Part 2 of 2 --------- SIMOCODE pro V EIP (incl. SIPLUS variants): Update to v1.1.3 --------- End Update I Part 2 of 2 --------- SINAMICS G130 v5.1 Control Unit: Update to v5.1 SP1 HF4 or later version, or to latest version ofv5.2 SINAMICS G130 v5.1 SP1 Control Unit: Update to v5.1 SP1 HF4 or later version SINAMICS G150 v5.1 Control Unit: Update to v5.1 SP1 HF4 or later version, or to latest version ofv5.2 SINAMICS G150 v5.1 SP1Control Unit: Update to v5.1 SP1 HF4 or later version SINAMICS S120 v5.1 Control Unit (incl. SIPLUS variants): Update to v5.1 SP1 HF4 or later version, or to latest version ofv5.2 SINAMICS S120 v5.1 SP1 Control Unit(incl. SIPLUS variants): Update to v5.1 SP1 HF4 or later version SINAMICS S150 v5.1 Control Unit: Update to v5.1 SP1 HF4 or later version, or to latest version ofv5.2 SINAMICS S150 v5.1 SP1 Control Unit: Update to v5.1 SP1 HF4 or later version SINAMICS G130 v4.6, v4.7, and v4.7 SP1: Update to v5.2 (latest version) SINAMICS G130 v4.8: Update to v4.8 HF6 SINAMICS G150 v4.6 and v4.7 SP1: Update to v5.2 (latest version) SINAMICS G150 v4.8: Update to v4.8 HF6 SINAMICS S120 v4.6 and v4.7 SP1 (incl. SIPLUS variants): Update to v5.2 (latest version) SINAMICS S120 v4.8 (incl. SIPLUS variants): Update to v4.8 HF6 SINAMICS S150 v4.6 and v4.7 SP1: Update to v5.2 (latest version) SINAMICS S150 v4.8: Update to v4.8 HF6 SITOP Manager: Update to v1.1 SITOP PSU8600: Update to v1.5 SITOP UPS1600 (incl. SIPLUS variants): Update to v2.3 TIM 1531 IRC (incl. SIPLUS NET variants): Update to v2.1 For all other affected products, Siemens has identified the following specific workarounds and mitigations users can apply to reduce the risk: Apply appropriate strategies for mitigation as described in the general security recommendation section. Restrict network access to the integrated webserver. Deactivate the webserver if not required and if deactivation is supported by the product. For SINAMICS S, G130, G150 devices: perform upgrade to a new fixed version, for example v5.2. As a general security measure, Siemens strongly recommends users protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends users configure the environment according to Siemens’ operational guidelines for Industrial Security, and follow the recommendations in the product manuals. Additional information on industrial security by Siemens can be found at: https://www.siemens.com/industrialsecurity For more information on the vulnerability and more detailed mitigation instructions, please see Siemens Security Advisory SSA-480230 CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should: Minimize network exposure

CVEs (1)

CVE-2019-6568

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/621a4228-36ec-4786-ad13-9ac74d4c019b