Siemens SIMATIC Panels and WinCC (TIA Portal)

Plan Patch7.5ICS-CERT ICSA-19-134-09Apr 9, 2019

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

An improper error handling vulnerability exists in the OPC UA server component of several Siemens SIMATIC industrial automation products. The vulnerability allows a remote attacker to send specially crafted requests that trigger a denial of service condition, causing the OPC UA service or the affected device to become unavailable. This disrupts communication between HMI panels, programmable logic controllers (PLCs), and engineering workstations, potentially halting automated processes. Affected products include SIMATIC HMI Comfort and KTP Mobile Panels, SIMATIC CPU controllers (ET 200SP, S7-1500 family), SIMATIC WinCC OA and Runtime Advanced, SIMATIC NET PC Software, SIMATIC IPC DiagMonitor, SIMATIC RF devices, SINEC NMS, SINEMA Server, SINUMERIK OPC UA Server, and TeleControl Server Basic. Some products including SIMATIC CP 443-1 OPC UA, SIMATIC NET PC Software V13 and V15 have no fix available from the vendor.

What this means

What could happen

An attacker can cause the OPC UA service to become unavailable by sending specially crafted requests, disrupting communication between HMI panels, controllers, and engineering workstations and potentially halting automated processes that depend on real-time data exchange.

Who's at risk

Manufacturing and process control organizations using Siemens SIMATIC products should care about this vulnerability. It affects HMI (human-machine interface) panels that operators use to monitor and control processes, programmable logic controllers (PLCs and CPUs) that execute control logic, software supervisory control systems, and OPC UA servers that enable communication between engineering workstations, control devices, and monitoring systems. Any facility relying on these devices for real-time process control is at risk.

How it could be exploited

An attacker with network access to the OPC UA server port (typically 4840) can send a malformed request that triggers improper error handling in the OPC UA implementation, causing the service to crash or become unresponsive. No credentials or user interaction are required.

Prerequisites

Network access to OPC UA server port (typically port 4840)
Target device must be running an affected version of the OPC UA server component

remotely exploitableno authentication requiredlow complexityaffects industrial automation systemscauses denial of service to critical control communication

Exploitability

Moderate exploit probability (EPSS 1.1%)

Affected products (19)

16 with fix3 pending

ProductAffected VersionsFix Status

SIMATIC CP 443-1 OPC UAAll versionsNo fix yet

SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants)<V2.72.7

SIMATIC HMI Comfort Outdoor Panels 7" & 15" (incl. SIPLUS variants)<V15.1 Upd 415.1 Upd4

SIMATIC HMI Comfort Panels 4" - 22" (incl. SIPLUS variants)<V15.1 Upd 415.1 Upd4

SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F<V15.1 Upd 415.1 Upd4

Remediation & Mitigation

0/20

Do now

0/2

WORKAROUNDRestrict network access to the web interface of affected devices using firewall rules

WORKAROUNDRestrict access to Port 161/UDP to only trusted devices and administrative networks

Schedule — requires maintenance window

0/16

Patching may require device reboot — plan for process interruption

Long-term hardening

0/2

HARDENINGIsolate control system networks behind firewalls and separate from business network

HARDENINGMinimize network exposure of affected devices and ensure they are not directly accessible from the Internet

CVEs (1)

CVE-2019-6575

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close