OTPulse

Siemens SIMATIC S7 (Update B)

Monitor · 5.3 · ICS-CERT ICSA-20-042-05 · Feb 11, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIMATIC S7 CPU families are affected by a denial of service vulnerability in the integrated web server. A remote attacker can send a specially crafted HTTP request to port 80/TCP or 443/TCP to cause the web server to become unresponsive, disrupting device availability. The web server is disabled by default but can be optionally enabled for remote monitoring and configuration.

What this means
What could happen
An attacker could disable the web server on your S7 CPU, preventing remote monitoring and configuration of your process control system. If the web server is used for operational tasks, this would disrupt access to the device until it is manually restarted.
Who's at risk
This affects Siemens SIMATIC S7 CPU families used as the core controller in manufacturing, water treatment, and power systems. Specific impact depends on your CPU model: S7-1200, S7-300, S7-400, ET 200 distributed I/O controllers, and WinAC software-based controllers. Organizations running legacy S7-400 V6/V7 or WinAC RTX variants should note that no firmware patch is available from the vendor.
How it could be exploited
An attacker on the network sends a malformed HTTP request to the web server running on the CPU (port 80 or 443). The request causes the web server process to crash or hang, making the device unresponsive to web-based requests. If web access is used for operations, the plant operator loses remote visibility and control until the device is restarted.
Prerequisites
  • Network access to port 80/TCP or 443/TCP on the affected device
  • Web server must be enabled (disabled by default)
  • No authentication required
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Affects legacy/end-of-life hardware with no vendor fix available
  • Web server enabled introduces unnecessary exposure
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (27)
23 with fix, 4 pending
Product | Affected Versions | Fix Status
SIMATIC ET 200pro IM154-8 PN/DP CPU | <V3.X.17 | 3.X.17
SIMATIC ET 200pro IM154-8F PN/DP CPU | <V3.X.17 | 3.X.17
SIMATIC ET 200pro IM154-8FX PN/DP CPU | <V3.X.17 | 3.X.17
SIMATIC ET 200S IM151-8 PN/DP CPU | <V3.X.17 | 3.X.17
SIMATIC ET 200S IM151-8F PN/DP CPU | <V3.X.17 | 3.X.17
Remediation & Mitigation
Do now
WORKAROUND: Disable the integrated web server if not required for operations
WORKAROUND: Restrict access to ports 80/TCP and 443/TCP to trusted internal IP addresses and VPN users only using firewall rules
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update S7-1200 CPU family to firmware version 4.1 or later
HOTFIX: Update S7-300 PN/DP CPU family and related ET200 CPUs to firmware version 3.X.17 or later
Long-term hardening
HARDENING: Isolate S7 CPU devices behind firewalls and do not expose them directly to the Internet
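
The remediation steps above, applied to an asset inventory. This is an added example, not part of the advisory or of any Siemens or OTPulse tooling. The inventory keys, family labels and sample devices are hypothetical, and "3.X.17" is assumed to mean major version 3, any middle field, last field at least 17.

```python
import re

# Fixed versions as stated in the advisory. "3.X.17" is read as: major 3,
# any middle field, last field >= 17 (an assumption about the notation).
FIXES = {"S7-1200": (4, 1), "S7-300 PN/DP": (3, None, 17), "ET 200": (3, None, 17)}
NO_VENDOR_FIX = {"S7-400 V6", "S7-400 V7", "WinAC RTX"}


def is_fixed(family, firmware):
    """True if firmware is at or above the fixed version given for family."""
    fix = FIXES[family]
    have = tuple(int(n) for n in re.findall(r"\d+", firmware))
    have += (0,) * (len(fix) - len(have))  # pad short strings such as "V4"
    for want, got in zip(fix, have):
        if want is None:  # wildcard field ("X")
            continue
        if got != want:
            return got > want
    return True


def triage(dev):
    """Map one inventory record to the advisory's remediation steps."""
    if dev["family"] in NO_VENDOR_FIX:
        steps = ["no vendor fix: keep workarounds in place"]
    elif is_fixed(dev["family"], dev["firmware"]):
        return ["fixed firmware installed"]
    else:
        steps = ["schedule firmware update (maintenance window)"]
    if dev["web_server"]:
        if not dev["ports_restricted"]:
            steps.insert(0, "restrict 80/TCP and 443/TCP to trusted addresses")
        steps.insert(0, "disable web server if not required")
    return steps


# Constructed sample inventory; names, keys and versions are illustrative only.
INVENTORY = [
    {"name": "plc-a", "family": "S7-1200", "firmware": "V4.0.3",
     "web_server": True, "ports_restricted": False},
    {"name": "plc-b", "family": "ET 200", "firmware": "V3.2.17",
     "web_server": True, "ports_restricted": False},
    {"name": "plc-c", "family": "WinAC RTX", "firmware": "n/a",
     "web_server": True, "ports_restricted": True},
    {"name": "plc-d", "family": "S7-300 PN/DP", "firmware": "V3.2.8",
     "web_server": False, "ports_restricted": False},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        print(dev["name"], "->", "; ".join(triage(dev)))
```

A device whose web server is off still gets the firmware step, since the web server can be enabled later.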