Siemens SIMATIC S7-1500 (Update A)
Action: Plan Patch
CVSS: 7.5
Source: ICS-CERT ICSA-20-042-11
Published: Feb 11, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A resource exhaustion vulnerability (CWE-400) exists in the Siemens SIMATIC S7-1500 CPU family and related controllers. The vulnerability allows a remote attacker to send specially crafted S7 communication protocol requests that cause the affected CPU to consume excessive resources, resulting in denial of service. This affects the SIMATIC S7-1500 CPU family (firmware v2.5 through v2.7), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (v2.5 through v20.7), and SIMATIC S7-1500 Software Controller (v2.5 through v20.7). No public exploits are currently known, though the vulnerability has been assigned a CVSS score of 7.5 (high severity).
What this means
What could happen
A remote attacker with network access can cause a denial of service by exhausting resources on the affected Siemens SIMATIC S7-1500 CPU, potentially disrupting continuous operation of critical industrial processes like water treatment or power generation.
Who's at risk
Water authorities and municipal electric utilities operating Siemens SIMATIC S7-1500 CPU controllers, ET200SP Open Controller CPU 1515SP PC2, or S7-1500 Software Controller for SCADA or process automation should be concerned. Any facility using these controllers for real-time process management (treatment plants, distribution systems, generation facilities) is at risk of operational disruption.
How it could be exploited
An attacker on the network sends specially crafted requests to the affected CPU (TCP port 102, used by the S7 communication protocol) without requiring any credentials. The device processes these requests inefficiently, exhausting CPU resources and causing the controller to become unresponsive to legitimate process control commands.
Prerequisites
- Network reachability to TCP port 102 (S7 communication protocol)
- Device running vulnerable firmware version (S7-1500 CPU v2.5 to v2.7, ET200SP Open Controller v2.5 to v20.7, or Software Controller v2.5 to v20.7)
- No authentication required
Tags: remotely exploitable · no authentication required · low complexity · affects industrial automation and safety-critical operations · causes denial of service on critical control devices
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (3)
3 with fix
Product / Affected Versions / Fix Status
- SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants): all ≥ V2.5 and < V20.8; fixed in V20.8 (V2x.8 corresponds to V2.8 of the S7-1500 CPU firmware)
- SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants): all ≥ V2.5 and < V2.8; fixed in V2.8
- SIMATIC S7-1500 Software Controller: all ≥ V2.5 and < V20.8; fixed in V20.8 (V2x.8 corresponds to V2.8 of the S7-1500 CPU firmware)
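The affected ranges above are half-open intervals (first affected version inclusive, first fixed version exclusive), and the Open Controller and Software Controller use a V20.x numbering that maps onto the S7-1500 CPU's V2.x. The following script, an added example that is not part of the advisory or Siemens' own tooling, checks a controller inventory against those ranges and sorts each device into the advisory's remediation buckets. The product-family keys, the inventory records and the `exposed` flag (meaning TCP/102 is reachable from outside the control segment) are constructed for illustration.

```python
"""Triage a PLC inventory against the affected-version table above.

Added example, not part of the advisory. Product-family keys, the inventory
records and the `exposed` flag are constructed for illustration.
"""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected ranges from the table: [first affected, first fixed) per family.
AFFECTED_RANGES: Dict[str, Tuple[Version, Version]] = {
    "SIMATIC S7-1500 CPU family": ((2, 5), (2, 8)),
    "SIMATIC ET 200SP Open Controller CPU 1515SP PC2": ((2, 5), (20, 8)),
    "SIMATIC S7-1500 Software Controller": ((2, 5), (20, 8)),
}


def parse_version(text: str) -> Version:
    """Turn 'V2.6.1', 'v20.7' or '2.8' into a comparable tuple of ints.

    Raises ValueError for anything that is not a dotted numeric version, so a
    typo in the inventory fails loudly instead of being treated as patched.
    """
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def format_version(v: Version) -> str:
    return "V" + ".".join(str(part) for part in v)


def is_affected(family: str, version: str) -> bool:
    """True if `version` lies in the advisory's affected range for `family`."""
    first_affected, first_fixed = AFFECTED_RANGES[family]
    v = parse_version(version)
    # Tuple comparison makes (2, 7, 1) < (2, 8) and (2, 8, 0) >= (2, 8),
    # which is how firmware versions should compare.
    return first_affected <= v < first_fixed


def triage(device: dict) -> dict:
    """Map one inventory record to the advisory's remediation buckets."""
    family = device["family"]
    affected = is_affected(family, device["firmware"])
    fix = format_version(AFFECTED_RANGES[family][1])
    if not affected:
        action = "none"
    elif device["exposed"]:
        # Reachable on TCP/102 from outside the control segment: apply the
        # firewall workaround now, then schedule the firmware update.
        action = "restrict-port-102-now, schedule-update"
    else:
        action = "schedule-update"
    return {"name": device["name"], "affected": affected, "fix": fix, "action": action}


# Constructed sample inventory (hypothetical device names, not real hosts).
INVENTORY: List[dict] = [
    {"name": "plc-intake-01", "family": "SIMATIC S7-1500 CPU family",
     "firmware": "V2.6.1", "exposed": True},
    {"name": "plc-filter-02", "family": "SIMATIC S7-1500 CPU family",
     "firmware": "V2.8.1", "exposed": False},
    {"name": "oc-lab-01", "family": "SIMATIC ET 200SP Open Controller CPU 1515SP PC2",
     "firmware": "V20.7", "exposed": False},
    {"name": "swctl-hist-01", "family": "SIMATIC S7-1500 Software Controller",
     "firmware": "v20.8", "exposed": True},
]


def triage_inventory(inventory: List[dict] = INVENTORY) -> List[dict]:
    return [triage(d) for d in inventory]


if __name__ == "__main__":
    for row in triage_inventory():
        print(f"{row['name']:<16} affected={row['affected']!s:<5} "
              f"fix={row['fix']:<6} action={row['action']}")
```

The version parser rejects non-numeric strings on purpose: an inventory field such as "unknown" should surface as an error to chase down, not silently land in the "not affected" bucket.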
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to affected CPUs using firewall rules to only allow S7 communication from authorized engineering workstations and trusted systems
Schedule (requires maintenance window)
Patching may require a device reboot; plan for process interruption.
- HOTFIX: Update SIMATIC S7-1500 CPU family to firmware version 2.8 or later
- HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 to firmware version 20.8 or later
- HOTFIX: Update SIMATIC S7-1500 Software Controller to version 20.8 or later
Long-term hardening
- HARDENING: Implement network segmentation to isolate the S7-1500 control network from untrusted networks and limit access to port 102
CVEs (1)