Siemens SIMATIC S7-1500 (Update A)

Plan PatchCVSS 7.5ICS-CERT ICSA-20-042-11Feb 11, 2020

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A resource exhaustion vulnerability (CWE-400) exists in Siemens SIMATIC S7-1500 CPU family and related controllers. The vulnerability allows a remote attacker to send specially crafted S7 communication protocol requests that cause the affected CPU to consume excessive resources, resulting in denial of service. This affects SIMATIC S7-1500 CPU family (firmware v2.5 through v2.7), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (v2.5 through v20.7), and SIMATIC S7-1500 Software Controller (v2.5 through v20.7). No public exploits are currently known, though the vulnerability has been assigned a CVSS score of 7.5 (high severity).

What this means

What could happen

A remote attacker with network access can cause a denial of service by exhausting resources on the affected Siemens SIMATIC S7-1500 CPU, potentially disrupting continuous operation of critical industrial processes like water treatment or power generation.

Who's at risk

Water authorities and municipal electric utilities operating Siemens SIMATIC S7-1500 CPU controllers, ET200SP Open Controller CPU 1515SP PC2, or S7-1500 Software Controller for SCADA or process automation should be concerned. Any facility using these controllers for real-time process management (treatment plants, distribution systems, generation facilities) is at risk of operational disruption.

How it could be exploited

An attacker on the network sends specially crafted requests to the affected CPU (port 102 for S7 communication protocol) without requiring any credentials. The device processes these requests inefficiently, exhausting CPU resources and causing the controller to become unresponsive to legitimate process control commands.

Prerequisites

Network reachability to port 102 (S7 communication protocol)
Device running vulnerable firmware version (S7-1500 CPU v2.5 to v2.7, ET200SP Open Controller v2.5 to v20.7, or Software Controller v2.5 to v20.7)
No authentication required

remotely exploitableno authentication requiredlow complexityaffects industrial automation and safety-critical operationscauses denial of service on critical control devices

Exploitability

Unlikely to be exploited — EPSS score 0.6%

Affected products (3)

3 with fix

ProductAffected VersionsFix Status

SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants): All≥ V2.5 and <V20.820.8 (V2x.8 corresponds to V2.8 of the S7-1500 CPU firmware)

SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants): All≥ V2.5 and <V2.82.8

SIMATIC S7-1500 Software Controller: All≥ V2.5 and <V20.820.8 (V2x.8 corresponds to V2.8 of the S7-1500 CPU firmware)

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDRestrict network access to affected CPUs using firewall rules to only allow S7 communication from authorized engineering workstations and trusted systems

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SIMATIC S7-1500 CPU family to firmware version 2.8 or later

HOTFIXUpdate SIMATIC ET 200SP Open Controller CPU 1515SP PC2 to firmware version 20.8 or later

HOTFIXUpdate SIMATIC S7-1500 Software Controller to version 20.8 or later

Long-term hardening

0/1

HARDENINGImplement network segmentation to isolate the S7-1500 control network from untrusted networks and limit access to port 102

CVEs (1)

CVE-2019-19281

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/9bcd6766-4864-47e7-ade8-a2c84261cc41

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.