Siemens SIMATIC S7-300 CPUs and SINUMERIK Controller over Profinet (Update A)

Plan PatchCVSS 7.5ICS-CERT ICSA-20-070-02Mar 10, 2020

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple Siemens automation controllers are vulnerable to a denial-of-service attack via the PROFINET Engineering protocol (port 102/TCP). The vulnerability exists in SIMATIC S7-300 CPU family (all versions before 3.X.17), SIMATIC TDC CP51M1 (before v1.1.8), SIMATIC TDC CPU555 (before v1.1.1), and SINUMERIK 840D sl controllers (before v4.8.6 and v4.94 respectively). An attacker with network access to port 102 can send a malformed packet that causes the CPU to become unresponsive, preventing legitimate engineering communications and process control. No known public exploit exists; Siemens has released firmware updates for all affected products.

What this means

What could happen

An attacker who reaches port 102/TCP on these controllers over the plant network can cause a denial of service condition, stopping the PLC from responding to legitimate engineering commands and potentially halting industrial processes.

Who's at risk

Water treatment facilities, municipal electric utilities, and any organization using Siemens SIMATIC S7-300 PLCs, SIMATIC TDC controllers, or SINUMERIK CNC controllers for process automation should review this advisory. The SIMATIC S7-300 is particularly common in water and wastewater applications for pump control, flow measurement, and tank level management.

How it could be exploited

An attacker with network access to port 102/TCP (the PROFINET Engineering protocol port) can send a specially crafted packet that exhausts the CPU's resources, causing it to become unresponsive. This requires the attacker to be on or able to route to the plant network, but no authentication or interaction with plant staff is needed.

Prerequisites

Network access to port 102/TCP (PROFINET Engineering) on the controller
Ability to send crafted packets to the affected device (network routing path must exist)

remotely exploitableno authentication requiredlow complexityaffects production control systemsno patch urgency (not actively exploited but high CVSS)

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (5)

5 with fix

ProductAffected VersionsFix Status

SIMATIC S7-300 CPU family (incl.'related ET200 CPUs and SIPLUS variants): All<V3.X.173.X.17

SIMATIC TDC CP51M1: All<V1.1.81.1.8

SIMATIC TDC CPU555: All<V1.1.11.1.1

SINUMERIK 840D sl: All<V4.8.64.8.6

SINUMERIK 840D sl: All<V4.944.94

Remediation & Mitigation

0/8

Do now

0/1

WORKAROUNDRestrict access to port 102/TCP with a firewall rule, blocking external and non-engineering traffic

Schedule — requires maintenance window

0/5

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SIMATIC S7-300 CPU family to firmware version 3.X.17 or later

HOTFIXUpdate SIMATIC TDC CP51M1 to firmware version 1.1.8 or later

HOTFIXUpdate SIMATIC TDC CPU555 to firmware version 1.1.1 or later

HOTFIXUpdate SINUMERIK 840D sl to firmware version 4.8.6 or later

HOTFIXUpdate SINUMERIK 840D sl to firmware version 4.94 or later

Long-term hardening

0/2

HARDENINGSegment control system networks from the business network with firewalls; do not expose controllers to the Internet

HARDENINGUse VPN or other secure remote access mechanisms if remote engineering work is required

CVEs (1)

CVE-2019-18336

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/dd73547e-55df-4a50-88fc-ddf769540507

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.