Siemens SIMATIC S7-300 CPUs and SINUMERIK Controller over Profinet (Update A)
Status: Plan Patch | Score: 7.5 | ICS-CERT ICSA-20-070-02 | Mar 10, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple Siemens automation controllers are vulnerable to a denial-of-service attack via the PROFINET Engineering protocol (port 102/TCP). The vulnerability exists in the SIMATIC S7-300 CPU family (all versions before 3.X.17), SIMATIC TDC CP51M1 (before v1.1.8), SIMATIC TDC CPU555 (before v1.1.1), and SINUMERIK 840D sl controllers (before v4.8.6 and before v4.94). An attacker with network access to port 102 can send a malformed packet that causes the CPU to become unresponsive, preventing legitimate engineering communications and process control. No known public exploit exists; Siemens has released firmware updates for all affected products.
What this means
What could happen
An attacker who reaches port 102/TCP on these controllers over the plant network can cause a denial of service condition, stopping the PLC from responding to legitimate engineering commands and potentially halting industrial processes.
Who's at risk
Water treatment facilities, municipal electric utilities, and any organization using Siemens SIMATIC S7-300 PLCs, SIMATIC TDC controllers, or SINUMERIK CNC controllers for process automation should review this advisory. The SIMATIC S7-300 is particularly common in water and wastewater applications for pump control, flow measurement, and tank level management.
How it could be exploited
An attacker with network access to port 102/TCP (the PROFINET Engineering protocol port) can send a specially crafted packet that exhausts the CPU's resources, causing it to become unresponsive. This requires the attacker to be on or able to route to the plant network, but no authentication or interaction with plant staff is needed.
Prerequisites
- Network access to port 102/TCP (PROFINET Engineering) on the controller
- Ability to send crafted packets to the affected device (network routing path must exist)
Tags: remotely exploitable · no authentication required · low complexity · affects production control systems · no patch urgency (not actively exploited but high CVSS)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (5), all with a fix available

Product                                                                   | Affected Versions | Fix Status
SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants)  | All < V3.X.17     | Fixed in V3.X.17
SIMATIC TDC CP51M1                                                        | All < V1.1.8      | Fixed in V1.1.8
SIMATIC TDC CPU555                                                        | All < V1.1.1      | Fixed in V1.1.1
SINUMERIK 840D sl                                                         | All < V4.8.6      | Fixed in V4.8.6
SINUMERIK 840D sl                                                         | All < V4.94       | Fixed in V4.94
Remediation & Mitigation
Do now
WORKAROUND: Restrict access to port 102/TCP with a firewall rule, blocking external and non-engineering traffic
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
HOTFIX: Update SIMATIC S7-300 CPU family to firmware version 3.X.17 or later
HOTFIX: Update SIMATIC TDC CP51M1 to firmware version 1.1.8 or later
HOTFIX: Update SIMATIC TDC CPU555 to firmware version 1.1.1 or later
HOTFIX: Update SINUMERIK 840D sl to firmware version 4.8.6 or later
HOTFIX: Update SINUMERIK 840D sl to firmware version 4.94 or later
Long-term hardening
HARDENING: Segment control system networks from the business network with firewalls; do not expose controllers to the Internet
HARDENING: Use VPN or other secure remote access mechanisms if remote engineering work is required
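The "Do now" workaround above restricts port 102/TCP to engineering hosts; a way to verify that restriction is holding is to scan firewall or flow logs for TCP/102 connections to controllers from any source outside the engineering allowlist. The script below is an added example, not part of the advisory or of any Siemens tooling; the log format, the controller subnet and the allowlisted addresses are constructed assumptions.

```python
# Added example (not from the advisory): flag TCP/102 (PROFINET Engineering)
# connections to controllers that did not originate from an allowlisted
# engineering workstation. Log format and addresses are constructed.
import ipaddress
import re

# Constructed assumptions: controllers live in 10.10.5.0/24 and only two
# engineering workstations may open port 102 on them.
CONTROLLER_NET = ipaddress.ip_network("10.10.5.0/24")
ENGINEERING_ALLOWLIST = {"10.10.1.10", "10.10.1.11"}

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)


def parse_line(line):
    """Return (src, dst, proto, dport) from a log line, or None if it does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["dst"], m["proto"].lower(), int(m["dport"])


def find_unauthorized_102(lines, allowlist=ENGINEERING_ALLOWLIST, net=CONTROLLER_NET):
    """Return (src, dst) pairs where a non-allowlisted host reached TCP/102 on a controller."""
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, proto, dport = parsed
        if proto != "tcp" or dport != 102:
            continue  # only the PROFINET Engineering port matters here
        if ipaddress.ip_address(dst) not in net:
            continue  # destination is not one of the controllers
        if src not in allowlist:
            hits.append((src, dst))
    return hits


SAMPLE_LOG = [  # constructed sample lines in a generic "key=value" firewall format
    "2020-03-10T09:00:01 FW ACCEPT src=10.10.1.10 dst=10.10.5.20 proto=TCP dport=102",
    "2020-03-10T09:00:07 FW ACCEPT src=192.168.50.33 dst=10.10.5.20 proto=TCP dport=102",
    "2020-03-10T09:00:09 FW ACCEPT src=192.168.50.33 dst=10.10.5.21 proto=TCP dport=80",
    "2020-03-10T09:00:12 FW ACCEPT src=10.10.1.11 dst=10.10.5.21 proto=TCP dport=102",
    "2020-03-10T09:00:15 FW ACCEPT src=172.16.9.4 dst=10.10.7.5 proto=TCP dport=102",
]

if __name__ == "__main__":
    for src, dst in find_unauthorized_102(SAMPLE_LOG):
        print(f"unauthorized PROFINET Engineering access: {src} -> {dst}:102")
```

Any hit is a host that should either be added to the allowlist after review or blocked by the firewall rule the workaround calls for.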
CVEs (1)