Siemens SIMATIC S7-300 and S7-400 CPUs (Update C)
Monitor | 5.9 | ICS-CERT ICSA-20-252-02 | Sep 8, 2020
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
SIMATIC S7-300 and S7-400 CPUs, WinAC RTX (F) 2010, and SINUMERIK 840D sl are vulnerable to credential disclosure. The vulnerability exists in all versions of these products and allows an attacker with network access to extract sensitive authentication credentials from the devices. Siemens has not issued patches for any affected product line.
What this means
What could happen
An attacker who gains network access to an affected Siemens PLC or CNC controller could extract engineering or administrative credentials, which could then be used to modify program logic, alter process setpoints, or shut down production.
Who's at risk
Water and power utilities, manufacturing plants, and any facility operating Siemens SIMATIC S7-300 or S7-400 PLCs should assess their exposure. ET200 distributed I/O devices and SINUMERIK CNC controllers used in industrial automation are also affected. Facilities with older legacy equipment or SIPLUS hardened variants in hazardous or safety-critical applications are particularly vulnerable.
How it could be exploited
An attacker sends a specially crafted network request to the affected CPU over port 102 (Siemens S7 protocol). The device responds with authentication credentials stored in memory or configuration, which the attacker can extract and use to authenticate as an engineer or administrator on the same or other devices on the network.
Prerequisites
- Network access to the PLC/CPU on port 102 (Siemens S7 protocol)
- No authentication required to trigger credential disclosure
Tags: remotely exploitable; no authentication required; no patch available; affects critical control logic (PLCs and CNC controllers)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
4 EOL
Product | Affected Versions | Fix Status
--- | --- | ---
SIMATIC S7-400 CPU family (incl. SIPLUS variants) | All versions | No fix (EOL)
SIMATIC WinAC RTX (F) 2010 | All versions | No fix (EOL)
SINUMERIK 840D sl | All versions | No fix (EOL)
SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- HARDENING: Implement network segmentation to restrict access to affected Siemens CPUs and controllers. Isolate the OT network from corporate IT and the internet using firewalls and air-gapping where possible.
- WORKAROUND: Deploy firewall rules to restrict network access to Siemens S7 protocol ports (port 102 and related management ports) to authorized engineering workstations and HMI systems only.
- WORKAROUND: Disable or restrict remote access capabilities on affected CPUs and controllers, such as S7-300/400 Ethernet modules, unless absolutely required for operations.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC S7-400 CPU family (incl. SIPLUS variants): All versions, SIMATIC WinAC RTX (F) 2010: All versions, SINUMERIK 840D sl: All versions, SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants): All versions. Apply the following compensating controls:
- HARDENING: Follow Siemens operational security guidelines (IEC 62443) for Industrial Security. Configure devices according to product manuals, including review of default credentials and access control settings.
- HARDENING: Monitor network traffic to affected CPUs for unauthorized access attempts or suspicious communication patterns.
- HARDENING: Plan migration to newer Siemens controller platforms (S7-1200, S7-1500) which may have improved security. Document all legacy S7-300/400 installations and prioritize systems in safety-critical applications or directly connected to external networks.
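One way to operationalize the firewall-allowlist and traffic-monitoring controls above, as an added example that is not part of the advisory: a small Python checker that reads constructed Zeek-style conn.log lines, keeps only TCP/102 (S7) connections into the PLC subnet, and flags any source that is not an authorized engineering workstation or HMI. The PLC subnet, the allowlisted client addresses and the log layout are all assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample in Zeek conn.log style (tab-separated columns):
# ts  id.orig_h  id.orig_p  id.resp_h  id.resp_p  proto
SAMPLE_LOG = """\
1599552000.1\t10.10.1.20\t49152\t10.10.2.5\t102\ttcp
1599552001.4\t10.10.1.21\t49160\t10.10.2.5\t102\ttcp
1599552003.7\t192.168.50.9\t51000\t10.10.2.5\t102\ttcp
1599552004.2\t10.10.1.20\t49200\t10.10.2.6\t102\ttcp
1599552005.0\t192.168.50.9\t51001\t10.10.2.6\t102\ttcp
1599552006.3\t10.10.1.20\t49300\t10.10.2.5\t80\ttcp
"""

S7_PORT = 102  # Siemens S7 protocol (ISO-TSAP over TCP)

# Assumed addresses: the PLC subnet and the only hosts permitted to speak S7 to it
# (the "authorized engineering workstations and HMI systems" of the workaround).
PLC_NET = ipaddress.ip_network("10.10.2.0/24")
ALLOWED_S7_CLIENTS = {
    ipaddress.ip_address("10.10.1.20"),  # engineering workstation
    ipaddress.ip_address("10.10.1.21"),  # HMI
}


def parse_conn_log(text):
    """Yield (src, dst, dport, proto) for each non-comment conn.log line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        _ts, src, _sport, dst, dport, proto = line.split("\t")
        yield ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto


def find_unauthorized_s7(text):
    """Return {src: count} of S7 connections to the PLC subnet from non-allowlisted hosts."""
    hits = Counter()
    for src, dst, dport, proto in parse_conn_log(text):
        if proto != "tcp" or dport != S7_PORT or dst not in PLC_NET:
            continue  # not S7 traffic to a PLC; out of scope for this check
        if src not in ALLOWED_S7_CLIENTS:
            hits[str(src)] += 1
    return dict(hits)


if __name__ == "__main__":
    for src, n in find_unauthorized_s7(SAMPLE_LOG).items():
        print(f"ALERT: {n} S7 (TCP/102) connection(s) to PLC subnet from non-allowlisted host {src}")
```

The same allowlist is what the firewall rule in the first workaround should encode, so the checker doubles as a test that the rule is actually enforced.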
CVEs (1)