Siemens SIMATIC S7-300 CPUs and SINUMERIK Controller (Update A)
Monitor · 5.9 · ICS-CERT ICSA-20-315-04 · Nov 10, 2020
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A vulnerability in SIMATIC S7-300 CPUs, TDC CPU555, and SINUMERIK 840D controllers allows denial-of-service via specially crafted packets sent to port 102 (ISO-TSAP). No firmware updates are available from the vendor. The attack requires only network reachability to port 102 and no credentials.
What this means
What could happen
An attacker on the network can crash a SIMATIC S7-300 or SINUMERIK 840D controller by sending malicious packets to port 102, stopping your production processes until the device restarts.
Who's at risk
Water treatment and distribution systems, municipal power plants, and discrete manufacturing facilities using Siemens SIMATIC S7-300 programmable logic controllers (PLCs), TDC CPU555 controllers, or SINUMERIK CNC controllers are affected. This includes any facility relying on these devices for process automation or control.
How it could be exploited
An attacker sends specially crafted packets to port 102 (ISO-TSAP) on a reachable S7-300 CPU or SINUMERIK controller. The device crashes due to improper input validation, requiring manual restart to restore production.
Prerequisites
- Network access to port 102 (ISO-TSAP) on affected devices
- No authentication required
Tags: remotely exploitable · no authentication required · low complexity · no patch available · causes denial of service to critical control systems
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants) | All versions | No fix (EOL)
SIMATIC TDC CPU555 | All versions | No fix (EOL)
SINUMERIK 840D sl | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to port 102 (ISO-TSAP) on S7-300 CPUs and SINUMERIK 840D controllers using firewall rules or access control lists to only trusted engineering workstations and HMI systems
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Monitor for unexpected restarts or crashes on S7-300 and SINUMERIK devices as an indicator of exploitation attempts
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants), SIMATIC TDC CPU555, SINUMERIK 840D sl. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate S7-300 and SINUMERIK controllers on a separate VLAN with restricted access from corporate or less-trusted networks
HARDENING: Configure the industrial network according to Siemens operational guidelines for Industrial Security to establish a protected IT environment
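Two of the controls above can be checked mechanically: the port 102 allow-list (only trusted engineering workstations and HMIs may open ISO-TSAP connections) and the restart watch (a controller restart outside a maintenance window is a possible sign of exploitation). The script below is an added example written for this page, not part of the ICS-CERT advisory or of any Siemens tool. It reads constructed flow and controller-event records in an invented line format, flags port 102 connections from sources outside the trusted range, flags restarts outside the maintenance window, and ties each such restart to untrusted port 102 connections seen in the five minutes before it. The trusted range 10.10.5.0/28, the controller addresses 10.10.7.x, the maintenance window and every log line are assumptions made up for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import re

# Constructed policy: only these engineering-station/HMI addresses may reach ISO-TSAP.
TRUSTED_SOURCES = [ip_network("10.10.5.0/28")]
# Constructed maintenance window in which controller restarts are expected.
MAINTENANCE_WINDOWS = [(datetime(2020, 11, 12, 2, 0), datetime(2020, 11, 12, 4, 0))]
ISO_TSAP_PORT = 102
CORRELATION_WINDOW = timedelta(minutes=5)  # look-back from a restart to untrusted flows

# Invented record formats for this example (not a real collector's output).
FLOW_RE = re.compile(r"^(?P<ts>\S+) flow src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
EVENT_RE = re.compile(r"^(?P<ts>\S+) plc=(?P<plc>\S+) event=(?P<event>\S+)$")


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


@dataclass
class Event:
    ts: datetime
    plc: str   # controller address, so it can be matched against flow destinations
    event: str


def parse(lines):
    """Split raw lines into TCP flow records and controller events; skip comments/unknown lines."""
    flows, events = [], []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = FLOW_RE.match(line)
        if m:
            flows.append(Flow(datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"])))
            continue
        m = EVENT_RE.match(line)
        if m:
            events.append(Event(datetime.fromisoformat(m["ts"]), m["plc"], m["event"]))
    return flows, events


def is_trusted(src):
    """True if the source address falls inside an allow-listed engineering/HMI range."""
    addr = ip_address(src)
    return any(addr in net for net in TRUSTED_SOURCES)


def untrusted_iso_tsap_flows(flows):
    """Port 102 connections that the firewall/ACL workaround should have blocked."""
    return [f for f in flows if f.dport == ISO_TSAP_PORT and not is_trusted(f.src)]


def in_maintenance(ts):
    return any(start <= ts <= end for start, end in MAINTENANCE_WINDOWS)


def unexpected_restarts(events):
    """Controller restarts outside any declared maintenance window."""
    return [e for e in events if e.event == "RESTART" and not in_maintenance(e.ts)]


def correlate(restarts, flows):
    """For each unexpected restart, list untrusted sources that reached that controller shortly before."""
    findings = []
    for r in restarts:
        sources = sorted({f.src for f in flows
                          if f.dst == r.plc and r.ts - CORRELATION_WINDOW <= f.ts <= r.ts})
        if sources:
            findings.append((r.plc, r.ts.isoformat(), sources))
    return findings


def analyze(lines):
    flows, events = parse(lines)
    bad = untrusted_iso_tsap_flows(flows)
    restarts = unexpected_restarts(events)
    return {"untrusted_flows": len(bad),
            "unexpected_restarts": len(restarts),
            "correlated": correlate(restarts, bad)}


# Constructed sample records: one restart inside the maintenance window, one restart
# preceded by untrusted port 102 traffic, one restart with no suspicious traffic,
# and one untrusted connection to a port other than 102 (ignored by the port 102 check).
SAMPLE_LOG = """
2020-11-12T03:00:00 plc=10.10.7.22 event=RESTART
2020-11-12T09:00:01 flow src=10.10.5.10 dst=10.10.7.21 dport=102
2020-11-12T09:12:30 flow src=192.168.40.77 dst=10.10.7.21 dport=102
2020-11-12T09:12:31 flow src=192.168.40.77 dst=10.10.7.21 dport=102
2020-11-12T09:14:05 plc=10.10.7.21 event=RESTART
2020-11-12T09:30:00 flow src=10.10.5.12 dst=10.10.7.22 dport=102
2020-11-12T09:31:00 flow src=192.168.40.77 dst=10.10.7.22 dport=80
2020-11-12T11:00:00 plc=10.10.7.23 event=RESTART
""".strip().splitlines()

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

On the sample data this reports two untrusted port 102 connections and two restarts outside the maintenance window, and ties the 09:14:05 restart of 10.10.7.21 to the untrusted source 192.168.40.77. The 11:00:00 restart is still listed as unexpected but has no correlated source, which is the case to hand to operations rather than treat as an attack. Adapt the regular expressions to whatever the site's flow collector and engineering station actually emit.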
CVEs (1)