Siemens SIMATIC S7-1200 and S7-1500 CPU Families (Update A)
Priority: Plan Patch | CVSS v3: 8.1 | ICS-CERT ICSA-21-152-01 | May 28, 2021
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
SIMATIC S7-1200 and S7-1500 CPU families contain a memory protection bypass vulnerability (CWE-119) that could allow an attacker to write arbitrary data and code to protected memory areas or read sensitive data. The vulnerability affects the SIMATIC Drive Controller family, SIMATIC S7-1200 CPU family, SIMATIC S7-1500 CPU family, SIMATIC ET 200SP Open Controller CPU 1515SP PC2, SIMATIC S7-1500 Software Controller, and SIMATIC S7-PLCSIM Advanced. The attack has high complexity and requires network access to the PLC. Siemens has released firmware updates for most products, though SIMATIC ET 200SP Open Controller CPU 1515SP PC (non-PC2 variant) has no fix available.
What this means
What could happen
An attacker could bypass memory protection on SIMATIC S7-1200 and S7-1500 CPUs to read sensitive data or write arbitrary code to protected memory, potentially allowing them to alter process logic, change setpoints, or disable safety functions.
Who's at risk
Manufacturing facilities using Siemens SIMATIC S7-1200 or S7-1500 CPUs, SIMATIC Drive Controllers, SIMATIC ET 200SP Open Controllers, and related variants. This affects both the industrial CPUs themselves and software controllers used in process automation systems for control and monitoring.
How it could be exploited
An attacker with network access to the PLC could craft a specially designed S7 communication packet that exploits the memory protection bypass. This allows writing data to protected memory regions where control logic and safety parameters are stored, or reading sensitive data to facilitate further attacks.
Prerequisites
- Network access to the PLC on port 102 (S7 communication)
- S7 communication must be enabled on the target CPU
- High attack complexity suggests specific knowledge of memory layout and protection mechanisms is required
Tags: remotely exploitable · high attack complexity · memory protection bypass · affects critical control logic
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (7)
6 with fix, 1 EOL
Product | Affected Versions | Fix Status
SIMATIC Drive Controller family | < V2.9.2 | V2.9.2
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) | < V21.9 | V21.9
SIMATIC S7-1200 CPU family (incl. SIPLUS variants) | < V4.5.0 | V4.5.0
SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) | < V2.9.2 | V2.9.2
SIMATIC S7-1500 Software Controller | < V21.9 | V21.9
SIMATIC S7-PLCSIM Advanced | < V4.0 | V4.0
SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Apply password protection for S7 communication on the CPU
WORKAROUND: Use the ENDIS_PW instruction on S7-1200 or S7-1500 CPUs to block remote client connections
WORKAROUND: Use the display to configure additional access protection on S7-1500 CPUs to block remote client connections
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption
SIMATIC Drive Controller family
HOTFIX: Update SIMATIC Drive Controller family to V2.9.2 or later
SIMATIC S7-1500 Software Controller
HOTFIX: Update SIMATIC S7-1500 Software Controller to V21.9 or later
SIMATIC S7-PLCSIM Advanced
HOTFIX: Update SIMATIC S7-PLCSIM Advanced to V4.0 or later
All products
HOTFIX: Update SIMATIC S7-1200 CPU family to V4.5.0 or later
HOTFIX: Update SIMATIC S7-1500 CPU family to V2.9.2 or later
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 to V21.9 or later
Mitigations - no patch available
SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate PLC systems from untrusted networks and the business network using firewalls and network segmentation
HARDENING: Update TIA Portal to V17 and implement TLS communication with individual certificates between PLCs, HMIs, and engineering workstations
HARDENING: Restrict physical access to critical CPU components
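As an added illustration (not part of this advisory, nor Siemens or ICS-CERT code), the following Python check reads constructed connection-log lines and flags S7 (TCP/102) sessions to a PLC that come from hosts outside an engineering-workstation allowlist; this is the kind of monitoring that verifies the segmentation control above and the port-102 network-access prerequisite listed earlier. The log format, PLC addresses and allowlist are hypothetical.

```python
import re

# Constructed, hypothetical PLC addresses and approved engineering hosts.
PLC_HOSTS = {"10.10.5.11", "10.10.5.12"}
ENGINEERING_ALLOWLIST = {"10.10.1.20", "10.10.1.21"}
S7_PORT = 102  # S7 communication (ISO-on-TCP), as listed in the prerequisites

# Constructed firewall-style log format:
# <time> proto=<tcp|udp> src=<ip>:<port> dst=<ip>:<port> action=<allow|deny>
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+proto=(?P<proto>\w+)\s+"
    r"src=(?P<src>[\d.]+):(?P<sport>\d+)\s+"
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)\s+action=(?P<action>\w+)$"
)

# Constructed sample log: two allowlisted sessions, one non-S7 session,
# one allowed session from an unknown host, one denied attempt, one bad line.
SAMPLE_LOG = """\
2021-06-01T08:00:01Z proto=tcp src=10.10.1.20:50122 dst=10.10.5.11:102 action=allow
2021-06-01T08:00:07Z proto=tcp src=192.168.77.9:41000 dst=10.10.5.11:102 action=allow
2021-06-01T08:00:09Z proto=tcp src=10.10.1.21:50200 dst=10.10.5.12:102 action=allow
2021-06-01T08:00:15Z proto=tcp src=10.10.9.3:4433 dst=10.10.5.12:443 action=allow
2021-06-01T08:00:21Z proto=tcp src=172.16.3.4:39911 dst=10.10.5.12:102 action=deny
malformed line that should be skipped
"""


def parse_line(line):
    """Return the log fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_unexpected_s7_sessions(log_text):
    """Return (time, src, dst, action) for S7 sessions to a PLC from
    hosts not on the engineering allowlist. An 'allow' entry indicates a
    segmentation gap; a 'deny' entry is a blocked attempt worth reviewing."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["proto"] != "tcp":
            continue
        if int(rec["dport"]) != S7_PORT or rec["dst"] not in PLC_HOSTS:
            continue
        if rec["src"] in ENGINEERING_ALLOWLIST:
            continue
        findings.append((rec["time"], rec["src"], rec["dst"], rec["action"]))
    return findings


if __name__ == "__main__":
    for time, src, dst, action in find_unexpected_s7_sessions(SAMPLE_LOG):
        print(f"{time} {src} -> {dst}:{S7_PORT} ({action})")
```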
CVEs (1)