Siemens SIMATIC S7-1200 and S7-1500 CPU Families (Update A)

Plan PatchCVSS 8.1ICS-CERT ICSA-21-152-01May 28, 2021

SiemensManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

SIMATIC S7-1200 and S7-1500 CPU families contain a memory protection bypass vulnerability (CWE-119) that could allow an attacker to write arbitrary data and code to protected memory areas or read sensitive data. The vulnerability affects the SIMATIC Drive Controller family, SIMATIC S7-1200 CPU family, SIMATIC S7-1500 CPU family, SIMATIC ET 200SP Open Controller CPU 1515SP PC2, SIMATIC S7-1500 Software Controller, and SIMATIC S7-PLCSIM Advanced. The attack has high complexity and requires network access to the PLC. Siemens has released firmware updates for most products, though SIMATIC ET 200SP Open Controller CPU 1515SP PC (non-PC2 variant) has no fix available.

What this means

What could happen

An attacker could bypass memory protection on SIMATIC S7-1200 and S7-1500 CPUs to read sensitive data or write arbitrary code to protected memory, potentially allowing them to alter process logic, change setpoints, or disable safety functions.

Who's at risk

Manufacturing facilities using Siemens SIMATIC S7-1200 or S7-1500 CPUs, SIMATIC Drive Controllers, SIMATIC ET 200SP Open Controllers, and related variants. This affects both the industrial CPUs themselves and software controllers used in process automation systems for control and monitoring.

How it could be exploited

An attacker with network access to the PLC could craft a specially designed S7 communication packet that exploits the memory protection bypass. This allows writing data to protected memory regions where control logic and safety parameters are stored, or reading sensitive data to facilitate further attacks.

Prerequisites

Network access to the PLC on port 102 (S7 communication)
S7 communication must be enabled on the target CPU
High attack complexity suggests specific knowledge of memory layout and protection mechanisms is required

remotely exploitablehigh attack complexitymemory protection bypassaffects critical control logic

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (10)

9 with fix1 EOL

ProductAffected VersionsFix Status

SINAMICS PERFECT HARMONY GH180 DrivesDrives manufactured before 2021-08-13Drives manufactured 2021-08-13+

SINUMERIK MC< V6.156.15

SINUMERIK ONE< V6.156.15

SIMATIC Drive Controller family<V2.9.22.9.2

SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants)<V21.921.9

SIMATIC S7-1200 CPU family (incl. SIPLUS variants)<V4.5.04.5.0

SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants)<V2.9.22.9.2

SIMATIC S7-1500 Software Controller<V21.921.9

Remediation & Mitigation

0/12

Do now

0/3

WORKAROUNDApply password protection for S7 communication on the CPU

WORKAROUNDUse the ENDIS_PW instruction on S7-1200 or S7-1500 CPU to block remote client connections

WORKAROUNDUse the display to configure additional access protection on S7-1500 CPU to block remote client connections

Schedule — requires maintenance window

0/6

Patching may require device reboot — plan for process interruption

SIMATIC Drive Controller family

HOTFIXUpdate SIMATIC Drive Controller family to v2.9.2 or later

SIMATIC S7-1500 Software Controller

HOTFIXUpdate SIMATIC S7-1500 Software Controller to v21.9 or later

SIMATIC S7-PLCSIM Advanced

HOTFIXUpdate SIMATIC S7-PLCSIM Advanced to v4.0 or later

All products

HOTFIXUpdate SIMATIC S7-1200 CPU family to v4.5.0 or later

HOTFIXUpdate SIMATIC S7-1500 CPU family to v2.9.2 or later

HOTFIXUpdate SIMATIC ET 200SP Open Controller CPU 1515SP PC2 to v21.9 or later

Mitigations - no patch available

0/3

SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:

HARDENINGIsolate PLC systems from untrusted networks and the business network using firewalls and network segmentation

HARDENINGUpdate TIA Portal to v17 and implement TLS communication with individual certificates between PLC, HMIs, and engineering workstations

HARDENINGRestrict physical access to critical CPU components

CVEs (1)

CVE-2020-15782

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/0a58f945-6e53-4fdd-946e-cfdf1fcd068b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.