Siemens SIMATIC Industrial Products (Update A)
Action: Plan Patch · Score 7.5 · ICS-CERT ICSA-22-041-01 · Feb 8, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Three vulnerabilities in Siemens SIMATIC firmware (CWE-672 improper validation, CWE-401 missing release of resources) allow unauthenticated attackers to cause denial of service conditions under certain network conditions. The vulnerabilities affect multiple SIMATIC product families including Drive Controllers, S7-1200, S7-1500, ET 200SP controllers, and TIM 1531 IRC devices. Siemens has released firmware updates for most products; however, SIMATIC ET 200SP CPU 1515SP PC and CPU 1515SP PC2 Ready4Linux (all versions) have no fix available and require network-level protection instead.
What this means
What could happen
An unauthenticated attacker on the network could trigger a denial of service condition that disrupts or halts PLC operations, interrupting production, water treatment, or power distribution processes depending on the device's role.
Who's at risk
Manufacturing plants, municipal utilities, and water treatment facilities using Siemens SIMATIC controllers (S7-1200, S7-1500, Drive Controller, ET 200SP, PLCSIM, and TIM devices) are affected. This includes both hardwired PLCs and software-based controllers used in critical process automation and safety systems.
How it could be exploited
An attacker with network access to the affected Siemens controller sends specially crafted packets to trigger the vulnerability, causing the device to stop responding or crash. No authentication is required and the attack can be executed remotely if the device is reachable from the attacker's network segment.
Prerequisites
- Network access to the affected Siemens controller on ports used for Siemens communication (typically 102 for S7 protocol)
- No valid credentials required
- Device must be running a vulnerable firmware version
Tags: remotely exploitable · no authentication required · low complexity · high availability impact (denial of service) · affects production and safety-critical operations
Exploitability
Moderate exploit probability (EPSS 2.0%)
Affected products (16)
15 with fix · 1 EOL
Product | Affected Versions | Fix Status
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 Ready4Linux | All versions | 21.9.4
SIMATIC Drive Controller family | ≥ V2.9.2, < V2.9.4 | 2.9.4
SIMATIC Drive Controller family | < V2.9.2 | 2.9.4
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) | ≥ V21.9, < V21.9.4 | 21.9.4
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) | < V21.9 | 21.9.4
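The version ranges above are easy to misread by hand (for example, "V2.9.10" is newer than "V2.9.4" but sorts before it as a string). The following is an added example, not code from the advisory or from Siemens: it encodes the Drive Controller and CPU 1515SP PC2 rows of the table, plus the end-of-life CPU 1515SP PC as "all versions, no fix", and checks a constructed firmware inventory against them. Asset names and firmware values in the inventory are made up for illustration.

```python
"""Check SIMATIC firmware versions against the ICSA-22-041-01 affected-version table."""
import re

# (product, lower bound inclusive, upper bound exclusive, fixed version); None = unbounded / no fix.
# Ranges copied from the advisory table; the 1515SP PC row reflects the page's EOL note.
AFFECTED = [
    ("SIMATIC Drive Controller family", "V2.9.2", "V2.9.4", "V2.9.4"),
    ("SIMATIC Drive Controller family", None, "V2.9.2", "V2.9.4"),
    ("SIMATIC ET 200SP Open Controller CPU 1515SP PC2", "V21.9", "V21.9.4", "V21.9.4"),
    ("SIMATIC ET 200SP Open Controller CPU 1515SP PC2", None, "V21.9", "V21.9.4"),
    ("SIMATIC ET 200SP Open Controller CPU 1515SP PC", None, None, None),  # EOL, no fix
]

# Constructed sample inventory: (asset name, product, reported firmware version).
INVENTORY = [
    ("plc-line1", "SIMATIC Drive Controller family", "V2.9.3"),
    ("plc-line2", "SIMATIC Drive Controller family", "V2.9.10"),
    ("oc-pump1", "SIMATIC ET 200SP Open Controller CPU 1515SP PC2", "V21.8.1"),
    ("oc-legacy", "SIMATIC ET 200SP Open Controller CPU 1515SP PC", "V2.1"),
]


def parse_version(text):
    """Turn 'V2.9.4' / 'v21.9' into an int tuple so comparisons are numeric, not lexical."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def assess(product, version):
    """Return ('affected', fix) | ('fixed', None) | ('not_listed', None) for one device."""
    v = parse_version(version)
    listed = False
    for name, lo, hi, fix in AFFECTED:
        if name != product:
            continue
        listed = True
        if lo is not None and v < parse_version(lo):
            continue          # below this range's lower bound
        if hi is not None and v >= parse_version(hi):
            continue          # at or above the fixed version for this range
        return ("affected", fix)
    return ("fixed", None) if listed else ("not_listed", None)


def report(inventory):
    """Map each asset to the remediation the advisory gives: patch target or network restriction."""
    rows = []
    for asset, product, fw in inventory:
        status, fix = assess(product, fw)
        if status == "affected":
            action = f"update to {fix}" if fix else "no fix: restrict network access to authorised hosts"
        else:
            action = "none"
        rows.append((asset, status, action))
    return rows
```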
Remediation & Mitigation
Do now
WORKAROUND: Use firewall rules to restrict network access to SIMATIC ET 200SP Open Controller CPU 1515SP PC and CPU 1515SP PC2 Ready4Linux devices that cannot be patched, allowing communication only from authorized engineering workstations and operator interfaces
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC Drive Controller family
HOTFIX: Update SIMATIC Drive Controller family to v2.9.4 or later
SIMATIC S7-1500 Software Controller
HOTFIX: Update SIMATIC S7-1500 Software Controller to v21.9.4 or later
SIMATIC S7-PLCSIM Advanced
HOTFIX: Update SIMATIC S7-PLCSIM Advanced to v4.0 SP1 or later
SIPLUS TIM 1531 IRC
HOTFIX: Update SIPLUS TIM 1531 IRC to v2.3.6 or later
TIM 1531 IRC
HOTFIX: Update TIM 1531 IRC to v2.3.6 or later
All products
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 to v21.9.4 or later
HOTFIX: Update SIMATIC S7-1200 CPU family to v4.5.2 or later
HOTFIX: Update SIMATIC S7-1500 CPU family to v2.9.4 or later
Mitigations - no patch available
SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate control system networks from the business network and prevent direct Internet access to all affected Siemens devices
HARDENING: Deploy Siemens-recommended industrial security practices, including appropriate authentication mechanisms and network segmentation, as documented in Siemens operational guidelines