OTPulse

Siemens Multiple Denial of Service Vulnerabilities in Industrial Products

Plan Patch · CVSS 7.5 · ICS-CERT ICSA-22-349-03 · Dec 13, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple input validation vulnerabilities (CWE-20, CWE-1284, CWE-1286, CWE-1287) in Siemens SIMATIC CPU firmware allow unauthenticated attackers to cause denial of service by sending specially crafted packets to port 102/TCP. Affected products include SIMATIC S7-1200 and S7-1500 CPU families, SIMATIC Drive Controllers, SIMATIC ET 200SP controllers, SIMATIC S7-PLCSIM Advanced, and related SIPLUS industrial variants. The vulnerabilities impact process control and motion control applications across manufacturing and transportation sectors. No public exploits are known, and exploitation requires only network access without special configuration or credentials.

What this means
What could happen
An attacker can crash Siemens PLC/controller CPUs from the network without credentials, stopping production processes until the device is manually restarted. Affected systems include S7-1200, S7-1500, Drive Controllers, and ET 200SP controllers used across manufacturing and transportation plants.
Who's at risk
Manufacturing plants and transportation systems using Siemens SIMATIC CPUs should prioritize this. Specifically: operators of S7-1200 and S7-1500 PLCs (most common in water/wastewater treatment, electrical substations, and process control), SIMATIC ET 200SP controllers in modular automation systems, SIMATIC Drive Controllers in conveyor and motor control applications, and any facility running SIMATIC S7-PLCSIM Advanced for testing/training environments.
How it could be exploited
An attacker with network access to port 102/TCP can send specially crafted packets to trigger input validation flaws in the firmware, causing the CPU to become unresponsive. The attacker needs only network reachability—no authentication or special configuration is required.
Prerequisites
  • Network access to port 102/TCP on affected CPU
  • No authentication credentials required
  • Ability to send Ethernet packets to the device
Remotely exploitable · No authentication required · Low complexity attack · Affects critical control devices · Network-accessible if improperly exposed
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (77)
77 with fix
Product | Affected Versions | Fix Status
SIMATIC Drive Controller CPU 1504D TF | < V2.9.7 | 2.9.7
SIMATIC Drive Controller CPU 1507D TF | < V2.9.7 | 2.9.7
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) | < V21.9.7 | 21.9.7
SIMATIC S7-1200 CPU family (incl. SIPLUS variants) | < V4.6.0 | 4.6.0
SIMATIC S7-1500 CPU 1510SP F-1 PN | < V2.9.7 | 2.9.7
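The affected-version table is only useful once it is compared against what is actually deployed. The following inventory check is an added example (not OTPulse or Siemens code): it encodes the five table rows shown above as version constraints and flags inventory entries whose firmware falls below the fixed version. The full advisory covers 77 products, so the AFFECTED list must be extended from the vendor advisory before real use; the asset names, firmware strings and the substring-based product matching are assumptions made for the demonstration.

```python
"""Flag inventory entries still running affected firmware.

Added example, not OTPulse or Siemens code. AFFECTED holds the five table rows
visible on this page (the advisory lists 77 products, so extend it from the
vendor advisory). The inventory records and the substring matching of product
names are assumptions for the demo.
"""
import re

# (display name from the table, substring used to match inventory product names,
#  affected-version constraint, fixed version) -- values from the table rows above
AFFECTED = [
    ("SIMATIC Drive Controller CPU 1504D TF", "1504D TF", "<V2.9.7", "2.9.7"),
    ("SIMATIC Drive Controller CPU 1507D TF", "1507D TF", "<V2.9.7", "2.9.7"),
    ("SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants)",
     "1515SP PC2", "<V21.9.7", "21.9.7"),
    ("SIMATIC S7-1200 CPU family (incl. SIPLUS variants)", "S7-1200", "<V4.6.0", "4.6.0"),
    ("SIMATIC S7-1500 CPU 1510SP F-1 PN", "1510SP F-1 PN", "<V2.9.7", "2.9.7"),
]

# Constructed inventory (hypothetical asset names and firmware strings)
SAMPLE_INVENTORY = [
    {"asset": "PLC-LINE1", "product": "SIMATIC S7-1200 CPU 1214C DC/DC/DC", "firmware": "V4.5.2"},
    {"asset": "PLC-LINE2", "product": "SIPLUS S7-1200 CPU 1212C", "firmware": "V4.6.0"},
    {"asset": "DRV-01", "product": "SIMATIC Drive Controller CPU 1504D TF", "firmware": "v2.9.2"},
    {"asset": "PLC-SAFE", "product": "SIMATIC S7-1500 CPU 1510SP F-1 PN", "firmware": "V2.9.7"},
    {"asset": "HMI-01", "product": "SIMATIC HMI Comfort Panel", "firmware": "V17.0"},
]


def parse_version(text):
    """Turn 'V2.9.7', 'v2.9.2' or '2.9.7' into a tuple of ints that compares numerically."""
    m = re.fullmatch(r"[vV]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def version_satisfies(firmware, constraint):
    """True when `firmware` falls inside an affected-version constraint such as '<V2.9.7'."""
    if not constraint.startswith("<"):
        raise ValueError(f"only '<' constraints appear in this table: {constraint!r}")
    return parse_version(firmware) < parse_version(constraint[1:])


def assess(product, firmware):
    """Return (status, fixed_version) with status 'affected', 'fixed' or 'not listed'."""
    for _display, key, constraint, fixed in AFFECTED:
        if key.lower() in product.lower():
            status = "affected" if version_satisfies(firmware, constraint) else "fixed"
            return status, fixed
    return "not listed", None


def check_inventory(records):
    """Return the records still on affected firmware, each with the target version added."""
    findings = []
    for rec in records:
        status, fixed = assess(rec["product"], rec["firmware"])
        if status == "affected":
            findings.append({**rec, "update_to": fixed})
    return findings


if __name__ == "__main__":
    for f in check_inventory(SAMPLE_INVENTORY):
        print(f"{f['asset']}: {f['product']} on {f['firmware']} -> update to V{f['update_to']}")
```

Matching on a model substring rather than the full table name is what lets a "SIPLUS S7-1200 CPU 1212C" entry hit the "S7-1200 CPU family (incl. SIPLUS variants)" row; a device on exactly the fixed version (PLC-SAFE on V2.9.7) is reported as fixed, and products outside the table are left alone rather than guessed at.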
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to port 102/TCP using external firewalls to allow only trusted engineering workstations and supervisory systems
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC S7-1500 Software Controller V2
HOTFIX: Update SIMATIC S7-1500 Software Controller V2 to firmware V21.9.7 or later
SIMATIC S7-PLCSIM Advanced
HOTFIX: Update SIMATIC S7-PLCSIM Advanced to version V5.0 or later
SIPLUS TIM 1531 IRC
HOTFIX: Update TIM 1531 IRC and SIPLUS TIM 1531 IRC to firmware V2.3.6 or later
All products
HOTFIX: Update SIMATIC Drive Controller to firmware V3.0.1 or later
HOTFIX: Update SIMATIC S7-1500 CPU family (all variants including ET200 CPUs and SIPLUS) to firmware V3.0.1 or later
HOTFIX: Update SIMATIC S7-1200 CPU family (including SIPLUS variants) to firmware V4.6.0 or later
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 to firmware V21.9.7 or later
Long-term hardening
HARDENING: Isolate PLC networks from business networks and the Internet using firewalls and network segmentation
HARDENING: Implement network access controls to ensure control system devices are not directly reachable from the Internet