Siemens Multiple Denial of Service Vulnerabilities in Industrial Products

Plan PatchCVSS 7.5ICS-CERT ICSA-22-349-03Dec 13, 2022

SiemensManufacturingTransportation

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple input validation vulnerabilities (CWE-20, CWE-1284, CWE-1286, CWE-1287) in Siemens SIMATIC CPU firmware allow unauthenticated attackers to cause denial of service by sending specially crafted packets to port 102/TCP. Affected products include SIMATIC S7-1200 and S7-1500 CPU families, SIMATIC Drive Controllers, SIMATIC ET 200SP controllers, SIMATIC S7-PLCSIM Advanced, and related SIPLUS industrial variants. The vulnerabilities impact process control and motion control applications across manufacturing and transportation sectors. No public exploits are known, and exploitation requires only network access without special configuration or credentials.

What this means

What could happen

An attacker can crash Siemens PLC/controller CPUs from the network without credentials, stopping production processes until the device is manually restarted. Affected systems include S7-1200, S7-1500, Drive Controllers, and ET 200SP controllers used across manufacturing and transportation plants.

Who's at risk

Manufacturing plants and transportation systems using Siemens SIMATIC CPUs should prioritize this. Specifically: operators of S7-1200 and S7-1500 PLCs (most common in water/wastewater treatment, electrical substations, and process control), SIMATIC ET 200SP controllers in modular automation systems, SIMATIC Drive Controllers in conveyor and motor control applications, and any facility running SIMATIC S7-PLCSIM Advanced for testing/training environments.

How it could be exploited

An attacker with network access to port 102/TCP can send specially crafted packets to trigger input validation flaws in the firmware, causing the CPU to become unresponsive. The attacker needs only network reachability—no authentication or special configuration is required.

Prerequisites

Network access to port 102/TCP on affected CPU
No authentication credentials required
Ability to send Ethernet packets to the device

Remotely exploitableNo authentication requiredLow complexity attackAffects critical control devicesNetwork-accessible if improperly exposed

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (77)

77 with fix

ProductAffected VersionsFix Status

SIMATIC Drive Controller CPU 1504D TF<V2.9.72.9.7

SIMATIC Drive Controller CPU 1507D TF<V2.9.72.9.7

SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants)<V21.9.721.9.7

SIMATIC S7-1200 CPU family (incl. SIPLUS variants)<V4.6.04.6.0

SIMATIC S7-1500 CPU 1510SP F-1 PN<V2.9.72.9.7

Remediation & Mitigation

0/10

Do now

0/1

WORKAROUNDRestrict network access to port 102/TCP using external firewalls to allow only trusted engineering workstations and supervisory systems

Schedule — requires maintenance window

0/7

Patching may require device reboot — plan for process interruption

SIMATIC S7-1500 Software Controller V2

HOTFIXUpdate SIMATIC S7-1500 Software Controller V2 to firmware V21.9.7 or later

SIMATIC S7-PLCSIM Advanced

HOTFIXUpdate SIMATIC S7-PLCSIM Advanced to version V5.0 or later

SIPLUS TIM 1531 IRC

HOTFIXUpdate TIM 1531 IRC and SIPLUS TIM 1531 IRC to firmware V2.3.6 or later

All products

HOTFIXUpdate SIMATIC Drive Controller to firmware V3.0.1 or later

HOTFIXUpdate SIMATIC S7-1500 CPU family (all variants including ET200 CPUs and SIPLUS) to firmware V3.0.1 or later

HOTFIXUpdate SIMATIC S7-1200 CPU family (including SIPLUS variants) to firmware V4.6.0 or later

HOTFIXUpdate SIMATIC ET 200SP Open Controller CPU 1515SP PC2 to firmware V21.9.7 or later

Long-term hardening

0/2

HARDENINGIsolate PLC networks from business networks and the Internet using firewalls and network segmentation

HARDENINGImplement network access controls to ensure control system devices are not directly reachable from the Internet

CVEs (4)

CVE-2021-40365 CVE-2021-44693 CVE-2021-44694 CVE-2021-44695

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/566ddd9e-405c-4c5c-bf24-74d7e6cdfc65

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.