OTPulse

Siemens SIMATIC S7-200 SMART Devices

Plan Patch · CVSS 8.2 · ICS-CERT ICSA-24-165-02 · Jun 11, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIMATIC S7-200 SMART devices generate the IPv4 Identification (IP ID) field from a predictable sequence. Anyone who can elicit replies from the device can read that sequence to infer its network traffic patterns, and the weakness opens the device to the known family of IP-ID-based attacks, which can end in a denial of service. Affected models are the CR40, CR60, SR20, SR30, SR40, SR60, ST20, ST30, ST40 and ST60 CPUs, all versions. All of them are end of life and no vendor fix is available.

What this means
What could happen
An attacker could infer network traffic patterns on your production network and create denial of service conditions against the PLC, potentially interrupting process control or monitoring functions.
Who's at risk
Water and electric utilities that run Siemens SIMATIC S7-200 SMART PLCs (CR, SR and ST series) in their process control networks should prioritize this. These are compact PLCs commonly deployed in pump stations, SCADA substations and remote telemetry units, where an outage interrupts control or monitoring of the process.
How it could be exploited
An attacker with network access to the device, or with a view of its traffic, sends it a stream of probes that force a reply (ICMP echo requests or TCP SYN/ACK packets, for example) and records the IP ID of each reply. Because the field advances in a predictable sequence, the gap between two consecutive replies reveals how many packets the device sent to other hosts in between, so the attacker learns when the PLC is exchanging data with its HMI or SCADA server without seeing that traffic. The same predictability lets the attacker guess the IP IDs the device will use next, which is the basis of the well-known IP ID attack family (idle scans that use the device as a reference host, and packets forged to match its upcoming IP IDs) and can leave the device unable to communicate.
Prerequisites
  • Network access to the S7-200 SMART device or visibility of its network traffic
  • Ability to send and observe IP packets on the network segment
Tags: remotely exploitable · no patch available · predictable identifier generation (the IP ID is a protocol header field, not a cryptographic value)
Exploitability
Low exploit probability (EPSS 0.2%)
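The following is an added example, not code from the OTPulse advisory or from Siemens. It shows what the "How it could be exploited" section describes in working code: reading the Identification field out of IPv4 headers, deciding whether a device's sequence behaves like a global counter, and, if it does, inferring how many packets the device sent to other hosts between two probe replies. The captured packets are replaced by constructed IPv4 headers with documentation-range addresses; in practice they would be the headers of replies to probes sent to the PLC.

```python
"""Added example, not code from the OTPulse advisory or from Siemens.

Reads the IP ID out of IPv4 headers, classifies the observed sequence, and
applies the idle-scan arithmetic that turns a predictable sequence into an
estimate of traffic the observer cannot see. All packets are constructed.
"""
import ipaddress
import struct
from typing import List


def build_ipv4_header(ip_id: int, src: str = "192.0.2.50", dst: str = "192.0.2.10") -> bytes:
    """Constructed minimal IPv4 header (20 bytes, checksum left at zero) that
    stands in for a captured reply. Addresses are documentation-range examples."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20, ip_id, 0, 64, 1, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed,
    )


def ip_id_from_header(raw: bytes) -> int:
    """Return the 16-bit Identification field (header bytes 4-5) of an IPv4 packet."""
    if len(raw) < 20 or raw[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return struct.unpack("!H", raw[4:6])[0]


def classify_ip_id(ids: List[int], max_step: int = 16) -> str:
    """Classify a sequence of IP IDs observed from one device.

    'incremental': every delta (mod 2^16) is small and positive, i.e. one
                   global counter shared by all destinations -> predictable.
    'constant':    the field never changes -> also predictable.
    'random':      anything else, which is what a hardened stack produces.
    """
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    if all(0 < d <= max_step for d in deltas):
        return "incremental"
    if all(d == 0 for d in deltas):
        return "constant"
    return "random"


def packets_sent_between(id_before: int, id_after: int) -> int:
    """Traffic inference for a device with a global IP ID counter: between two
    probe replies carrying id_before and id_after the device emitted
    id_after - id_before - 1 packets to hosts the observer cannot see."""
    return (id_after - id_before - 1) % 65536


def analyze_capture(headers: List[bytes]) -> dict:
    """Run the whole check over raw IPv4 headers from one device."""
    ids = [ip_id_from_header(h) for h in headers]
    verdict = classify_ip_id(ids)
    hidden = None
    if verdict == "incremental":
        # Hidden traffic between each consecutive pair of probe replies.
        hidden = [packets_sent_between(a, b) for a, b in zip(ids, ids[1:])]
    return {"ids": ids, "verdict": verdict, "hidden_packets_between_probes": hidden}


# Constructed sample: six probe replies from a device whose IP ID is a global
# counter. The jump 4100 -> 4105 means four packets went elsewhere in between.
PLC_REPLIES = [build_ipv4_header(i) for i in (4097, 4098, 4099, 4100, 4105, 4106)]
# Constructed sample: replies from a stack that randomizes the field.
RANDOM_REPLIES = [build_ipv4_header(i) for i in (0x8F3A, 0x1234, 0xABCD, 0x0F0F)]

if __name__ == "__main__":
    print(analyze_capture(PLC_REPLIES))
    print(analyze_capture(RANDOM_REPLIES))
```

Running the classifier against replies from your own PLC is also a quick way to confirm whether a device you suspect shares the weakness actually does; a result of "random" on a device means the attack described above does not apply to it.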
Affected products (10)
All 10 are end of life.

Product                          Affected versions   Fix status
SIMATIC S7-200 SMART CPU CR40    All versions        No fix (EOL)
SIMATIC S7-200 SMART CPU CR60    All versions        No fix (EOL)
SIMATIC S7-200 SMART CPU SR20    All versions        No fix (EOL)
SIMATIC S7-200 SMART CPU SR30    All versions        No fix (EOL)
SIMATIC S7-200 SMART CPU SR40    All versions        No fix (EOL)
SIMATIC S7-200 SMART CPU SR60    All versions        No fix (EOL)
SIMATIC S7-200 SMART CPU ST20    All versions        No fix (EOL)
SIMATIC S7-200 SMART CPU ST30    All versions        No fix (EOL)
SIMATIC S7-200 SMART CPU ST40    All versions        No fix (EOL)
SIMATIC S7-200 SMART CPU ST60    All versions        No fix (EOL)
Remediation & Mitigation
Do now
Hardening: Segment the network and place a firewall in front of the S7-200 SMART devices so that only authorized engineering workstations and SCADA servers can reach them. This also denies an outside attacker the ability to probe the device and read its IP ID sequence.
Hardening: Monitor traffic to and from the S7-200 SMART devices for connections from hosts outside that allow list, for bursts of probes (ICMP echo, TCP SYN/ACK) from a single source, and for denial of service patterns.
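The following is an added example, not part of the OTPulse advisory or of any Siemens tooling. It implements the two "Do now" controls as detection logic: any host outside the allow list that talks to the PLC is flagged, and so is a probe burst (many packets from one source to the PLC in a short window), which is what sampling a device's IP ID sequence looks like on the wire. The log lines, addresses, field names and thresholds are constructed for the demo; the parser would be mapped onto your own flow or firewall log format.

```python
"""Added example, not part of the OTPulse advisory or of any Siemens tooling.

Flags unauthorized peers of the PLC and probe bursts against it in a stream of
constructed 'key=value' flow records.
"""
from collections import defaultdict, deque
from typing import Dict, List, Tuple

PLC_ADDRESSES = {"10.20.30.5"}                  # assumed S7-200 SMART CPU address
ALLOWED_PEERS = {"10.20.30.10", "10.20.30.11"}  # assumed engineering WS and SCADA server


def parse_flow(line: str) -> Dict[str, object]:
    """Parse one 'key=value key=value' record (constructed format)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {
        "ts": float(fields["ts"]),
        "src": fields["src"],
        "dst": fields["dst"],
        "proto": fields["proto"],
        "dport": int(fields["dport"]),
        "bytes": int(fields["bytes"]),
    }


def detect(lines: List[str], probe_threshold: int = 20,
           window_s: float = 5.0) -> List[Tuple[str, str]]:
    """Return (finding, source) pairs, each reported once per source.

    unauthorized_peer: a source not on the allow list sent anything to a PLC.
    probe_burst:       a source sent >= probe_threshold packets to a PLC within
                       window_s seconds (the ICMP echo or TCP probes used to
                       read the IP ID sequence look like this).
    """
    findings: List[Tuple[str, str]] = []
    reported = set()
    recent: Dict[str, deque] = defaultdict(deque)   # per-source timestamps in window
    records = sorted((parse_flow(l) for l in lines if l.strip()), key=lambda r: r["ts"])
    for rec in records:
        if rec["dst"] not in PLC_ADDRESSES:
            continue
        src = rec["src"]
        if src not in ALLOWED_PEERS and ("unauthorized_peer", src) not in reported:
            reported.add(("unauthorized_peer", src))
            findings.append(("unauthorized_peer", src))
        q = recent[src]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window_s:      # slide the window forward
            q.popleft()
        if len(q) >= probe_threshold and ("probe_burst", src) not in reported:
            reported.add(("probe_burst", src))
            findings.append(("probe_burst", src))
    return findings


# Constructed sample log: the SCADA server polls the PLC once a second on
# TCP/102 (S7 communication) while an unlisted host pings it 25 times in 2.5 s.
SAMPLE_LOG = [
    f"ts={1718100000 + i}.000 src=10.20.30.11 dst=10.20.30.5 proto=tcp dport=102 bytes=144"
    for i in range(5)
] + [
    f"ts={1718100002 + i * 0.1:.3f} src=10.20.40.77 dst=10.20.30.5 proto=icmp dport=0 bytes=60"
    for i in range(25)
]

if __name__ == "__main__":
    for kind, src in detect(SAMPLE_LOG):
        print(f"{kind}: {src}")
```

The burst threshold is deliberately low: reading a few dozen IP IDs is enough to establish predictability, and a legitimate SCADA poll cycle against one PLC rarely approaches twenty packets in five seconds, so tune the threshold from a baseline of your own poll rate before alerting on it.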
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC S7-200 SMART CPU CR60, SIMATIC S7-200 SMART CPU SR20, SIMATIC S7-200 SMART CPU SR30, SIMATIC S7-200 SMART CPU SR60, SIMATIC S7-200 SMART CPU ST20, SIMATIC S7-200 SMART CPU ST30, SIMATIC S7-200 SMART CPU ST40, SIMATIC S7-200 SMART CPU ST60, SIMATIC S7-200 SMART CPU CR40, SIMATIC S7-200 SMART CPU SR40. Apply the following compensating controls:
Hardening: Review and follow Siemens' operational guidelines for industrial security and the product-specific manuals for additional protective measures.
Hardening: Plan migration of the S7-200 SMART devices to a Siemens platform still in active support (S7-1200 or S7-1500), which continues to receive security updates.
API: /api/v1/advisories/a87c5caa-41d8-4bd8-9bf9-abf67dff997a