Siemens SIMATIC S7-200 SMART Devices
Monitor | 7.5 | ICS-CERT ICSA-24-261-01 | Sep 10, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in all versions of SIMATIC S7-200 SMART CPUs (CR40, CR60, SR20, SR30, SR40, SR60, ST20, ST30, ST40, ST60) allows an attacker to cause a denial of service condition by sending a specially crafted TCP packet to the device. The weakness is classified as CWE-400 (Uncontrolled Resource Consumption): the device does not properly handle the crafted network input. Siemens has not released a firmware patch and recommends network protection measures and adherence to its industrial security operational guidelines as countermeasures.
What this means
What could happen
An attacker can crash the S7-200 SMART CPU by sending a specially crafted TCP packet, causing the PLC to stop executing your automation program and halt all controlled processes until the device is manually restarted.
Who's at risk
Water utilities, electrical utilities, and other critical infrastructure operators using Siemens SIMATIC S7-200 SMART PLCs (all CPU models: CR40, CR60, SR20, SR30, SR40, SR60, ST20, ST30, ST40, ST60) for process automation and control should assess their exposure. This affects any facility where these compact PLCs control pumps, valves, motors, or other critical equipment.
How it could be exploited
An attacker with network access to the device on the industrial network can send a specially crafted TCP packet to trigger a denial of service condition. The attack requires only network reachability to the CPU and no authentication.
Prerequisites
- Network access to the S7-200 SMART CPU's TCP service (likely TCP port 102, used by the S7 protocol)
- No credentials or authentication required
- The CPU must be reachable from the attacker's network position
Tags: remotely exploitable; no authentication required; low complexity; no patch available; affects safety/control systems
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (10)
All 10 affected products are End of Life.
Product | Affected Versions | Fix Status
SIMATIC S7-200 SMART CPU CR60 | All versions | No fix (EOL)
SIMATIC S7-200 SMART CPU ST40 | All versions | No fix (EOL)
SIMATIC S7-200 SMART CPU CR40 | All versions | No fix (EOL)
SIMATIC S7-200 SMART CPU SR20 | All versions | No fix (EOL)
SIMATIC S7-200 SMART CPU SR30 | All versions | No fix (EOL)
SIMATIC S7-200 SMART CPU SR40 | All versions | No fix (EOL)
SIMATIC S7-200 SMART CPU SR60 | All versions | No fix (EOL)
SIMATIC S7-200 SMART CPU ST20 | All versions | No fix (EOL)
SIMATIC S7-200 SMART CPU ST30 | All versions | No fix (EOL)
SIMATIC S7-200 SMART CPU ST60 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
Workaround: Implement firewall rules to restrict inbound network access to the S7-200 SMART CPU. Only allow connections from known engineering workstations and HMI systems on whitelisted IP addresses and ports.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC S7-200 SMART CPU CR60, SIMATIC S7-200 SMART CPU ST40, SIMATIC S7-200 SMART CPU CR40, SIMATIC S7-200 SMART CPU SR20, SIMATIC S7-200 SMART CPU SR30, SIMATIC S7-200 SMART CPU SR40, SIMATIC S7-200 SMART CPU SR60, SIMATIC S7-200 SMART CPU ST20, SIMATIC S7-200 SMART CPU ST30, SIMATIC S7-200 SMART CPU ST60. Apply the following compensating controls:
Hardening: Segment the industrial network so S7-200 SMART CPUs are not reachable from corporate networks, guest networks, or the internet, using VLANs and network access controls.
Hardening: Monitor Siemens security advisories for patches. Although no fix is currently available, contact Siemens support to understand long-term remediation options and timelines.
Hardening: Follow Siemens' operational guidelines for Industrial Security to configure the overall IT environment as a protected system.
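The firewall allowlist workaround and the segmentation control above both reduce to one policy: a PLC may be reached only from named engineering workstations and HMIs, on named ports. The following added example (written for this page, not code from Siemens or ICS-CERT) renders that policy as an nftables forward-chain ruleset and then audits firewall flow logs for PLC-bound connections the firewall allowed but the policy forbids, which is how a rule gap or a path around the firewall shows up. Everything in it is assumed: the key=value log format, every IP address, and the S7 port (the advisory only says "likely 102").

```python
"""Allowlist enforcement for S7-200 SMART CPUs: render firewall rules from one
policy and audit flow logs for traffic that slipped past it.

Added example, not from the advisory. Assumptions: the log line format, every
IP address, and that the PLC's S7 service is on TCP 102 (the advisory only
says "likely 102"); adjust both to the real environment."""
import ipaddress
import re
from dataclasses import dataclass

S7_PORT = 102  # assumed S7 communication port (advisory: "likely 102")

# Constructed: hosts allowed to reach the PLCs, and on which TCP ports.
ALLOWED_SOURCES = {
    ipaddress.ip_address("10.10.1.10"): {S7_PORT},  # engineering workstation
    ipaddress.ip_address("10.10.1.20"): {S7_PORT},  # HMI
}
# Constructed: the S7-200 SMART CPUs on the control VLAN.
PLC_HOSTS = {ipaddress.ip_address("10.10.2.100"), ipaddress.ip_address("10.10.2.101")}

# Assumed key=value flow-log format; the regex is the only place it is encoded.
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+"
    r"proto=(?P<proto>\w+)\s+dport=(?P<dport>\d+)\s+action=(?P<action>\w+)\s*$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int
    action: str


def parse_flow(line):
    """Parse one flow-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return Flow(m["ts"], ipaddress.ip_address(m["src"]),
                ipaddress.ip_address(m["dst"]), m["proto"].lower(),
                int(m["dport"]), m["action"].lower())


def is_permitted(flow):
    """Policy: a PLC may only be reached over TCP, from an allowlisted source,
    on a port allowlisted for that source. Non-PLC traffic is out of scope."""
    if flow.dst not in PLC_HOSTS:
        return True
    if flow.proto != "tcp":
        return False
    return flow.dport in ALLOWED_SOURCES.get(flow.src, set())


def audit(lines):
    """Return (violations, unparsed): flows the firewall *allowed* to a PLC that
    the policy forbids (a rule gap or a bypass), and lines that failed to parse
    (a parser that silently drops lines hides exactly the events you want)."""
    violations, unparsed = [], []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            unparsed.append(line)
        elif flow.action == "allow" and not is_permitted(flow):
            violations.append(flow)
    return violations, unparsed


def render_nft_rules():
    """Render the same policy as an nftables forward-chain ruleset for a
    firewall between the plant/corporate network and the control VLAN."""
    plcs = ", ".join(str(h) for h in sorted(PLC_HOSTS))
    lines = ["table inet plc_guard {", "  chain forward {",
             "    type filter hook forward priority 0; policy accept;"]
    for src, ports in sorted(ALLOWED_SOURCES.items()):
        for port in sorted(ports):
            lines.append(f"    ip daddr {{ {plcs} }} ip saddr {src} tcp dport {port} accept")
    lines.append(f"    ip daddr {{ {plcs} }} drop   # everything else bound for a PLC")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed sample log: two legitimate sessions, one corporate host reaching
# a PLC, one allowlisted host on a non-allowlisted port, one unrelated flow,
# one denied probe (the firewall did its job) and one malformed line.
SAMPLE_LOG = [
    "2024-09-12T08:00:01Z src=10.10.1.10 dst=10.10.2.100 proto=tcp dport=102 action=allow",
    "2024-09-12T08:00:05Z src=10.10.1.20 dst=10.10.2.101 proto=tcp dport=102 action=allow",
    "2024-09-12T08:01:17Z src=192.168.50.7 dst=10.10.2.100 proto=tcp dport=102 action=allow",
    "2024-09-12T08:01:18Z src=10.10.1.10 dst=10.10.2.100 proto=tcp dport=80 action=allow",
    "2024-09-12T08:02:00Z src=10.10.1.10 dst=10.10.3.5 proto=tcp dport=443 action=allow",
    "2024-09-12T08:03:00Z src=203.0.113.9 dst=10.10.2.100 proto=tcp dport=102 action=deny",
    "this line is not a flow record",
]

if __name__ == "__main__":
    print(render_nft_rules())
    found, bad = audit(SAMPLE_LOG)
    for f in found:
        print(f"VIOLATION {f.ts} {f.src} -> {f.dst}:{f.dport}/{f.proto} was allowed")
    print(f"{len(bad)} unparsed line(s)")
```

On the constructed log the audit flags two allowed flows: the corporate host 192.168.50.7 reaching a PLC on port 102, and the engineering workstation reaching a PLC on port 80, which is not in its allowlist. The denied probe is not a finding, and the malformed line is reported rather than dropped. Keeping the rendered ruleset and the audit on the same policy object means the firewall configuration and the detection logic cannot drift apart.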
CVEs (1)