Siemens SIMATIC S7-1500 CPUs

Priority: Monitor | CVSS 5.3 | ICS-CERT ICSA-24-284-10 | Oct 8, 2024
Vendor: Siemens | Sectors: Manufacturing, Transportation
Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Several SIMATIC S7-1500 CPU versions contain an authentication bypass vulnerability that allows unauthenticated remote attackers to query and learn the actual and configured maximum cycle times and communication load metrics of the CPU. The vulnerability exists across SIMATIC S7-1500 CPUs, SIMATIC ET 200SP CPUs, SIMATIC Drive Controller CPUs, and related variants including SIPLUS hardened models and software-based controllers. Affected firmware versions are generally those before 2.9.8 or 3.1.4 (depending on CPU model generation). Siemens has released firmware updates for most products. For SIMATIC S7-1500 Software Controller Linux V2, no fix is planned and network isolation is the recommended mitigation.

What this means
What could happen
An unauthenticated attacker on the network can query a vulnerable S7-1500 CPU to learn its cycle times and communication load metrics. While this disclosure is limited in scope, the information could be used to refine follow-up attacks targeting the CPU's operational parameters or real-time behavior.
Who's at risk
Water utilities, electric utilities, and manufacturing plants operating SIMATIC S7-1500 series PLCs and ET 200SP intelligent I/O modules should assess their inventory. This affects the core programmable logic controllers that manage pump stations, treatment processes, power distribution systems, and production lines. Both hardware CPUs and software-based controllers are affected.
How it could be exploited
An attacker with network reachability to the CPU's Ethernet port can send an unauthenticated S7 communication request to query cycle time and load information from the CPU. No credentials or special authentication are required. The attacker sends a crafted protocol message that bypasses authentication checks for this specific information endpoint.
Prerequisites
  • Network reachability to CPU Ethernet port (default port 102 for S7 communication)
  • No credentials required
Tags: remotely exploitable | no authentication required | low complexity | affects production monitoring (disclosure of cycle time metrics)
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (105)
104 with fix, 1 pending

Product                                | Affected Versions | Fix Status
SIMATIC Drive Controller CPU 1504D TF  | < 3.1.4           | 3.1.4
SIMATIC Drive Controller CPU 1507D TF  | < 3.1.4           | 3.1.4
SIMATIC ET 200SP CPU 1510SP F-1 PN     | < 2.9.8           | 2.9.8
SIMATIC ET 200SP CPU 1510SP F-1 PN     | < 3.1.4           | 3.1.4
SIMATIC ET 200SP CPU 1510SP-1 PN       | < 2.9.8           | 2.9.8
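The table lists the same CPU twice because it ships on two firmware lines, each with its own fix version. As an added example (not OTPulse's or Siemens' code), the script below checks a constructed asset list against those two fix lines, comparing each device only with the fix version of its own branch, so a V2.x CPU at 2.9.9 counts as fixed even though 2.9.9 is below 3.1.4, while a V3.x CPU at 3.1.2 is still affected. The product names and firmware strings in the sample inventory are constructed.

```python
"""Inventory check for ICSA-24-284-10 (added example, not OTPulse or Siemens code).

The advisory gives two fix lines: 2.9.8 for V2.x firmware and 3.1.4 for
V3.x firmware. A device must be compared only against the fix version of
its own branch; a naive check against the highest fix (3.1.4) would flag a
patched V2.9.9 CPU as vulnerable. The asset list below is constructed data.
"""

# Fix version per firmware branch (major version), from the affected-products table.
FIX_BY_BRANCH = {2: (2, 9, 8), 3: (3, 1, 4)}

# Product with no fix planned (network isolation only), from the advisory.
NO_FIX = {"SIMATIC S7-1500 Software Controller Linux V2"}


def parse_version(text):
    """'V3.1.10' -> (3, 1, 10): integer tuples compare correctly, strings do not."""
    return tuple(int(part) for part in text.strip().lstrip("Vv").split("."))


def assess(product, firmware):
    """Return 'no-fix', 'fixed', 'affected' or 'review' for one device."""
    if product in NO_FIX:
        return "no-fix"
    version = parse_version(firmware)
    # V1.x firmware predates both fix lines, so it is measured against 2.9.8.
    fix = FIX_BY_BRANCH.get(max(version[0], 2))
    if fix is None:  # branch newer than the advisory covers: check manually
        return "review"
    return "fixed" if version >= fix else "affected"


def assess_inventory(assets):
    """Map (product, firmware) -> status so affected devices can be scheduled."""
    return {(p, fw): assess(p, fw) for p, fw in assets}


# Constructed sample inventory (not real plant data).
SAMPLE_INVENTORY = [
    ("SIMATIC ET 200SP CPU 1510SP F-1 PN", "V2.9.9"),          # fixed on V2 line
    ("SIMATIC ET 200SP CPU 1510SP F-1 PN", "V3.1.2"),          # affected on V3 line
    ("SIMATIC Drive Controller CPU 1504D TF", "V3.1.10"),      # 3.1.10 > 3.1.4
    ("SIMATIC S7-1500 Software Controller Linux V2", "V2.0"),  # no fix planned
]

if __name__ == "__main__":
    for (product, firmware), status in assess_inventory(SAMPLE_INVENTORY).items():
        print(f"{status:9} {product} {firmware}")
```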
Remediation & Mitigation
Do now
SIMATIC S7-1500 Software Controller Linux V2
WORKAROUND: For SIMATIC S7-1500 Software Controller Linux V2 (all versions), apply network access controls to restrict S7 communication (port 102) to authorized engineering workstations only, as no firmware fix is available.
All products
HARDENING: Restrict network access to port 102 (S7 communication protocol) on all S7-1500 CPUs to only authorized SCADA networks and engineering workstations. Block access from untrusted networks or the internet using firewall rules.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SIMATIC S7-1500 CPUs to firmware version 3.1.4 or later (or 2.9.8 for V2 controllers). Consult Siemens documentation for your specific CPU model to determine the correct fixed version.
Long-term hardening
HARDENING: Implement network segmentation to isolate S7-1500 CPUs on a protected industrial network segment separate from general IT networks and guest access.
Siemens SIMATIC S7-1500 CPUs | CVSS 5.3 - OTPulse