OTPulse

Siemens SIMATIC S7-1200 CPU V1/V2 Devices

Plan: Patch
Score: 7.5
ICS-CERT advisory: ICSA-25-294-03
Date: Jun 10, 2011
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIMATIC S7-1200 CPU V1 and V2 controllers (including SIPLUS variants) contain two vulnerabilities: CVE-2011-20001 allows an unauthenticated remote attacker to trigger functions through record and playback of legitimate network communications; CVE-2011-20002 allows an attacker to place the controller in stop/defect state by causing a communications error. Both require network access to the controller but no valid credentials. Siemens has released firmware updates addressing both issues: V2.0.3 for CVE-2011-20001 and V2.0.2 for CVE-2011-20002. The web server can be disabled as a mitigation for CVE-2011-20001.

What this means
What could happen
An attacker could replay legitimate network commands to trigger unintended functions on the PLC (e.g., alter setpoints, change valve positions), or force the controller into a stop/defect state, halting all automated operations.
Who's at risk
Water and electric utilities operating Siemens SIMATIC S7-1200 CPU controllers (V1 or V2 variants, including SIPLUS industrial variants) for process control, pump stations, motor control, or pressure/level regulation should evaluate exposure. Smaller facilities with process automation are particularly at risk if these PLCs are networked with engineering workstations or SCADA systems.
How it could be exploited
An attacker with network access to the PLC can capture legitimate Modbus TCP or PROFINET traffic (commands sent from an engineering workstation or SCADA system), replay those captured packets back to the device to trigger the same function, or send specially crafted packets to cause a communications error that stops the controller.
Prerequisites
  • Network access to port 502 (Modbus TCP) or port 161/162 (SNMP) or the PROFINET Ethernet interface on the S7-1200 CPU
  • No authentication required; vulnerabilities are pre-authentication
  • Ability to capture or craft network packets (attacker must see legitimate traffic or know valid command structure)
Risk factors:
  • remotely exploitable
  • no authentication required
  • low complexity
  • affects control system availability
  • no patch available yet for some installations (V2.0.2 and V2.0.3 are recent)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
SIMATIC S7-1200 CPU V1 family (incl. SIPLUS variants) | < 2.0.3 | 2.0.3
SIMATIC S7-1200 CPU V1 family (incl. SIPLUS variants) | < 2.0.2 | 2.0.2
SIMATIC S7-1200 CPU V2 family (incl. SIPLUS variants) | < 2.0.3 | 2.0.3
SIMATIC S7-1200 CPU V2 family (incl. SIPLUS variants) | < 2.0.2 | 2.0.2
Remediation & Mitigation
Do now
WORKAROUND: Disable the web server on affected CPUs if not required for operations
HARDENING: Restrict network access to S7-1200 CPUs using firewall rules; ensure they are not reachable from the internet or untrusted networks
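An added example (not from OTPulse or Siemens) of verifying the "restrict network access" control above: it audits firewall log lines for flows that reach the PLC service ports named in the prerequisites (TCP 502 Modbus, UDP 161/162 SNMP) from hosts outside an engineering/SCADA allowlist. The log format, addresses and subnets are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Ports the advisory lists as the network prerequisite (Modbus TCP 502, SNMP 161/162).
PLC_SERVICE_PORTS = {502, 161, 162}

# Constructed example addressing: the PLC subnet, the hosts allowed to reach it
# (engineering workstations and SCADA servers), and the plant's overall address space.
PLC_NETWORKS = [ip_network("10.20.0.0/24")]
ALLOWED_SOURCES = [ip_network("10.10.5.0/28")]
SITE_NETWORKS = [ip_network("10.0.0.0/8")]


def parse_line(line):
    """Parse one constructed key=value firewall log line into a dict."""
    tokens = line.split()
    fields = dict(tok.split("=", 1) for tok in tokens[1:])
    fields["ts"] = tokens[0]
    fields["dport"] = int(fields["dport"])
    return fields


def in_any(addr, networks):
    return any(addr in net for net in networks)


def audit(lines, plc_networks=PLC_NETWORKS, allowed=ALLOWED_SOURCES,
          site=SITE_NETWORKS, ports=PLC_SERVICE_PORTS):
    """Return one finding per flow that hits a PLC service port from a non-allowlisted host."""
    findings = []
    for line in lines:
        f = parse_line(line)
        src, dst = ip_address(f["src"]), ip_address(f["dst"])
        if not in_any(dst, plc_networks) or f["dport"] not in ports:
            continue                      # not PLC-bound, or not a port the advisory names
        if in_any(src, allowed):
            continue                      # expected engineering/SCADA traffic
        if f["action"] != "allow":
            severity = "medium"           # blocked, but shows the port is being probed
        elif not in_any(src, site):
            severity = "critical"         # PLC reachable from outside the plant: exposed
        else:
            severity = "high"             # reachable from an unsegmented internal host
        findings.append({"ts": f["ts"], "src": str(src), "dst": str(dst),
                         "dport": f["dport"], "action": f["action"], "severity": severity})
    return findings


# Constructed sample log: one allowed engineering flow, one business-LAN host reaching
# Modbus, one external host reaching SNMP, one blocked external probe, one unrelated port.
SAMPLE_LOG = [
    "2024-05-01T10:00:01Z src=10.10.5.3 dst=10.20.0.7 proto=tcp dport=502 action=allow",
    "2024-05-01T10:00:05Z src=10.50.3.21 dst=10.20.0.7 proto=tcp dport=502 action=allow",
    "2024-05-01T10:00:09Z src=203.0.113.9 dst=10.20.0.7 proto=udp dport=161 action=allow",
    "2024-05-01T10:00:12Z src=203.0.113.9 dst=10.20.0.7 proto=tcp dport=502 action=deny",
    "2024-05-01T10:00:15Z src=10.50.3.21 dst=10.20.0.7 proto=tcp dport=8443 action=allow",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```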
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SIMATIC S7-1200 CPU V1 to firmware version 2.0.3 or later
HOTFIX: Update SIMATIC S7-1200 CPU V2 to firmware version 2.0.3 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate control system networks from business networks
HARDENING: If remote access is required, use VPN with encryption and strong authentication to reach engineering workstations