Siemens SIMATIC S7-1200 CPU V1/V2 Devices

Plan PatchCVSS 7.5ICS-CERT ICSA-25-294-03Jun 10, 2011

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

SIMATIC S7-1200 CPU V1 and V2 controllers (including SIPLUS variants) contain two vulnerabilities: CVE-2011-20001 allows an unauthenticated remote attacker to trigger functions through record and playback of legitimate network communications; CVE-2011-20002 allows an attacker to place the controller in stop/defect state by causing a communications error. Both require network access to the controller but no valid credentials. Siemens has released firmware updates addressing both issues: V2.0.3 for CVE-2011-20001 and V2.0.2 for CVE-2011-20002. The web server can be disabled as a mitigation for CVE-2011-20001.

What this means

What could happen

An attacker could replay legitimate network commands to trigger unintended functions on the PLC (e.g., alter setpoints, change valve positions), or force the controller into a stop/defect state, halting all automated operations.

Who's at risk

Water and electric utilities operating Siemens SIMATIC S7-1200 CPU controllers (V1 or V2 variants, including SIPLUS industrial variants) for process control, pump stations, motor control, or pressure/level regulation should evaluate exposure. Smaller facilities with process automation are particularly at risk if these PLCs are networked with engineering workstations or SCADA systems.

How it could be exploited

An attacker with network access to the PLC can capture legitimate Modbus TCP or PROFINET traffic (commands sent from an engineering workstation or SCADA system), replay those captured packets back to the device to trigger the same function, or send specially crafted packets to cause a communications error that stops the controller.

Prerequisites

Network access to port 502 (Modbus TCP) or port 161/162 (SNMP) or the PROFINET Ethernet interface on the S7-1200 CPU
No authentication required; vulnerabilities are pre-authentication
Ability to capture or craft network packets (attacker must see legitimate traffic or know valid command structure)

remotely exploitableno authentication requiredlow complexityaffects control system availabilityno patch available yet for some installations (V2.0.2 and V2.0.3 are recent)

Exploitability

Unlikely to be exploited — EPSS score 0.1%

Affected products (4)

4 with fix

ProductAffected VersionsFix Status

SIMATIC S7-1200 CPU V1 family (incl. SIPLUS variants)< 2.0.32.0.3

SIMATIC S7-1200 CPU V1 family (incl. SIPLUS variants)< 2.0.22.0.2

SIMATIC S7-1200 CPU V2 family (incl. SIPLUS variants)< 2.0.32.0.3

SIMATIC S7-1200 CPU V2 family (incl. SIPLUS variants)< 2.0.22.0.2

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDDisable the web server on affected CPUs if not required for operations

HARDENINGRestrict network access to S7-1200 CPUs using firewall rules; ensure they are not reachable from the internet or untrusted networks

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SIMATIC S7-1200 CPU V1 to firmware version 2.0.3 or later

HOTFIXUpdate SIMATIC S7-1200 CPU V2 to firmware version 2.0.3 or later

Long-term hardening

0/2

HARDENINGImplement network segmentation to isolate control system networks from business networks

HARDENINGIf remote access is required, use VPN with encryption and strong authentication to reach engineering workstations

CVEs (2)

CVE-2011-20001 CVE-2011-20002

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/92c56424-f481-43db-8a43-7e5b9f7d79d8

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.