OTPulse

Denial of Service Vulnerabilities in SIMATIC S7-400 CPUs

Action: Plan Patch
CVSS: 8.2
Advisory: SSA-113131
Date: Nov 13, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Two denial of service vulnerabilities exist in the SIMATIC S7-400 CPU family that allow an attacker with network access to the CPU (Ethernet on port 102/tcp, PROFIBUS, or MPI) to crash the CPU firmware without authentication. The vulnerabilities stem from improper input validation (CWE-20, CWE-347) of protocol packets. Affected products range from older S7-400 H variants through newer S7-410 CPUs. Siemens has released patches for select recent models (414F-3 PN/DP, 416-3 PN/DP, 416F-3 PN/DP, 412-2 PN, 414-3 PN/DP V7 to v7.0.3; S7-400 H V6 to v6.0.9; S7-410 to v8.2.1), but many product variants remain unpatched and will not receive fixes.

What this means
What could happen
An attacker with network access to port 102/tcp can send malformed packets to cause a SIMATIC S7-400 CPU to crash or stop responding, disrupting production on any process controlled by that PLC until it is manually restarted.
Who's at risk
Water treatment plants, electric utilities, and other process industries relying on SIMATIC S7-400 PLCs should assess whether any of the affected CPU models are running production processes. The S7-400 H family and older S7-400 variants deployed in mission-critical operations with no fix available are at highest risk of unpatched exposure.
How it could be exploited
An attacker on a network segment with Ethernet access to the S7-400 CPU sends specially crafted packets to port 102/tcp (the port carrying the S7 communication protocol). The malformed packets trigger input validation flaws that crash the CPU firmware without requiring any credentials or authentication, leaving the device unresponsive.
Prerequisites
  • Network access to port 102/tcp (Ethernet, PROFIBUS, or MPI) to the affected S7-400 CPU
  • No credentials or engineering access required
  • Remotely exploitable over Ethernet
  • No authentication required
  • Low complexity attack
  • No patch available for 12+ product variants
  • CVSS 8.2 (High)
  • Input validation flaw (CWE-20)
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (21)
9 with fix, 12 pending

Product                              | Affected Versions | Fix Status
SIMATIC S7-400 CPU 414F-3 PN/DP V7   | < V7.0.3          | 7.0.3
SIMATIC S7-400 CPU 416-2 DP V7       | All versions      | No fix yet
SIMATIC S7-400 CPU 416-3 DP V7       | All versions      | No fix yet
SIMATIC S7-400 CPU 416-3 PN/DP V7    | < V7.0.3          | 7.0.3
SIMATIC S7-400 CPU 416F-2 DP V7      | All versions      | No fix yet
Remediation & Mitigation
Do now
  • HARDENING: For products without available patches (CPU 416-2 DP, 416-3 DP, 416F-2 DP, 417-4 DP, 412-1 DP, 412-2 DP, 414-2 DP, 414-3 DP, S7-400 H V4.5 and below, S7-400 PN/DP V6 and below), implement network-based access controls to restrict Ethernet, PROFIBUS, and MPI communication to port 102/tcp to only authorized engineering workstations and SCADA systems
  • HARDENING: Isolate S7-400 CPUs without patches using network segmentation or air-gapping from untrusted networks; ensure only trusted internal engineering and process networks can reach port 102/tcp
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update SIMATIC S7-400 CPU 414F-3 PN/DP, 416-3 PN/DP, 416F-3 PN/DP, 412-2 PN, and 414-3 PN/DP V7 models to firmware version 7.0.3 or later
  • HOTFIX: Update SIMATIC S7-400 H V6 CPU family to firmware version 6.0.9 or later
  • HOTFIX: Update SIMATIC S7-410 CPU family to firmware version 8.2.1 or later
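An added example (not OTPulse's or Siemens' code) of turning the fixed-version list above and in the summary into an inventory check: it parses firmware strings, compares each CPU against the fixed version this page states for its product family, and flags products the page lists with no fix so they are routed to the network-restriction controls instead. Product families not named on this page are reported as unknown rather than guessed; the hostnames and firmware values in the sample inventory are constructed.

```python
import re

# Fixed firmware per product family, transcribed from this page's advisory text.
# None = listed as affected with no fix available (all versions vulnerable).
FIXED_VERSIONS = {
    "SIMATIC S7-400 CPU 414F-3 PN/DP V7": (7, 0, 3),
    "SIMATIC S7-400 CPU 416-3 PN/DP V7": (7, 0, 3),
    "SIMATIC S7-400 CPU 416F-3 PN/DP V7": (7, 0, 3),
    "SIMATIC S7-400 CPU 412-2 PN V7": (7, 0, 3),
    "SIMATIC S7-400 CPU 414-3 PN/DP V7": (7, 0, 3),
    "SIMATIC S7-400 H V6": (6, 0, 9),
    "SIMATIC S7-410": (8, 2, 1),
    "SIMATIC S7-400 CPU 416-2 DP V7": None,
    "SIMATIC S7-400 CPU 416-3 DP V7": None,
    "SIMATIC S7-400 CPU 416F-2 DP V7": None,
}

def parse_version(text):
    """Turn firmware strings such as 'V7.0.2' or '6.0.9' into comparable int tuples."""
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError("unrecognised firmware version: %r" % text)
    return tuple(int(p) for p in m.group(1).split("."))

def assess(product, firmware):
    """Classify one CPU as ('patched'|'update'|'no_fix'|'unknown', fixed version or None)."""
    if product not in FIXED_VERSIONS:
        return ("unknown", None)   # not named on this page; consult the full advisory
    fixed = FIXED_VERSIONS[product]
    if fixed is None:
        return ("no_fix", None)    # only compensating controls apply (restrict 102/tcp)
    if parse_version(firmware) < fixed:
        return ("update", ".".join(map(str, fixed)))
    return ("patched", None)

def triage(inventory):
    """inventory: iterable of (host, product, firmware); returns one result tuple per host."""
    return [(host,) + assess(product, fw) for host, product, fw in inventory]

# Constructed sample inventory (hostnames and firmware values are made up).
SAMPLE_INVENTORY = [
    ("plc-boiler-01", "SIMATIC S7-400 CPU 416-3 PN/DP V7", "V7.0.2"),
    ("plc-boiler-02", "SIMATIC S7-400 CPU 416-3 PN/DP V7", "V7.0.3"),
    ("plc-intake-01", "SIMATIC S7-400 CPU 416-2 DP V7", "V7.0.3"),
    ("plc-redund-01", "SIMATIC S7-400 H V6", "V6.0.8"),
    ("plc-new-01", "SIMATIC S7-410", "8.2.1"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print(row)
```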