Message Integrity Protection Bypass Vulnerability in SIMATIC Products
Low Risk (3.7) | SSA-273799 | Dec 10, 2019
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A message integrity protection bypass vulnerability exists in multiple SIMATIC products that allows a Man-in-the-Middle attacker to modify network traffic exchanged on port 102/tcp to PLCs of the SIMATIC S7-1200, SIMATIC S7-1500, and SIMATIC SoftwareController CPU families. The vulnerability affects control logic communication, message integrity, and device-to-device authentication.
What this means
What could happen
An attacker positioned on the network between an engineering workstation and a PLC could intercept and modify control commands or logic downloads, potentially altering process operations or introducing malicious logic without detection. This is a critical integrity issue for manufacturing and critical infrastructure systems.
Who's at risk
Manufacturing and transportation facilities using Siemens SIMATIC control systems. Specifically: operators of S7-1200 and S7-1500 PLCs, engineering teams using STEP 7 TIA Portal, and facilities relying on SIMATIC HMI panels (WinCC) for process monitoring. Also affects remote engineering workstations connecting to PLCs over IP networks.
How it could be exploited
An attacker on the same network segment (or with network access to port 102/tcp) intercepts traffic between engineering workstations and S7-1200/S7-1500 PLCs. The attacker modifies the traffic to change control parameters, alter logic, or inject malicious code while bypassing the integrity check. No authentication is required if the attacker is already network-adjacent to the control system.
Prerequisites
- Network access to port 102/tcp between engineering workstations and target PLCs
- Ability to perform Man-in-the-Middle attack (network position on same segment or routing path)
- No encryption or integrity verification on affected protocol versions
- remotely exploitable
- no authentication required
- low complexity
- affects multiple critical product families
- affects safety and process control integrity
- several products without vendor fix available
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (10)
7 with fix, 3 EOL
Product | Affected Versions | Fix Status
SIMATIC NET PC Software V14 | < V14 SP1 Update 14 | V14 SP1 Update 14
SIMATIC STEP 7 (TIA Portal) | < V16 | V16
SIMATIC WinCC (TIA Portal) | < V16 | V16
SIMATIC WinCC OA | < V3.16 P013 | V3.16 P013
SIMATIC WinCC Runtime Advanced | < V16 | V16
SIMATIC WinCC Runtime Professional | < V16 | V16
TIM 1531 IRC (incl. SIPLUS NET variants) | < V2.1 | V2.1
SIMATIC CP 1626 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
SIMATIC CP 1626
HARDENING: For SIMATIC CP 1626, SIMATIC HMI Panel, and SIMATIC NET PC Software V15 (no vendor fix available): implement network segmentation and firewall rules to restrict port 102/tcp access to only authorized engineering workstations and trusted networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC NET PC Software V14
HOTFIX: Update SIMATIC NET PC Software V14 to SP1 Update 14 or later
SIMATIC STEP 7 (TIA Portal)
HOTFIX: Update SIMATIC STEP 7 (TIA Portal) to V16 or later
SIMATIC WinCC (TIA Portal)
HOTFIX: Update SIMATIC WinCC (TIA Portal) to V16 or later
SIMATIC WinCC OA
HOTFIX: Update SIMATIC WinCC OA to V3.16 P013 or later
SIMATIC WinCC Runtime Advanced
HOTFIX: Update SIMATIC WinCC Runtime Advanced to V16 or later
SIMATIC WinCC Runtime Professional
HOTFIX: Update SIMATIC WinCC Runtime Professional to V16 or later
TIM 1531 IRC (incl. SIPLUS NET variants)
HOTFIX: Update TIM 1531 IRC to V2.1 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC CP 1626, SIMATIC HMI Panel (incl. SIPLUS variants), SIMATIC NET PC Software V15. Apply the following compensating controls:
HARDENING: Use secure network architecture to prevent Man-in-the-Middle attacks: deploy VPN or IPsec encryption for remote engineering access, isolate control system network from corporate network, restrict physical and logical access to engineering network segment
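The compensating control above amounts to an allowlist of engineering workstations for port 102/tcp. The following added example (not part of the Siemens advisory or this page) checks constructed flow records against such an allowlist and reports port 102/tcp sessions into the PLC segment from any other source; the addresses, the PLC subnet and the record format are assumptions.

```python
import ipaddress

# Constructed allowlist: only these engineering workstations may open port 102/tcp to PLCs.
AUTHORIZED_ENGINEERING = {"10.10.5.20", "10.10.5.21"}
# Constructed PLC segment (assumed to hold the S7-1200/S7-1500 CPUs).
PLC_NETWORK = ipaddress.ip_network("10.10.20.0/24")
S7_PORT = 102

# Constructed flow records: "src_ip src_port dst_ip dst_port proto" per line.
SAMPLE_FLOWS = """\
10.10.5.20 51234 10.10.20.7 102 tcp
10.10.5.99 50222 10.10.20.7 102 tcp
192.168.1.40 40001 10.10.20.9 102 tcp
10.10.5.21 51500 10.10.20.9 102 tcp
10.10.5.99 50223 10.10.20.7 443 tcp
10.10.5.99 50224 10.10.20.7 102 udp
"""

def parse_flows(text):
    """Parse flow lines into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        src, _sport, dst, dport, proto = parts
        try:
            flows.append({"src": ipaddress.ip_address(src),
                          "dst": ipaddress.ip_address(dst),
                          "dport": int(dport), "proto": proto.lower()})
        except ValueError:
            continue
    return flows

def unauthorized_s7_sessions(text, allowlist=AUTHORIZED_ENGINEERING, plc_net=PLC_NETWORK):
    """Return (src, dst) pairs for port 102/tcp flows into the PLC segment
    whose source is not an allowlisted engineering workstation."""
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    findings = []
    for f in parse_flows(text):
        if f["proto"] != "tcp" or f["dport"] != S7_PORT or f["dst"] not in plc_net:
            continue
        if f["src"] not in allowed:
            findings.append((str(f["src"]), str(f["dst"])))
    return findings

if __name__ == "__main__":
    for src, dst in unauthorized_s7_sessions(SAMPLE_FLOWS):
        print(f"ALERT: unauthorised S7 session {src} -> {dst}:102/tcp")
```

The same check expressed as a firewall or IDS allowlist rule on the cell boundary is the preventive form; this script is the detective form run over exported connection records.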
CVEs (1)