Denial of Service in OPC UA in Industrial Products

Plan Patch7.5SSA-307392Apr 9, 2019

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A vulnerability in the OPC UA server implementation of several Siemens industrial products allows unauthenticated remote attackers to cause a denial of service by sending crafted input to the OPC UA service. The affected products include SIMATIC S7-1500 CPUs and software controllers, HMI/operator panels (Comfort and KTP series), industrial PCs, SCADA/supervisory systems (SINEC NMS, TeleControl, SINUMERIK), and engineering software (WinCC OA, WinCC Runtime). When the OPC UA service crashes, any control system relying on OPC UA for real-time data exchange or commands becomes unable to communicate with field devices until the service is restarted. Several products do not have vendor updates available.

What this means

What could happen

An attacker can send crafted OPC UA network requests to crash the OPC UA service, disrupting communication between control systems, engineering workstations, and field devices. This could prevent operators from monitoring or adjusting critical processes like PLC logic, motor speeds, or setpoints.

Who's at risk

Manufacturing facilities using Siemens automation products should prioritize this. Affected equipment includes PLCs (S7-1500 family), industrial PCs (ET 200SP Open Controller), HMI operator panels (Comfort Panels, KTP Mobile Panels), engineering software (WinCC OA, WinCC Runtime, SIMATIC NET PC Software), SCADA/remote monitoring systems (SINEC NMS, TeleControl Server, SINUMERIK), and networked RF/IO modules (RF188C, RF600R). Any facility relying on OPC UA for inter-device communication or supervisor control is at risk.

How it could be exploited

An attacker on the network sends malformed OPC UA packets to port 4840 or the configured OPC UA port on the affected device. The OPC UA server fails to handle the invalid input and crashes, severing connectivity for any automation system relying on OPC UA for real-time data or commands. No authentication is required.

Prerequisites

Network access to the OPC UA server port (default port 4840)
OPC UA service must be enabled on the affected product
No credentials or user interaction required

Remotely exploitable over the networkNo authentication requiredLow complexity attackNetwork access only (no special tools needed)Affects core automation communication (OPC UA)Affects systems with no available vendor patch

Exploitability

Moderate exploit probability (EPSS 1.1%)

Affected products (19)

16 with fix3 pending

ProductAffected VersionsFix Status

SIMATIC CP 443-1 OPC UAAll versionsNo fix yet

SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants)< V2.72.7

SIMATIC HMI Comfort Outdoor Panels 7" & 15" (incl. SIPLUS variants)< V15.1 Upd 415.1 Upd4

SIMATIC HMI Comfort Panels 4" - 22" (incl. SIPLUS variants)< V15.1 Upd 415.1 Upd4

SIMATIC HMI KTP Mobile Panels KTP400F, KTP700, KTP700F, KTP900 and KTP900F< V15.1 Upd 415.1 Upd4

Remediation & Mitigation

0/18

Do now

0/1

SIMATIC CP 443-1 OPC UA

WORKAROUNDFor SIMATIC CP 443-1 OPC UA and SIMATIC NET PC Software V13 and V15 (no vendor fix available), implement network-level controls: isolate OPC UA traffic to trusted engineering networks, use firewall rules to restrict access to the OPC UA port (default 4840) from only authorized workstations, and implement network segmentation between field devices and external networks

Schedule — requires maintenance window

0/16

Patching may require device reboot — plan for process interruption

Long-term hardening

0/1

HARDENINGSegment the OPC UA network from the corporate IT network and untrusted zones to limit who can send traffic to OPC UA servers

CVEs (1)

CVE-2019-6575

View full Siemens ProductCERT advisory

↑↓ Navigate · Esc Close