Multiple Denial of Service Vulnerabilities in Industrial Products
CVSS 7.5 · SSA-382653 · Dec 13, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple denial of service vulnerabilities in Siemens SIMATIC firmware allow unauthenticated network attackers to crash or disable affected PLCs and controllers. The vulnerabilities stem from improper input validation and error handling that can be triggered by sending specially crafted network packets. Affected products include the SIMATIC S7-1200 and S7-1500 CPU families, Drive Controllers, ET 200SP controllers, TIM industrial routers, S7-1500 Software Controller V2, and S7-PLCSIM Advanced. The vulnerabilities do not require authentication or special configuration to exploit.
What this means
What could happen
An attacker on the network could send crafted packets to crash or temporarily disable SIMATIC PLCs and controllers, causing production downtime and loss of process control.
Who's at risk
Manufacturing facilities and transportation systems using Siemens SIMATIC S7-1200 and S7-1500 PLC families, Drive Controllers, ET 200 series, TIM industrial routers, and PLCSIM simulation software. This affects automation engineers, production teams, and anyone dependent on continuous PLC operation.
How it could be exploited
An attacker with network access to a vulnerable SIMATIC PLC or controller could send specially crafted packets to trigger an unhandled exception or infinite loop in the firmware, causing the device to become unresponsive. No authentication or special configuration is required.
Prerequisites
- Network access to the PLC/controller (Ethernet, port 102 for S7 communication or 21 for TIM devices)
- Device must be running a vulnerable firmware version
- No credentials required
- Remotely exploitable
- No authentication required
- Low complexity attack
- High impact on process availability
- Wide range of products affected
- Default network accessibility of PLCs
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (77)
77 with fix
Product | Affected Versions | Fix Status
SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL | < V2.9.7 | 2.9.7
SIMATIC Drive Controller CPU 1504D TF | < V2.9.7 | 2.9.7
SIMATIC Drive Controller CPU 1507D TF | < V2.9.7 | 2.9.7
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) | < V21.9.7 | 21.9.7
SIMATIC S7-1200 CPU family (incl. SIPLUS variants) | < V4.6.0 | 4.6.0
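Added example, not from the advisory and not Siemens tooling: a small Python triage script that compares an asset inventory against the fix versions in the table above. It carries the five rows shown on the page (extend the dictionary with the rest of the 77 products), normalises version strings such as "V4.6" against "4.6.0", and reports products that are not in the table as unknown rather than as safe; the inventory rows are constructed sample data.

```python
# Added example (not part of the advisory or Siemens tooling): compare an asset
# inventory against the fix versions listed for SSA-382653. The table holds the
# five rows shown on the page; the inventory rows are constructed sample data.
import re

# product name exactly as listed in the advisory -> first firmware version with the fix
FIXED_VERSIONS = {
    "SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL": "2.9.7",
    "SIMATIC Drive Controller CPU 1504D TF": "2.9.7",
    "SIMATIC Drive Controller CPU 1507D TF": "2.9.7",
    "SIMATIC ET 200SP Open Controller CPU 1515SP PC2": "21.9.7",
    "SIMATIC S7-1200 CPU family": "4.6.0",
}

def parse_version(text):
    """Turn 'V2.9.7', 'v 4.6' or '21.9.7' into a comparable integer tuple.
    Missing trailing components count as 0 ('V4.6' == 'V4.6.0'); anything that is
    not a dotted numeric version raises ValueError rather than comparing as fixed."""
    m = re.fullmatch(r"\s*[vV]?\s*(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))

def is_affected(product, firmware):
    """True if the firmware is older than the fix for this product; None if the
    product is not in the table (unknown is reported separately, not as safe)."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return None
    return parse_version(firmware) < parse_version(fixed)

def triage(inventory):
    """Split (host, product, firmware) rows into needs_patch, fixed, unknown hosts."""
    needs_patch, fixed, unknown = [], [], []
    for host, product, firmware in inventory:
        verdict = is_affected(product, firmware)
        (unknown if verdict is None else needs_patch if verdict else fixed).append(host)
    return needs_patch, fixed, unknown

# Constructed sample inventory: hostname, product, firmware reported by the device.
SAMPLE_INVENTORY = [
    ("plc-line1", "SIMATIC S7-1200 CPU family", "V4.5.2"),
    ("plc-line2", "SIMATIC S7-1200 CPU family", "V4.6.0"),
    ("drive-01", "SIMATIC Drive Controller CPU 1504D TF", "V2.9.2"),
    ("oc-cell3", "SIMATIC ET 200SP Open Controller CPU 1515SP PC2", "V21.9.7"),
    ("hmi-01", "SIMATIC HMI Panel", "V17.0"),  # not in the table -> unknown
]
```

Running `triage(SAMPLE_INVENTORY)` on the sample data returns `plc-line1` and `drive-01` as needing the patch, `plc-line2` and `oc-cell3` as fixed, and `hmi-01` as unknown.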
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
- HOTFIX: Update SIPLUS S7-1500 CPU 1511-1 PN T1 RAIL firmware to version 2.9.7 or later
- HOTFIX: Update SIMATIC Drive Controller CPU 1504D TF firmware to version 2.9.7 or later
- HOTFIX: Update SIMATIC Drive Controller CPU 1507D TF firmware to version 2.9.7 or later
- HOTFIX: Update SIMATIC S7-1500 Software Controller V2 to version 21.9.7 or later
- HOTFIX: Update SIMATIC S7-PLCSIM Advanced to version 5.0 or later
- HOTFIX: Update TIM 1531 IRC and SIPLUS TIM 1531 IRC firmware to version 2.3.6 or later
All products
- HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 firmware to version 21.9.7 or later
- HOTFIX: Update SIMATIC S7-1200 CPU family firmware to version 4.6.0 or later
- HOTFIX: Update SIMATIC S7-1500 CPU family firmware to version 2.9.7 or later (for 1510SP, 1511, 1512SP, 1513, 1516 models)
- HOTFIX: Update SIMATIC S7-1500 CPU 1516T-3, 1516TF-3, 1517, 1518 models firmware to version 3.0.1 or later
Long-term hardening
- HARDENING: Implement network segmentation to isolate SIMATIC controllers from untrusted networks and enforce firewall rules to restrict access to port 102 (S7 communication) to authorized engineering stations only