OTPulse

Denial of Service Vulnerability in Webserver of Industrial Products

Plan: Patch · 7.5 · SSA-480230 · Apr 9, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A denial of service vulnerability exists in the webserver component integrated into many Siemens industrial products. An unauthorized attacker with network access to the webserver can send specially crafted requests that trigger a memory read defect (CWE-125), causing the device to become unresponsive or crash. Affected products include S7-300, S7-400, and S7-1500 PLCs; WinAC soft controllers; WinCC and HMI panels; SINAMICS motor drives and soft starters; ET 200 distributed I/O modules; communication modules; power supplies; RFID readers; and teleservice adapters. Siemens has released firmware updates for many affected products but has stated that no fix is available for several older-generation devices including S7-400 V6 and below, SINAMICS S120/S150 V4.6 through V4.7 SP1, SINAMICS G130/G150 V4.6 through V4.7 SP1, and various communication and power supply modules.

What this means
What could happen
An attacker on the network could send crafted requests to the webserver component built into these controllers, PLCs, and drives, causing them to become unresponsive and stop processing legitimate commands until rebooted. This could halt production lines, stop motor drives, or disrupt data collection from field devices.
Who's at risk
Manufacturing sites using Siemens industrial controllers and drives are affected, including: PLCs (S7-300, S7-400, S7-1500 families), soft controllers (WinAC RTX), HMI panels (WinCC Runtime, Comfort Panels, KTP Mobile), motor drives and soft starters (SINAMICS G130, G150, S120, S150, S210), I/O modules (ET 200S, ET 200pro, ET 200SP), communication modules (CP 443, CP 343, TIM 1531), power supplies (SITOP), RFID readers, and teleservice adapters. Any site with these devices reachable from the network is potentially vulnerable.
How it could be exploited
An attacker with network access to the webserver port (typically 80 or 443) on any affected Siemens device sends specially crafted HTTP requests that trigger a buffer over-read or similar memory defect in the webserver code. The device crashes or hangs, stopping all process control until manually restarted.
Prerequisites
  • Network access to the device's webserver port (typically 80 or 443)
  • No authentication required
  • Device must have webserver enabled (default on most models)
  • Remotely exploitable over the network
  • No authentication required
  • Low attack complexity
  • Affects multiple critical control system types
  • Many products have no patch available
  • Affects production availability
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (85)
61 with fix · 24 pending

Product                          | Affected Versions | Fix Status
SIMATIC S7-300 CPU 317F-2 PN/DP  | < V3.2.16         | 3.2.16
SIMATIC S7-300 CPU 317T-3 PN/DP  | < V3.2.16         | 3.2.16
SIMATIC S7-300 CPU 317TF-3 PN/DP | < V3.2.16         | 3.2.16
SIMATIC S7-300 CPU 319-3 PN/DP   | < V3.2.16         | 3.2.16
SIMATIC S7-300 CPU 319F-3 PN/DP  | < V3.2.16         | 3.2.16
Remediation & Mitigation
Do now
WORKAROUND: For SIMATIC S7-400 PN/DP, SINAMICS S120/S150 V4.6, V4.7, V4.7 SP1, SINAMICS G130/G150 V4.6, V4.7, V4.7 SP1, SIMATIC Teleservice Adapter IE variants, CP 1604, CP 1616, CP 343-1 Advanced, CP 443-1 OPC UA, RF182C, and RFID 181EIP, where no fix is available: implement network segmentation to restrict access to the webserver port to authorized engineering and management stations only.
WORKAROUND: Disable the webserver on affected devices if it is not needed for plant operations or remote monitoring, using the device's engineering tools or configuration interface.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC WinAC RTX 2010
HOTFIX: Update SIMATIC WinAC RTX 2010 and RTX F 2010 to version 2010 SP3.
SIMATIC WinCC Runtime Advanced
HOTFIX: Update SIMATIC WinCC Runtime Advanced and HMI Comfort/KTP panels to version 15.1 Upd4.
SIMATIC CP 443-1
HOTFIX: Update SIMATIC CP 443-1 and CP 443-1 Advanced to version 3.3.
SINAMICS S210
HOTFIX: Update SINAMICS S210 to version 5.1 SP1 HF8.
SIMATIC IPC DiagMonitor
HOTFIX: Update SIMATIC IPC DiagMonitor to version 5.1.3.
SITOP Manager
HOTFIX: Update SITOP Manager, SITOP PSU8600, SITOP UPS1600, and TIM 1531 IRC to version 1.1, 1.5, 2.3, and 2.1 respectively.
All products
HOTFIX: Update SIMATIC S7-300 CPU 314C-2, CPU 315-2, CPU 315F-2, CPU 315T-3, CPU 317-2, CPU 317F-2, CPU 317T-3, CPU 317TF-3, CPU 319-3, CPU 319F-3, and related ET 200S/ET 200pro models to firmware version 3.2.16 or 3.3.16 as applicable.
HOTFIX: Update SIMATIC S7-1500 CPU family, ET 200SP Open Controller CPU 1515SP PC, and related models to firmware version 2.6.1 or 2.7 as applicable.
HOTFIX: Update SINAMICS G130, G150, and S120/S150 drives to version 4.8 HF6 or 5.1 SP1 HF4 as applicable.
HOTFIX: Update SIMOCODE pro V Ethernet/IP and PROFINET variants to version 1.1.3 and 2.1.3 respectively.
HOTFIX: Update SIMATIC RF185C, RF186C, RF188C, and RF600R RFID readers to version 1.1.0 or 3.2.1 as applicable.
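As an added example (not part of this advisory and not a Siemens tool), the following Python helper parses Siemens-style version strings such as "V4.7 SP1" or "V5.1 SP1 HF8" and checks a constructed device inventory against the fix thresholds listed in the affected-products table and the hotfix list above, separating devices that need the hotfix from those in the branches for which the advisory states no fix exists. The branch bounds in FIX_RULES and the sample inventory are this example's own assumptions.

```python
import re

# Siemens-style version strings look like "V3.2.16", "V4.7 SP1", "V5.1 SP1 HF8" or "V6".
_VERSION_RE = re.compile(r"^V?(\d+(?:\.\d+)*)(?:\s*SP(\d+))?(?:\s*HF(\d+))?$", re.IGNORECASE)

def parse_version(text):
    """Turn a Siemens version string into a sortable key: (numbers, SP level, HF level)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (3 - len(nums))  # "V6" -> (6, 0, 0) so it compares cleanly with "V6.0.3"
    return (tuple(nums), int(m.group(2) or 0), int(m.group(3) or 0))
# Rules taken from the advisory text: (product, branch_lo, branch_hi, fixed_version). A device
# version v matches when branch_lo <= v < branch_hi (None = unbounded); fixed_version None means
# the advisory states no fix for that branch. Branch bounds are this example's own assumption.
FIX_RULES = [
    ("SIMATIC S7-300 CPU 317F-2 PN/DP", None, None, "V3.2.16"),
    ("SINAMICS S210", None, None, "V5.1 SP1 HF8"),
    ("SIMATIC S7-400 PN/DP", None, "V7", None),     # "V6 and below": no fix
    ("SINAMICS S120", "V4.6", "V4.8", None),         # V4.6 .. V4.7 SP1: no fix
    ("SINAMICS S120", "V4.8", "V5.0", "V4.8 HF6"),
    ("SINAMICS S120", "V5.1", "V5.2", "V5.1 SP1 HF4"),
]
def triage(product, version):
    """Classify one device: 'patch to <v>', 'no fix: ...', 'ok' or 'unknown: ...'."""
    v = parse_version(version)
    for name, lo, hi, fix in FIX_RULES:
        if name != product:
            continue
        if lo is not None and v < parse_version(lo):
            continue
        if hi is not None and v >= parse_version(hi):
            continue
        if fix is None:
            return "no fix: restrict or disable the webserver (see workarounds)"
        return f"patch to {fix}" if v < parse_version(fix) else "ok"
    return "unknown: product or version branch not covered by the rules above"

# Constructed sample inventory (not real plant data): (product, installed firmware).
SAMPLE_INVENTORY = [
    ("SIMATIC S7-300 CPU 317F-2 PN/DP", "V3.2.12"),
    ("SINAMICS S120", "V4.7 SP1"),
    ("SINAMICS S120", "V5.1 SP1 HF2"),
    ("SIMATIC S7-400 PN/DP", "V6.0.3"),
]
if __name__ == "__main__":
    for product, fw in SAMPLE_INVENTORY:
        print(f"{product:34} {fw:14} {triage(product, fw)}")
```

Devices reported as "unknown" fall outside the rules transcribed here and should be checked against the full advisory table rather than assumed safe.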
Long-term hardening
HARDENING: Implement firewall rules at the plant network perimeter to block unauthorized access to webserver ports (80, 443) on all industrial devices, restricting inbound access to known engineering workstations and monitoring systems only.
HARDENING: Segment OT networks to separate production control devices from general IT networks and restrict east-west traffic between OT zones using firewalls or managed switches.