Information Disclosure Vulnerability in SIMATIC S7-200 SMART Devices
Severity score: 8.2 · Siemens advisory: SSA-481506 · Published: Jun 11, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SIMATIC S7-200 SMART CPUs (CR40, CR60, SR20, SR30, SR40, SR60, ST20, ST30, ST40, ST60) contain an information disclosure vulnerability that allows attackers to predict IP ID sequence numbers. This predictable sequence can be leveraged to mount denial-of-service attacks or information gathering attacks against the PLC. No vendor fix is available for any affected model.
What this means
What could happen
An attacker with network access to the PLC could learn information about network traffic patterns and eventually launch a denial-of-service attack that stops the controller from communicating with other devices on your network, disrupting plant operations.
Who's at risk
Water authorities, municipal utilities, and any industrial facility using SIMATIC S7-200 SMART series PLCs for process control should be concerned. The CR, SR, and ST series are commonly used in small to medium automation tasks across pump stations, water treatment processes, and distribution system controls.
How it could be exploited
An attacker on the network sends specially crafted packets to the PLC to observe its IP ID generation pattern. Once the attacker can predict the sequence, they can send forged packets that appear to come from trusted devices, allowing them to inject commands or disrupt communications. This could lead to service unavailability on the PLC itself.
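A passive way to confirm which devices on a control segment actually exhibit this behaviour, as an added example that is not part of the advisory or of any Siemens material: it reads the source address and IP ID field of packets already captured on a span port or tap (the shape of `tshark -T fields -e ip.src -e ip.id` output; the sample lines below are constructed, not real captures), groups them by sender, and classifies each sender's ID generation. The class names and thresholds are a simplified version of the usual IP ID sequence heuristics and are this example's own assumption, not anything stated on the page.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Sequence

# One line per packet sent BY the device under review: "<ip.src> <ip.id>",
# the column layout of `tshark -T fields -e ip.src -e ip.id` (hex or decimal ID).
LINE_RE = re.compile(
    r"^(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<id>0x[0-9a-fA-F]{1,4}|\d{1,5})$"
)

# Constructed sample capture (not from the advisory): four senders, four behaviours.
SAMPLE_CAPTURE = """\
ip.src        ip.id
10.10.5.20    0x1a2b
10.10.5.20    0x1a2c
10.10.5.20    0x1a2d
10.10.5.20    0x1a2f
10.10.5.20    0x1a30
10.10.5.21    0x5c01
10.10.5.21    0x5d01
10.10.5.21    0x5e01
10.10.5.21    0x5f01
10.10.5.40    0x9f31
10.10.5.40    0x0c84
10.10.5.40    0xd117
10.10.5.40    0x4be0
10.10.5.50    0x0000
10.10.5.50    0x0000
10.10.5.50    0x0000
10.10.5.50    0x0000
""".splitlines()

# Classes treated as predictable: an observer can guess the next ID a device will use.
PREDICTABLE = {"zero", "constant", "incremental", "incremental-byteswapped"}


def parse_capture(lines: Iterable[str]) -> Dict[str, List[int]]:
    """Group observed IP ID values by sending host; header/blank/non-IPv4 lines are skipped."""
    ids_by_host: Dict[str, List[int]] = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        raw = m["id"]
        ids_by_host[m["src"]].append(int(raw, 16) if raw.lower().startswith("0x") else int(raw, 10))
    return dict(ids_by_host)


def _deltas(ids: Sequence[int]) -> List[int]:
    """Differences between consecutive IDs, modulo the 16-bit field width (handles wraparound)."""
    return [(b - a) % 0x10000 for a, b in zip(ids, ids[1:])]


def _swap16(v: int) -> int:
    """Swap the two bytes of a 16-bit value (some stacks increment in little-endian order)."""
    return ((v & 0xFF) << 8) | (v >> 8)


def classify_ipid(ids: Sequence[int]) -> str:
    """Classify an ID sequence; the step bound of 16 is this example's assumption."""
    if len(ids) < 4:
        return "insufficient"
    if all(v == 0 for v in ids):
        return "zero"
    deltas = _deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(1 <= d <= 16 for d in deltas):
        return "incremental"
    if all(1 <= d <= 16 for d in _deltas([_swap16(v) for v in ids])):
        return "incremental-byteswapped"
    return "random"


def predictable_hosts(lines: Iterable[str]) -> Dict[str, str]:
    """Return {host: class} for every sender whose IP ID generation is predictable."""
    classified = {host: classify_ipid(ids) for host, ids in parse_capture(lines).items()}
    return {host: cls for host, cls in classified.items() if cls in PREDICTABLE}


if __name__ == "__main__":
    for host, cls in predictable_hosts(SAMPLE_CAPTURE).items():
        print(f"{host}: {cls} IP ID generation (prioritise segmentation / allow-listing)")
```

The check never sends traffic to the PLC; it only reads an existing capture. Hosts it reports as predictable are the ones to prioritise for the firewall allow-list and segment isolation described under Remediation, and a sender classified as "random" with the same capture length is a useful control to confirm the capture itself is sound.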
Prerequisites
- Network connectivity to the PLC (direct or through network path)
- No authentication required to observe or craft IP packets
- Ability to send and receive packets to/from the PLC's network interface
Tags: remotely exploitable · no authentication required · no patch available · predictable network behavior
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (10)
End of life: 10
Product | Affected Versions | Fix Status
SIMATIC S7-200 SMART CPU CR60 | All versions | No fix (EOL)
SIMATIC S7-200 SMART CPU SR20 | All versions | No fix (EOL)
SIMATIC S7-200 SMART CPU SR30 | All versions | No fix (EOL)
SIMATIC S7-200 SMART CPU SR40 | All versions | No fix (EOL)
SIMATIC S7-200 SMART CPU SR60 | All versions | No fix (EOL)
SIMATIC S7-200 SMART CPU ST20 | All versions | No fix (EOL)
SIMATIC S7-200 SMART CPU ST40 | All versions | No fix (EOL)
SIMATIC S7-200 SMART CPU ST60 | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the SIMATIC S7-200 SMART CPU using firewall rules: allow only authorized engineering workstations and supervisory systems to communicate with the PLC.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC S7-200 SMART CPU CR60, SIMATIC S7-200 SMART CPU SR20, SIMATIC S7-200 SMART CPU SR30, SIMATIC S7-200 SMART CPU SR40, SIMATIC S7-200 SMART CPU SR60, SIMATIC S7-200 SMART CPU ST20, SIMATIC S7-200 SMART CPU ST40, SIMATIC S7-200 SMART CPU ST60, SIMATIC S7-200 SMART CPU CR40, SIMATIC S7-200 SMART CPU ST30. Apply the following compensating controls:
HARDENING: Isolate the PLC on a separate control network segment, not directly connected to corporate IT or the internet.
HARDENING: Configure network access controls (ACLs) to block unauthorized inbound traffic to the PLC's network interface.
HARDENING: Review and implement the Siemens Operational Guidelines for Industrial Security to establish a baseline secure configuration for your automation environment.
HARDENING: Monitor network traffic to the PLC for unusual packet patterns or communication attempts.
CVEs (1)
API: /api/v1/advisories/fcf0f179-a25f-4aa1-9d24-a96c5525b7b5