Denial-of-Service Vulnerability in SIMATIC S7-300 CPUs and SINUMERIK Controller
Monitor | Score 5.9 | SSA-492828 | Nov 10, 2020
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A denial-of-service vulnerability in SIMATIC S7-300 CPUs, SIMATIC TDC CPU555, and SINUMERIK 840D sl controllers allows an attacker to crash the device by sending specially crafted packets to port 102 (the S7 communication protocol port). The affected devices become unresponsive and require manual restart. No vendor patches are available for these products. Siemens recommends protecting network access to these devices with firewalls and network segmentation, and following their Industrial Security operational guidelines.
What this means
What could happen
An attacker can crash the CPU or controller by sending crafted packets to port 102, causing the device to stop responding and interrupting production until the device is rebooted.
Who's at risk
Water authorities and electric utilities operating Siemens automation equipment, specifically organizations using SIMATIC S7-300 PLCs, TDC CPU555 controllers, or SINUMERIK CNC controllers for pump stations, treatment processes, generation control, or machining operations. Any facility where an unexpected controller restart would interrupt critical production.
How it could be exploited
An attacker with network access to port 102 (the Siemens S7 communication protocol port) sends specially crafted packets to the affected CPU or controller. Processing these packets exhausts resources or drives the device into an unstable state, leaving it unresponsive. No authentication is required.
Prerequisites
- Network reachability to port 102 on the affected CPU or controller
- No authentication or credentials required
Tags: remotely exploitable, no authentication required, no patch available, affects availability of critical process control
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (3)
3 EOL
Product | Affected Versions | Fix Status
SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants) | All versions | No fix (EOL)
SIMATIC TDC CPU555 | All versions | No fix (EOL)
SINUMERIK 840D sl | All versions | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to port 102 (S7 protocol port) using firewall rules, ACLs, or network segmentation. Only allow connections from authorized engineering workstations and SCADA systems.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants), SIMATIC TDC CPU555, SINUMERIK 840D sl. Apply the following compensating controls:
HARDENING: Isolate SIMATIC S7-300 CPUs and SINUMERIK controllers on a separate network segment (OT DMZ or control network) that is not directly accessible from the corporate network.
HARDENING: Monitor for unusual connection attempts to port 102 and implement alerting for failed or repeated connection attempts.
HARDENING: Follow Siemens operational guidelines for Industrial Security to harden the control environment. Reference: https://www.siemens.com/cert/operational-guidelines-industrial-security
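The two network controls above (allowlisting port 102 sources and alerting on repeated attempts) can be checked against firewall logs. The script below is an added example written for this advisory, not code from Siemens or from the advisory tracker; the log line format, the authorized source addresses and the sample log entries are all constructed assumptions.

```python
import re
from collections import Counter

# Constructed firewall log format (assumption, not a real vendor format):
#   "<timestamp> <ALLOW|DROP> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DROP) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)

S7_PORT = 102  # S7 communication protocol port named in the advisory

# Hosts permitted to reach port 102 on the PLCs: engineering workstation
# and SCADA server. Constructed placeholder addresses.
AUTHORIZED_SOURCES = {"10.10.1.5", "10.10.1.6"}


def parse_line(line):
    """Parse one log line into a dict, or return None for unparseable input."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev


def analyze(lines, threshold=3):
    """Check port-102 traffic against the allowlist and attempt threshold.

    Returns (unauthorized_allowed, repeated_sources):
      unauthorized_allowed: (src, dst) pairs where a host outside the
        allowlist was ALLOWED to port 102, i.e. a gap in the firewall rules.
      repeated_sources: {src: count} for non-allowlisted hosts that tried
        port 102 at least `threshold` times (allowed or dropped).
    """
    unauthorized = []
    attempts = Counter()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dport"] != S7_PORT:
            continue  # skip malformed lines and non-S7 traffic
        attempts[ev["src"]] += 1
        if ev["action"] == "ALLOW" and ev["src"] not in AUTHORIZED_SOURCES:
            unauthorized.append((ev["src"], ev["dst"]))
    repeated = {src: n for src, n in attempts.items()
                if n >= threshold and src not in AUTHORIZED_SOURCES}
    return unauthorized, repeated


# Constructed sample log: one authorized session, one host retrying after
# drops, one unauthorized host that the firewall let through, one non-S7 flow.
SAMPLE_LOG = [
    "2020-11-10T08:00:01Z ALLOW src=10.10.1.5 dst=10.10.2.20 dport=102",
    "2020-11-10T08:00:05Z DROP src=192.168.50.7 dst=10.10.2.20 dport=102",
    "2020-11-10T08:00:06Z DROP src=192.168.50.7 dst=10.10.2.20 dport=102",
    "2020-11-10T08:00:07Z DROP src=192.168.50.7 dst=10.10.2.21 dport=102",
    "2020-11-10T08:00:09Z ALLOW src=192.168.50.9 dst=10.10.2.20 dport=102",
    "2020-11-10T08:00:11Z ALLOW src=10.10.1.5 dst=10.10.2.20 dport=443",
    "not a firewall line",
]
```

Running analyze(SAMPLE_LOG) reports 192.168.50.9 as an allowlist violation (rule gap to fix) and 192.168.50.7 as a repeated-attempt source worth an alert.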
CVEs (1)