Denial-of-Service Vulnerability in SIMATIC S7-400 CPUs
Plan Patch · CVSS 7.5 · SSA-557541 · Apr 12, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SIMATIC S7-400 CPUs contain a memory-safety flaw (CWE-119, improper restriction of operations within the bounds of a memory buffer) that is reached through insufficiently validated network input. An attacker who can send a specially crafted packet to the CPU triggers a denial-of-service condition in which the CPU stops responding; normal operation is restored only by a manual restart of the device. Most S7-400 models (the DP-only variants) have no fix available. Firmware updates exist for S7-400 H V6, specific S7-400 V7 PN/DP models, and the S7-410 V8 and S7-410 V10 CPU families.
What this means
What could happen
An attacker can trigger a denial-of-service condition on SIMATIC S7-400 CPUs by sending a specially crafted network packet, causing the PLC to stop responding and halting production until manually restarted.
Who's at risk
Water utilities and municipal electric systems that rely on SIMATIC S7-400 series PLCs for process control (pumping, treatment, distribution, power generation, and switching operations). Any facility using S7-400 CPUs for critical automation is at risk; models without available fixes are the highest concern.
How it could be exploited
An attacker with network access to the S7-400 CPU sends a malformed packet that the CPU does not validate correctly. The CPU crashes or enters a non-responsive state, interrupting process control until an operator restarts it by hand.
Prerequisites
- Network access to the S7-400 CPU (typically the PROFINET/Ethernet interface on PN/DP models, or an Ethernet communications processor in the rack for DP-only models). The advisory does not name the affected protocol or port, so treat every network-reachable service on the CPU as in scope.
- No authentication required
Tags: remotely exploitable · no authentication required · low complexity · high CVSS score (7.5) · no patch available for most models · affects safety-critical systems
Exploitability
Low exploit probability (EPSS 0.4%, the predicted probability of exploitation in the wild within the next 30 days). The high CVSS score reflects impact, not likelihood; for a PLC that stays down until someone walks to the cabinet, the impact side is what matters.
Affected products (20): 10 with fix, 10 pending (5 of 20 rows shown)

Product                              Affected Versions   Fix Status
SIMATIC S7-400 CPU 412-1 DP V7       All versions        No fix yet
SIMATIC S7-400 CPU 412-2 DP V7       All versions        No fix yet
SIMATIC S7-400 CPU 412-2 PN/DP V7    < V7.0.3            V7.0.3
SIMATIC S7-400 CPU 414-2 DP V7       All versions        No fix yet
SIMATIC S7-400 CPU 414-3 DP V7       All versions        No fix yet
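Deciding per device whether to patch, work around, or ignore means comparing firmware strings against the fix column, and firmware strings must be compared numerically (as strings, "V7.0.10" sorts before "V7.0.9"). The script below is an added example, not part of the advisory; its FIX_STATUS table contains only the five rows shown on this page plus the three family-level hotfixes from the remediation section, and the asset tags and inventory are constructed. The product name keys, the assess()/triage() functions and the "not_listed" status are this example's own conventions.

```python
"""Triage an S7-400/S7-410 CPU inventory against the fix status published in SSA-557541.

Added example, not part of the advisory. FIX_STATUS is copied from the affected-product
table and remediation steps on this page (5 of the 20 table rows plus the three
family-level hotfixes); extend it with the remaining rows from the full advisory.
"""

# Product -> first fixed firmware. None means "no fix yet": every version is affected.
FIX_STATUS = {
    "SIMATIC S7-400 CPU 412-1 DP V7": None,
    "SIMATIC S7-400 CPU 412-2 DP V7": None,
    "SIMATIC S7-400 CPU 412-2 PN/DP V7": "V7.0.3",
    "SIMATIC S7-400 CPU 414-2 DP V7": None,
    "SIMATIC S7-400 CPU 414-3 DP V7": None,
    # Family-level hotfixes from the remediation section
    "SIMATIC S7-400 H V6": "V6.0.10",
    "SIMATIC S7-410 V8": "V8.2.3",
    "SIMATIC S7-410 V10": "V10.1",
}


def parse_version(text):
    """'V7.0.3' -> (7, 0, 3). Compare firmware as integer tuples, never as strings."""
    text = text.strip()
    if text[:1] in ("V", "v"):
        text = text[1:]
    return tuple(int(part) for part in text.split("."))


def assess(product, firmware):
    """Return {'status': ..., 'fix': ...} for one device.

    status is one of:
      not_listed - product is not in FIX_STATUS (absent from this excerpt, not proven safe)
      no_fix     - affected, no firmware fix published: apply the network workaround
      update     - affected, update to the version in 'fix'
      fixed      - running the fixed firmware or later
    """
    if product not in FIX_STATUS:
        return {"status": "not_listed", "fix": None}
    fix = FIX_STATUS[product]
    if fix is None:
        return {"status": "no_fix", "fix": None}
    if parse_version(firmware) >= parse_version(fix):
        return {"status": "fixed", "fix": fix}
    return {"status": "update", "fix": fix}


def triage(inventory):
    """inventory: iterable of (asset_tag, product, firmware). Returns asset_tag -> assessment."""
    return {tag: assess(product, firmware) for tag, product, firmware in inventory}


# Constructed sample inventory; the asset tags and firmware levels are made up.
SAMPLE_INVENTORY = [
    ("PLC-01", "SIMATIC S7-400 CPU 412-2 PN/DP V7", "V7.0.2"),
    ("PLC-02", "SIMATIC S7-400 CPU 412-2 PN/DP V7", "V7.0.3"),
    ("PLC-03", "SIMATIC S7-400 CPU 414-3 DP V7", "V7.0.3"),
    ("PLC-04", "SIMATIC S7-410 V8", "V8.2.10"),
    ("PLC-05", "SIMATIC S7-1500", "V2.9"),
]

if __name__ == "__main__":
    for tag, result in triage(SAMPLE_INVENTORY).items():
        print(tag, result["status"], result["fix"] or "")
```

PLC-04 is the case that a naive string comparison gets wrong: "V8.2.10" is newer than the V8.2.3 fix, but as a string it sorts before it. Treat "not_listed" as "look it up in the full advisory", not as "unaffected", since this page shows only a quarter of the table.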
Remediation & Mitigation
Do now
WORKAROUND: For S7-400 DP-only models (412-1, 412-2 DP, 414-2, 414-3, 416-2, 416-3, 416F-2, 417-4 DP) and SIPLUS variants without fixes available, implement network-based access controls that restrict connections to the CPU to known engineering and SCADA hosts. Apply them on whichever interface exposes the CPU to the network: the PROFINET port on PN/DP models, or the Ethernet communications processor through which a DP-only CPU is reached.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC S7-400 CPU 412-2 PN/DP V7
HOTFIX: Update SIMATIC S7-400 CPU 412-2 PN/DP V7, 414-3 PN/DP V7, 414F-3 PN/DP V7, 416-3 PN/DP V7, and 416F-3 PN/DP V7 to firmware version 7.0.3 or later
All products
HOTFIX: Update SIMATIC S7-400 H V6 CPUs to firmware version 6.0.10 or later
HOTFIX: Update SIMATIC S7-410 V8 CPUs to firmware version 8.2.3 or later
HOTFIX: Update SIMATIC S7-410 V10 CPUs to firmware version 10.1 or later (contact local Siemens support for availability)
Long-term hardening
HARDENING: Segment S7-400 CPUs from untrusted networks using industrial firewalls or network switches with ACLs; allow inbound traffic only from the engineering workstations and SCADA systems that need it and deny everything else by default.
HARDENING: Monitor process logs and establish automated alerts for unexpected PLC restarts or loss of communications from S7-400 devices. The signature of this vulnerability is a CPU that stops answering and only comes back after a manual restart, so a communications gap followed by an uptime reset outside a planned maintenance window is the event to alert on.
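The detection logic for that hardening item, as an added example that is not part of the advisory: it runs over constructed poller log lines and raises one alert when a CPU goes silent for a configurable number of consecutive polls, and another when its uptime counter goes backwards between two successful polls. The line format, the poller, and the PLC names are assumptions for this example; the "uptime" value could come from any source that resets on a CPU restart (for instance a counter the user program increments in a data block, which is itself an assumption here), so parse_line() is the only part that needs adapting.

```python
"""Detect loss of communications and unexpected restarts from PLC poller log lines.

Added example, not from the advisory. Assumes a hypothetical poller that writes one
line per poll in one of two shapes (both constructed for this example):
  <ISO timestamp> plc=<name> status=ok uptime=<seconds since CPU restart>
  <ISO timestamp> plc=<name> status=timeout
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) plc=(?P<plc>\S+) status=(?P<status>ok|timeout)"
    r"(?: uptime=(?P<uptime>\d+))?$"
)


def parse_line(line):
    """Parse one poller line into a dict, or return None for lines in another format."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    record = match.groupdict()
    record["uptime"] = int(record["uptime"]) if record["uptime"] is not None else None
    return record


def detect(lines, timeout_threshold=3):
    """Return a list of (timestamp, plc, alert) tuples in log order.

    LOSS_OF_COMM       raised once per outage, on the Nth consecutive timeout.
    UNEXPECTED_RESTART raised when uptime is lower than at the previous good poll,
                       i.e. the CPU was restarted (this is what a CPU knocked over by
                       the crafted packet and then manually restarted looks like).
    """
    alerts = []
    consecutive_timeouts = defaultdict(int)
    last_uptime = {}
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue  # ignore unrelated log lines rather than failing the whole run
        plc = record["plc"]
        if record["status"] == "timeout":
            consecutive_timeouts[plc] += 1
            if consecutive_timeouts[plc] == timeout_threshold:
                alerts.append((record["ts"], plc, "LOSS_OF_COMM"))
            continue
        consecutive_timeouts[plc] = 0  # a good poll ends the outage
        if record["uptime"] is None:
            continue
        previous = last_uptime.get(plc)
        if previous is not None and record["uptime"] < previous:
            alerts.append((record["ts"], plc, "UNEXPECTED_RESTART"))
        last_uptime[plc] = record["uptime"]
    return alerts


# Constructed sample log: PLC-01 goes silent for four polls and returns with a reset
# uptime; PLC-02 has a single missed poll, which is normal noise and must not alert.
SAMPLE_LOG = """\
2022-04-12T10:00:00Z plc=PLC-01 status=ok uptime=86400
2022-04-12T10:00:00Z plc=PLC-02 status=ok uptime=3600
2022-04-12T10:00:30Z plc=PLC-01 status=ok uptime=86430
2022-04-12T10:00:30Z plc=PLC-02 status=timeout
2022-04-12T10:01:00Z plc=PLC-01 status=timeout
2022-04-12T10:01:00Z plc=PLC-02 status=ok uptime=3660
2022-04-12T10:01:30Z plc=PLC-01 status=timeout
2022-04-12T10:02:00Z plc=PLC-01 status=timeout
2022-04-12T10:02:30Z plc=PLC-01 status=timeout
2022-04-12T10:05:00Z plc=PLC-01 status=ok uptime=20
"""

if __name__ == "__main__":
    for ts, plc, alert in detect(SAMPLE_LOG.splitlines()):
        print(ts, plc, alert)
```

The timeout threshold is the knob that trades false positives against time to detect: one missed poll on a busy PROFINET segment is routine, three in a row is not. To avoid paging on planned work, feed the alert tuples through your maintenance calendar before they reach an operator, rather than suppressing them inside the detector.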
CVEs (1)