OTPulse

Denial of Service Vulnerability in the OPC UA Implementations of SIMATIC Products

Action: Plan Patch
Score: 7.5
Advisory: SSA-711309
Date: Sep 12, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The OPC UA implementations (ANSI C and C++) used in SIMATIC products contain a denial of service vulnerability triggered by receipt of a specially crafted certificate. An unauthenticated remote attacker can cause the OPC UA service to crash by sending a malformed certificate, rendering the device unavailable until manual restart. Affected products include S7-1500 series PLCs, ET 200SP modules, Drive Controllers, WinCC SCADA systems, PCS 7 process control, and engineering software. Siemens has released firmware updates for most products, but several legacy versions have no fix planned.

What this means
What could happen
An attacker can send a malformed OPC UA certificate to any vulnerable SIMATIC device over the network, causing it to crash and stop responding. This interrupts production until the device is manually restarted.
Who's at risk
Manufacturing facilities and transportation systems using SIMATIC automation products. Specifically affects: S7-1500 series PLCs, ET 200SP distributed I/O modules, SIMATIC Drive Controllers, WinCC HMI/SCADA systems, SIMATIC PCS 7 process control, and engineering workstations running SIMATIC NET PC Software. Any facility relying on these devices for real-time process control (assembly lines, conveyor systems, drive systems, distributed control networks) should be considered impacted.
How it could be exploited
An attacker with network access to a SIMATIC device's OPC UA port (typically 4840) sends a specially crafted certificate during the OPC UA handshake. The vulnerable OPC UA implementation (ANSI C or C++) fails to properly validate the certificate structure and crashes, making the device unavailable. No authentication is required.
Prerequisites
  • Network reachability to the device's OPC UA port (default 4840 or configured alternative)
  • Device must have OPC UA enabled and accessible from attacker's network segment
  • No authentication credentials required

Key risk factors
  • Remotely exploitable over network
  • No authentication required
  • Low complexity attack
  • High impact on availability (device denial of service)
  • Affects multiple critical PLC and SCADA product lines
  • No patch available for several widely-used products (WinCC V7.4, WinCC Runtime Professional V16-V18, SIMATIC Comfort/Mobile RT, SIMATIC PCS neo V4.0, SIMATIC NET PC V14, SIMATIC IPC DiagMonitor)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (114)
106 with fix, 8 pending

Product                                        Affected Versions        Fix Status
SIMATIC BRAUMAT                                All versions < V8.1 SP1  8.1 SP1
SIMATIC Cloud Connect 7 CC712 (6GK1411-1AC00)  < 2.2                    2.2
SIMATIC Cloud Connect 7 CC716 (6GK1411-5AC00)  < 2.2                    2.2
SIMATIC Comfort/Mobile RT                      All versions             No fix yet
SIMATIC Drive Controller CPU 1504D TF          < 2.9.7                  2.9.7
Remediation & Mitigation
Do now
SIMATIC Comfort/Mobile RT
HARDENING: For products without vendor fixes (SIMATIC Comfort/Mobile RT, IPC DiagMonitor, NET PC V14, PCS neo, WinCC V7.4, WinCC Runtime Professional V16-V18), implement network segmentation to restrict OPC UA access to trusted engineering workstations only
All products
WORKAROUND: Disable OPC UA service on devices where it is not operationally required
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC WinCC V7.5
HOTFIX: Update SIMATIC WinCC V7.5 to SP2 Update 20 or later
SIMATIC WinCC V8.0
HOTFIX: Update SIMATIC WinCC V8.0 to Update 5 or later
SIMATIC NET PC Software V16
HOTFIX: Update SIMATIC NET PC Software V16 to Update 8 or later, V17 to SP1 Update 1 or later, V18 to Update 1 or later
SIMATIC PCS 7 V9.1
HOTFIX: Update SIMATIC PCS 7 V9.1 to SP2 UC08 or later
SIMATIC WinCC Runtime Professional V19
HOTFIX: Update SIMATIC WinCC Runtime Professional V19 to Update 2 or later
SIMATIC S7-PLCSIM Advanced
HOTFIX: Update SIMATIC S7-PLCSIM Advanced to V5.0 Update 2 or later
All products
HOTFIX: Update SIMATIC S7-1500, ET 200SP, and Drive Controller devices to firmware version 2.9.7 or later (or 3.0.3 if on the 3.x branch)
HOTFIX: Update SIMATIC WinCC OA to version 3.17 P029, 3.18 P019, or 3.19 P005 depending on current version
HARDENING: Restrict network access to OPC UA ports using firewall rules; only allow connections from authorized engineering and SCADA workstations
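One way to turn the firmware fix levels above into an inventory check, as an added example (not code from OTPulse or Siemens): the S7-1500/ET 200SP/Drive Controller branch rule (2.9.7 on 2.x, 3.0.3 on 3.x) and the no-fix status of Comfort/Mobile RT come from this advisory; device names and firmware strings are constructed, and any firmware branch the advisory does not cover is reported as unknown rather than guessed.

```python
from typing import NamedTuple

# First fixed firmware per major branch for S7-1500, ET 200SP and Drive
# Controller (2.9.7 on the 2.x branch, 3.0.3 on the 3.x branch). None = no fix yet.
PLC_FIX = {2: "2.9.7", 3: "3.0.3"}
FIX_LEVELS = {"S7-1500": PLC_FIX, "ET 200SP": PLC_FIX,
              "Drive Controller": PLC_FIX, "Comfort/Mobile RT": None}

class Device(NamedTuple):
    name: str
    product: str
    firmware: str

def parse_version(text: str) -> tuple[int, ...]:
    """'V2.9.4' -> (2, 9, 4); tolerates a leading 'V' and stray whitespace."""
    return tuple(int(part) for part in text.strip().lstrip("Vv").split("."))

def assess(device: Device) -> str:
    """Return 'fixed', 'update to <ver>', 'no fix: mitigate' or an 'unknown' note."""
    for family, branches in FIX_LEVELS.items():
        if family in device.product:
            break
    else:
        return "unknown: product not in rule set, check the advisory"
    if branches is None:
        # Advisory lists no fix: segment the network or disable OPC UA instead.
        return "no fix: mitigate"
    ver = parse_version(device.firmware)
    fixed = branches.get(ver[0])
    if fixed is None:
        return "unknown: firmware branch not covered by the advisory text"
    return "fixed" if ver >= parse_version(fixed) else f"update to {fixed}"

def action_list(inventory: list[Device]) -> dict[str, list[str]]:
    """Group device names by required action; devices already fixed are dropped."""
    actions: dict[str, list[str]] = {}
    for dev in inventory:
        status = assess(dev)
        if status != "fixed":
            actions.setdefault(status, []).append(dev.name)
    return actions

INVENTORY = [  # constructed sample data, not from the advisory
    Device("plc-line1", "SIMATIC S7-1500 CPU", "V2.9.4"),
    Device("plc-line2", "SIMATIC S7-1500 CPU", "V2.9.7"),
    Device("io-cell3", "SIMATIC ET 200SP CPU", "V3.0.1"),
    Device("drive-ctl1", "SIMATIC Drive Controller CPU 1504D TF", "V3.0.3"),
    Device("hmi-panel4", "SIMATIC Comfort/Mobile RT", "V17"),
]
```

Calling `action_list(INVENTORY)` yields one entry per required action, so the "no fix: mitigate" bucket is the list to hand to the segmentation and OPC UA disablement steps above.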