OTPulse

Vulnerabilities in the additional GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP before V1.1

Priority: Act Now
Score: 9.8
Siemens advisory: SSA-794697
Published: Jun 13, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities exist in the GNU/Linux subsystem of the SIMATIC S7-1500 TM MFP firmware version V1.0. These include buffer overflows (CWE-119, CWE-120, CWE-121, CWE-122), integer overflows (CWE-190), weak cryptographic implementations (CWE-327, CWE-326, CWE-295), command injection (CWE-78), improper access control (CWE-284, CWE-287, CWE-863), and improper resource handling (CWE-400, CWE-401, CWE-416). The vulnerabilities allow remote execution of arbitrary code without authentication or user interaction.

What this means
What could happen
An attacker with network access to the S7-1500 TM MFP could execute arbitrary code on the device, potentially altering process logic, stopping operations, or gaining access to connected production systems and engineering workstations.
Who's at risk
Water authorities and municipal electric utilities operating SIMATIC S7-1500 TM MFP controllers for master fault protection or turbine management systems are affected. This includes any plant using these programmable logic controllers (PLCs) for critical process automation.
How it could be exploited
The S7-1500 TM MFP's GNU/Linux subsystem is reachable over the network without authentication required. An attacker could exploit multiple vulnerabilities (buffer overflows, integer overflows, command injection, weak cryptography, and access control flaws) to execute arbitrary commands or code on the device's Linux kernel, then potentially pivot to the industrial control functions or attached systems.
Prerequisites
  • Network access to the S7-1500 TM MFP on its Ethernet interface
  • Device running firmware version V1.0 or earlier
  • No prior authentication or valid credentials required
Tags: remotely exploitable · no authentication required · low complexity · actively exploited (KEV) · high EPSS score (88.5%) · affects control systems · multiple vulnerability types including remote code execution
Exploitability
Actively exploited — confirmed by CISA KEV
Affected products (1)
Product: SIMATIC S7-1500 TM MFP - GNU/Linux subsystem
Affected versions: < V1.1
Fix status: V1.1
Remediation & Mitigation
Do now
  • HOTFIX: Update SIMATIC S7-1500 TM MFP firmware to version V1.1 or later
  • HARDENING: Isolate or segment the S7-1500 TM MFP on the network until the patch can be applied, restricting inbound network access to only authorized engineering and monitoring workstations
  • WORKAROUND: Monitor network traffic to and from the S7-1500 TM MFP for signs of exploitation attempts or unauthorized command execution
CVEs (168)