Multiple Denial of Service Vulnerabilities in Industrial Products
Recommended action: Plan Patch
CVSS Score: 7.5
Siemens Advisory: SSA-838121
Date: Feb 8, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Three denial of service vulnerabilities in Siemens SIMATIC controllers allow unauthenticated remote attackers to crash affected devices by sending specially crafted packets. Affected products include the SIMATIC Drive Controller, S7-1200, S7-1500, ET 200SP Open Controller CPU 1515SP PC2, S7-1500 Software Controller, S7-PLCSIM Advanced, and TIM 1531 IRC. The vulnerabilities stem from improper input validation and resource management (CWE-672, CWE-401). Siemens has released updates for most products. Two product variants (ET 200SP Open Controller CPU 1515SP PC and Ready4Linux) are end-of-life and will not receive fixes.
What this means
What could happen
An attacker with network access to affected Siemens controllers can crash them by sending specially crafted packets, causing the device to stop responding and interrupting production until it is manually restarted. This affects manufacturing plants that rely on these PLCs for continuous operation.
Who's at risk
Manufacturing facilities using Siemens SIMATIC controllers (S7-1200, S7-1500, Drive Controllers, ET 200SP) in production lines, packaging systems, or other continuous processes. Also affects simulation environments using S7-PLCSIM Advanced. The SIMATIC ET 200SP Open Controller CPU 1515SP PC and Ready4Linux variants are end-of-life with no patches available.
How it could be exploited
An attacker sends a specially crafted network packet to the affected controller on port 102 (standard Siemens S7 protocol) or port 502 (Modbus TCP). No authentication or credentials are required. The device stops responding and must be restarted to resume operation.
Prerequisites
- Network access to port 102 (S7 protocol) or port 502 (Modbus TCP)
- No authentication required
- Device running a vulnerable firmware version
- Remotely exploitable
- No authentication required
- Low complexity attack
- High CVSS score (7.5)
- Affects production systems
- No patch available for SIMATIC ET 200SP Open Controller CPU 1515SP PC variants
Exploitability
Moderate exploit probability (EPSS 2.0%)
Affected products (16)
14 with fix, 2 EOL
Product | Affected Versions | Fix Status
SIMATIC Drive Controller family | ≥ V2.9.2 and < V2.9.4 | 2.9.4
SIMATIC Drive Controller family | < V2.9.2 | 2.9.4
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) | ≥ V21.9 and < V21.9.4 | 21.9.4
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) | < V21.9 | 21.9.4
SIMATIC S7-1200 CPU family (incl. SIPLUS variants) | ≥ V4.5.0 and < V4.5.2 | 4.5.2
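The table above is what an asset owner has to compare a PLC inventory against. The following script, an added example that is not part of the advisory page or of Siemens' material, encodes the version rows visible on the page plus the two end-of-life products, parses the `V2.9.2` / `21.9` / `4.0 SP1` version spellings the advisory uses, and classifies each device. The inventory it runs over is constructed sample data, and because the page's table is truncated, a version that falls outside every listed range is reported as such rather than treated as safe.

```python
"""Check a PLC inventory against the fixed-version table of SSA-838121.

Added example (not from the advisory page or from Siemens). The version
ranges come from the rows visible in the page's affected-products table;
the inventory below is constructed sample data.
"""
import re
from collections import Counter

# (product, affected lower bound inclusive or None, affected upper bound
#  exclusive, fix version) -- one tuple per table row on the page.
FIX_TABLE = [
    ("SIMATIC Drive Controller family", "V2.9.2", "V2.9.4", "V2.9.4"),
    ("SIMATIC Drive Controller family", None, "V2.9.2", "V2.9.4"),
    ("SIMATIC ET 200SP Open Controller CPU 1515SP PC2", "V21.9", "V21.9.4", "V21.9.4"),
    ("SIMATIC ET 200SP Open Controller CPU 1515SP PC2", None, "V21.9", "V21.9.4"),
    ("SIMATIC S7-1200 CPU family", "V4.5.0", "V4.5.2", "V4.5.2"),
]

# Products the page lists as end-of-life with no planned fix.
EOL_PRODUCTS = {
    "SIMATIC ET 200SP Open Controller CPU 1515SP PC",
    "SIMATIC ET 200SP Open Controller CPU 1515SP PC2 Ready4Linux",
}

VERSION_RE = re.compile(r"\s*V?(\d+(?:\.\d+)*)(?:\s*SP(\d+))?\s*", re.IGNORECASE)


def parse_version(text):
    """Turn 'V2.9.2', '21.9' or '4.0 SP1' into a comparable tuple.

    Numeric components are zero-padded to four places and an optional
    service-pack number becomes a fifth component, so '4.0' < '4.0 SP1'.
    """
    m = VERSION_RE.fullmatch(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    if len(parts) > 4:
        raise ValueError(f"too many version components: {text!r}")
    service_pack = int(m.group(2)) if m.group(2) else 0
    return tuple(parts + [0] * (4 - len(parts)) + [service_pack])


def assess(product, version):
    """Classify one device as 'eol', 'fixed', 'affected',
    'not_in_listed_ranges' or 'unknown' (product not in the table)."""
    if product in EOL_PRODUCTS:
        return "eol"
    rows = [row for row in FIX_TABLE if row[0] == product]
    if not rows:
        return "unknown"
    v = parse_version(version)
    if v >= max(parse_version(row[3]) for row in rows):
        return "fixed"
    for _, low, high, _ in rows:
        if (low is None or parse_version(low) <= v) and v < parse_version(high):
            return "affected"
    # The page's table is truncated, so a version outside every listed
    # range is flagged for manual review rather than silently treated as safe.
    return "not_in_listed_ranges"


def summarize(inventory):
    """Count statuses over (hostname, product, version) triples."""
    return dict(Counter(assess(product, version) for _, product, version in inventory))


# Constructed sample inventory, not real hosts.
SAMPLE_INVENTORY = [
    ("plc-line1-01", "SIMATIC S7-1200 CPU family", "V4.5.0"),
    ("plc-line1-02", "SIMATIC S7-1200 CPU family", "V4.5.2"),
    ("drv-press-01", "SIMATIC Drive Controller family", "V2.9.1"),
    ("drv-press-02", "SIMATIC Drive Controller family", "V2.9.3"),
    ("oc-pack-01", "SIMATIC ET 200SP Open Controller CPU 1515SP PC2", "V21.9.4"),
    ("oc-legacy-01", "SIMATIC ET 200SP Open Controller CPU 1515SP PC", "V2.7"),
]

if __name__ == "__main__":
    for host, product, version in SAMPLE_INVENTORY:
        print(f"{host:14} {version:8} {assess(product, version)}")
    print(summarize(SAMPLE_INVENTORY))
```

Running it prints one status line per host and the totals for the sample inventory (three affected, two fixed, one end-of-life). To use it against a real fleet, replace `SAMPLE_INVENTORY` with the hostname, product and firmware version exported from the engineering tool or asset database, and extend `FIX_TABLE` with the remaining rows from the full Siemens advisory.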
Remediation & Mitigation
Do now
WORKAROUND: Implement network firewall rules to restrict access to ports 102 and 502 to only authorized engineering workstations and SCADA servers
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIMATIC Drive Controller family
HOTFIX: Update SIMATIC Drive Controller family to version 2.9.4 or later
SIMATIC S7-1500 Software Controller
HOTFIX: Update SIMATIC S7-1500 Software Controller to version 21.9.4 or later
SIMATIC S7-PLCSIM Advanced
HOTFIX: Update SIMATIC S7-PLCSIM Advanced to version 4.0 SP1 or later
TIM 1531 IRC
HOTFIX: Update TIM 1531 IRC to version 2.3.6 or later
All products
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP PC2 to version 21.9.4 or later
HOTFIX: Update SIMATIC S7-1200 CPU family to version 4.5.2 or later
HOTFIX: Update SIMATIC S7-1500 CPU family to version 2.9.4 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC ET 200SP Open Controller CPU 1515SP PC2 Ready4Linux, SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants). Apply the following compensating controls:
HARDENING: Segment PLC network traffic so controllers are isolated from untrusted network segments
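The workaround and hardening items above both come down to one policy: only the engineering workstations and SCADA servers may reach ports 102 and 502 on the PLC segment, and everything else bound for those ports is logged and dropped. The following script is an added example, not part of the advisory page or of any Siemens guidance. It renders that policy as an nftables ruleset for a Linux firewall sitting between the plant network and the PLC VLAN, and mirrors the same decision in Python so a connection list (for example from a flow export) can be audited against it before the rules are loaded. All addresses, host names and connections are constructed.

```python
"""Allowlist for S7 (102/tcp) and Modbus TCP (502/tcp) traffic into a PLC segment.

Added example, not part of the advisory page. Addresses and host names are
constructed. render_nft_ruleset() emits an nftables ruleset for a Linux
firewall placed between the plant network and the PLC segment; is_allowed()
mirrors the same policy in Python so it can be checked against a connection
list before the rules are deployed.
"""
import ipaddress

PLC_SEGMENT = ipaddress.ip_network("10.10.20.0/24")   # constructed PLC VLAN
ALLOWED_CLIENTS = {                                   # constructed hosts
    "eng-ws-01": "10.10.5.11",   # engineering workstation
    "scada-01": "10.10.5.20",    # SCADA server
}
PLC_PORTS = (102, 502)   # S7 protocol and Modbus TCP, as named on the page


def render_nft_ruleset(plc_segment=PLC_SEGMENT, clients=ALLOWED_CLIENTS, ports=PLC_PORTS):
    """Return an nftables ruleset: accept PLC-port traffic from the allowlist,
    log and drop everything else bound for those ports on the PLC segment."""
    elements = ", ".join(sorted(clients.values(), key=ipaddress.ip_address))
    portset = ", ".join(str(p) for p in ports)
    return f"""table inet plc_filter {{
    set plc_clients {{
        type ipv4_addr
        elements = {{ {elements} }}
    }}
    chain forward {{
        type filter hook forward priority 0; policy accept;
        ip daddr {plc_segment} tcp dport {{ {portset} }} ip saddr @plc_clients accept
        ip daddr {plc_segment} tcp dport {{ {portset} }} counter log prefix "PLC-DENY " drop
    }}
}}
"""


def is_allowed(src, dst, dport, plc_segment=PLC_SEGMENT, clients=ALLOWED_CLIENTS, ports=PLC_PORTS):
    """Decide what the ruleset above would do with one TCP connection attempt:
    'accept', 'drop', or 'not_governed' (traffic the policy does not cover)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip not in plc_segment or dport not in ports:
        return "not_governed"
    allowed = {ipaddress.ip_address(a) for a in clients.values()}
    return "accept" if src_ip in allowed else "drop"


def audit(connections):
    """Return the (src, dst, dport) triples the policy would drop."""
    return [c for c in connections if is_allowed(*c) == "drop"]


# Constructed connection list, as a flow export might provide it.
SAMPLE_CONNECTIONS = [
    ("10.10.5.11", "10.10.20.7", 102),   # engineering workstation -> PLC
    ("10.10.5.20", "10.10.20.7", 502),   # SCADA server -> PLC
    ("10.10.30.44", "10.10.20.7", 102),  # office host -> PLC, would be dropped
    ("10.10.30.44", "10.10.20.7", 443),  # office host -> PLC web port, not covered
]

if __name__ == "__main__":
    print(render_nft_ruleset())
    for conn in SAMPLE_CONNECTIONS:
        print(conn, is_allowed(*conn))
    print("would be dropped:", audit(SAMPLE_CONNECTIONS))
```

The rendered text can be written to a file and loaded with `nft -f`. The forward chain keeps a `policy accept` default so that other plant traffic is untouched and only the two PLC control ports are constrained; a segmented network with a default-deny forward policy is stronger, but it needs an allowlist for every other flow into the PLC VLAN and should be introduced during a maintenance window. Running `audit()` over a flow export first shows which existing sources would lose access, which is the check to do before switching the rules on.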
API: /api/v1/advisories/56ed9326-69e2-4d75-9103-ecc97535280e