Denial of Service Vulnerability in SIMATIC S7-200 SMART Devices
Monitor | CVSS 7.5 | SSA-969738 | Sep 10, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in SIMATIC S7-200 SMART CPUs allows a remote attacker to cause a denial of service by sending a specially crafted TCP packet to the device. This causes the PLC to crash or become unresponsive. The vulnerability affects all versions of the following models: SR20, SR30, SR40, SR60, ST20, ST30, ST40, ST60, CR40, and CR60. Siemens has not released a firmware patch and states no fix is available for any of these products. Mitigation requires network-level access controls and segmentation to limit TCP connections to these devices.
What this means
What could happen
An attacker can send a malformed TCP packet to an S7-200 SMART CPU and crash the device, interrupting all automated processes controlled by that PLC until it is manually restarted.
Who's at risk
This affects all versions of Siemens SIMATIC S7-200 SMART CPUs (SR20, SR30, SR40, SR60, ST20, ST30, ST40, ST60, CR40, CR60). Any water authority or utility operating these compact programmable logic controllers for pump control, valve automation, pressure monitoring, or flow regulation should be concerned. The vulnerability is especially critical for facilities running continuous operations that depend on these PLCs staying online.
How it could be exploited
An attacker with network access to the device sends a specially crafted TCP packet. The S7-200 SMART CPU does not properly validate the packet, causing the device to crash or become unresponsive. No authentication is required.
Prerequisites
- Network access to the S7-200 SMART device on its TCP port (typically port 102, the ISO-on-TCP/RFC 1006 port used for S7 communication)
- No credentials or authentication required
Tags: remotely exploitable; no authentication required; low complexity; no patch available; affects industrial control (not safety-rated but critical to operations)
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (10)
All 10 EOL

Product                        Affected Versions   Fix Status
SIMATIC S7-200 SMART CPU SR20  All versions        No fix (EOL)
SIMATIC S7-200 SMART CPU SR30  All versions        No fix (EOL)
SIMATIC S7-200 SMART CPU SR40  All versions        No fix (EOL)
SIMATIC S7-200 SMART CPU SR60  All versions        No fix (EOL)
SIMATIC S7-200 SMART CPU ST20  All versions        No fix (EOL)
SIMATIC S7-200 SMART CPU ST30  All versions        No fix (EOL)
SIMATIC S7-200 SMART CPU ST40  All versions        No fix (EOL)
SIMATIC S7-200 SMART CPU ST60  All versions        No fix (EOL)
SIMATIC S7-200 SMART CPU CR40  All versions        No fix (EOL)
SIMATIC S7-200 SMART CPU CR60  All versions        No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation to restrict TCP/IP access to S7-200 SMART CPUs. Only permit connections from authorized engineering workstations and HMI systems.
WORKAROUND: Deploy a firewall or network access control (NAC) rule to block unexpected or unsolicited TCP connections to the affected PLCs.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIMATIC S7-200 SMART CPU SR20, SR30, SR40, SR60, ST20, ST30, ST40, ST60, CR40 and CR60. Apply the following compensating controls:
HARDENING: Monitor network traffic to and from S7-200 SMART devices for unusual or malformed TCP packets, and for connection attempts from hosts outside the authorized engineering workstation and HMI set.
HARDENING: Review and follow Siemens operational guidelines for Industrial Security to establish a secure baseline for your automation environment.
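The "Do now" items and the compensating controls above both come down to one allowlist: only known engineering workstations and HMIs may open TCP connections to the affected CPUs, and anything else should be blocked at the segmentation firewall and alerted on in monitoring. The following Python script is an added example, not code from Siemens or from this page. It applies that allowlist to Zeek conn.log-style records and renders the same allowlist as an nftables forward-chain policy. The PLC addresses, the authorized-client list, the reduced conn.log column subset and the log lines are all constructed for the example.

```python
"""Allowlist detection and firewall policy for S7-200 SMART CPUs.

Added example for this advisory page (not Siemens code). It reads Zeek
conn.log-style TSV records (constructed sample below, using a subset of the
real conn.log columns) and flags TCP connections to the PLCs that did not
come from an authorized engineering workstation or HMI, plus authorized
connections that got no reply, which is what an unresponsive PLC looks
like on the wire. All addresses and the allowlist are hypothetical.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable, List, Optional

S7_PORT = 102  # ISO-on-TCP (RFC 1006), the port S7 protocol traffic uses

# Hypothetical inventory: the affected CPUs and the only hosts allowed to reach them.
PLC_HOSTS = {ip_address("10.20.30.11"), ip_address("10.20.30.12")}
AUTHORIZED_CLIENTS = {ip_address("10.20.10.5"),   # engineering workstation
                      ip_address("10.20.10.6")}   # HMI


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    reason: str


def parse_conn_line(line: str) -> Optional[dict]:
    """Parse one TSV record with columns:
    ts uid orig_h orig_p resp_h resp_p proto conn_state
    (a subset of Zeek's conn.log columns). Header/comment lines return None."""
    if line.startswith("#") or not line.strip():
        return None
    f = line.rstrip("\n").split("\t")
    if len(f) < 8:
        return None
    return {
        "ts": f[0], "uid": f[1],
        "orig_h": ip_address(f[2]), "orig_p": int(f[3]),
        "resp_h": ip_address(f[4]), "resp_p": int(f[5]),
        "proto": f[6], "conn_state": f[7],
    }


def evaluate(rec: dict) -> Optional[Finding]:
    """Apply the allowlist to one connection record."""
    if rec["proto"] != "tcp" or rec["resp_h"] not in PLC_HOSTS:
        return None  # not TCP, or not aimed at an affected CPU
    src, dst, dport = str(rec["orig_h"]), str(rec["resp_h"]), rec["resp_p"]
    if rec["orig_h"] not in AUTHORIZED_CLIENTS:
        return Finding(src, dst, dport, "TCP connection to PLC from unauthorized source")
    if dport != S7_PORT:
        return Finding(src, dst, dport, f"authorized client used unexpected TCP port {dport}")
    if rec["conn_state"] in ("S0", "REJ"):
        # SYN with no answer (S0) or a reset (REJ) to an authorized client:
        # the PLC may already be down, the impact this advisory describes.
        return Finding(src, dst, dport, f"no reply from PLC (conn_state {rec['conn_state']})")
    return None


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run evaluate() over a log and return all findings in log order."""
    findings = []
    for line in lines:
        rec = parse_conn_line(line)
        if rec is not None:
            f = evaluate(rec)
            if f is not None:
                findings.append(f)
    return findings


def render_nft_rules() -> str:
    """Render the same allowlist as a default-deny nftables forward chain for a
    segmentation firewall in front of the PLC subnet (hypothetical rule set)."""
    plcs = ", ".join(sorted(str(h) for h in PLC_HOSTS))
    clients = ", ".join(sorted(str(h) for h in AUTHORIZED_CLIENTS))
    return "\n".join([
        "table inet plc_guard {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    ip saddr {{ {clients} }} ip daddr {{ {plcs} }} tcp dport {S7_PORT} ct state new accept",
        "  }",
        "}",
    ])


# Constructed sample log; column order matches parse_conn_line().
SAMPLE_CONN_LOG = """\
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tconn_state
1725955200.1\tC1\t10.20.10.5\t49152\t10.20.30.11\t102\ttcp\tSF
1725955201.2\tC2\t10.20.99.7\t40001\t10.20.30.11\t102\ttcp\tSF
1725955202.3\tC3\t10.20.10.6\t49153\t10.20.30.12\t80\ttcp\tSF
1725955203.4\tC4\t10.20.10.5\t49154\t10.20.30.11\t102\ttcp\tS0
1725955204.5\tC5\t10.20.10.5\t49155\t10.20.30.11\t102\tudp\tSF
""".splitlines()

if __name__ == "__main__":
    for f in scan(SAMPLE_CONN_LOG):
        print(f"{f.src} -> {f.dst}:{f.dport}: {f.reason}")
    print(render_nft_rules())
```

Against a real Zeek conn.log, map the file's columns onto the subset parse_conn_line() expects before calling scan(). The S0/REJ check does not see the malformed packet itself; it catches the outage that follows, which is the observable effect this advisory describes, and it fires only for hosts that are supposed to be talking to the PLC. The nftables output is default-deny, so if a PLC initiates its own connections (to an HMI or historian, for example) that traffic needs an explicit accept rule of its own.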
CVEs (1)