Siemens Security Advisory by Siemens ProductCERT

SSA-310688: Denial-of-Service Vulnerability in SIMATIC S7-1500 CPU

Publication Date:    2014-08-14
Last Update:         2014-08-14
Current Version:     V1.0
CVSS Overall Score:  5.6

Summary: The latest firmware update for the SIMATIC S7-1500 CPU family fixes a vulnerability which could allow an attacker to perform a Denial-of-Service attack under certain conditions. The attacker must have network access to the device to exploit this vulnerability.

AFFECTED PRODUCTS

SIMATIC S7-1500 CPU family: All versions < V1.6

DESCRIPTION

Products in the Siemens SIMATIC S7-1500 PLC family have been designed for discrete and continuous control in industrial environments such as manufacturing, food and beverages, and chemical industries worldwide.

One vulnerability has been fixed in firmware version V1.6. Detailed information about the vulnerability is provided below.

VULNERABILITY CLASSIFICATION

The vulnerability classification has been performed using the CVSSv2 scoring system (http://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

Vulnerability Description (CVE-2014-5074)

Specially crafted TCP packets could cause a Denial-of-Service of the device if sent in a specific order. The CPU will automatically restart and remain in STOP mode. The CPU needs to be manually put into RUN mode again.

CVSS Base Score    CVSS Temporal Score    CVSS Overall Score
7.1                5.6                    5.6
(AV:N/AC:M/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C)

Mitigating factors:
The attacker must have network access to the affected device. Siemens recommends operating the devices only within trusted networks [2].

SOLUTION

Siemens has released SIMATIC S7-1500 firmware version V1.6 [1] which fixes the vulnerability.

As a general security measure Siemens strongly recommends protecting network access to S7-1500 CPUs with appropriate mechanisms. It is advised to follow recommended security practices [4] and to configure the environment according to operational guidelines [2] in order to run the devices in a protected IT environment.

ACKNOWLEDGEMENT

Siemens thanks the following for their support and efforts:
Arnaud Ebalard from Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) for coordinated disclosure

ADDITIONAL RESOURCES

[1] The firmware update for S7-1500 V1.6 can be obtained here:
    http://support.automation.siemens.com/WW/view/en/98164677
[2] An overview of the operational guidelines for Industrial Security (with the cell protection concept):
    http://www.industry.siemens.com/topics/global/en/industrialsecurity/Documents/operational_guidelines_industrial_security_en.pdf
[3] Information about Industrial Security by Siemens:
    http://www.siemens.com/industrialsecurity
[4] Recommended security practices by ICS-CERT:
    http://ics-cert.us-cert.gov/content/recommended-practices
[5] For further inquiries on vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT:
    http://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2014-08-14): Publication Date

DISCLAIMER

See: http://www.siemens.com/terms_of_use

SSA-310688 © Siemens AG 2014