Siemens Security Advisory by Siemens ProductCERT
SSA-724606: Denial-of-Service Vulnerabilities in SIMATIC S7-1200 PLCs
Publication Date: 2012-12-20
Last Update: 2014-03-20
Current Version: V1.2
CVSS Overall Score: 6.1
Summary:
Siemens SIMATIC S7-1200 PLCs, version 2 and higher, allow device management over TCP
port 102 (ISO-TSAP) and retrieving status information over UDP port 161 (SNMP). It is
possible to cause the device to go into defect mode by sending specially crafted packets to
these ports.
Siemens addresses these issues with the newest product release.
AFFECTED PRODUCTS
SIMATIC S7-1200 CPU family: all versions < V4.0.0
DESCRIPTION
Products in the Siemens SIMATIC S7-1200 PLC family have been designed for discrete and
continuous control in industrial environments such as manufacturing, food and beverages,
and chemical industries worldwide.
When specially crafted packets are received on the devices’ Ethernet network interfaces, the
device may go into the stop/defect state. The device needs to be manually reset to continue
with normal operation. Attackers could use these vulnerabilities to perform a Denial-of-Service
attack.
Detailed information about the vulnerabilities is provided below.
VULNERABILITY CLASSIFICATION
The vulnerability classification has been performed by using the CVSSv2 scoring system
(http://www.first.org/cvss/). The CVSS environmental score is specific to the customer's
environment and will impact the overall CVSS score. The environmental score should
therefore be individually defined by the customer to accomplish final scoring.
Vulnerability 1 (CVE-2013-2780)
Specially crafted packets sent on port 161/udp (SNMP) cause the device to go into
defect mode.
CVSS Base Score: 7.8
CVSS Temporal Score: 6.1
CVSS Overall Score: 6.1 (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C)
Vulnerability 2 (CVE-2013-0700)
Specially crafted packets sent on port 102/tcp (ISO-TSAP) cause the device to go into
defect mode. Further research has identified multiple instances of this vulnerability.
CVSS Base Score: 7.8
CVSS Temporal Score: 6.1
CVSS Overall Score: 6.1 (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C)
Mitigating factors:
The attacker must have network access to the affected devices.
Limiting access to ports 161/udp and 102/tcp reduces the risk of successful
exploitation.
Siemens recommends operating the devices only within trusted networks [2].
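One way to verify that the port restriction recommended above is actually in effect, as an added example that is not part of the advisory: a small Python script that scans flow records for connections to 102/tcp (ISO-TSAP) or 161/udp (SNMP) on PLC addresses from hosts outside the engineering cell. The flow log format and all 10.x/172.x/192.x addresses are constructed assumptions.

```python
"""Flag traffic to S7-1200 management ports (102/tcp ISO-TSAP, 161/udp SNMP)
from hosts outside the trusted engineering cell.
Sample flow records and all addresses below are constructed for this example."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Ports named in the advisory: ISO-TSAP (S7 management) and SNMP.
MONITORED_PORTS = {("tcp", 102), ("udp", 161)}

# Constructed cell layout (assumption): PLCs live in 10.10.5.0/24; only the
# engineering station subnet 10.10.1.0/24 may reach them on these ports.
PLC_NETWORK = ipaddress.ip_network("10.10.5.0/24")
ALLOWED_SOURCES = [ipaddress.ip_network("10.10.1.0/24")]


def parse_flow(line):
    """Parse one constructed flow log line of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst),
                proto.lower(), int(dport))


def is_allowed_source(addr):
    """True if addr (string or ip_address) belongs to an allowed subnet."""
    return any(ipaddress.ip_address(str(addr)) in net for net in ALLOWED_SOURCES)


def find_violations(lines):
    """Return flows that reach a PLC management port from an untrusted source."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue  # skip blank and comment lines
        f = parse_flow(line)
        if (f.dst in PLC_NETWORK and (f.proto, f.dport) in MONITORED_PORTS
                and not is_allowed_source(f.src)):
            alerts.append(f)
    return alerts


# Constructed sample flows: two from the engineering station, three from elsewhere.
SAMPLE_LOG = """\
# constructed: src dst proto dport
10.10.1.20 10.10.5.7 tcp 102
192.168.88.14 10.10.5.7 tcp 102
10.10.1.20 10.10.5.7 udp 161
172.16.3.9 10.10.5.8 udp 161
172.16.3.9 10.10.5.8 tcp 443
""".splitlines()

if __name__ == "__main__":
    for a in find_violations(SAMPLE_LOG):
        print(f"ALERT {a.src} -> {a.dst} {a.proto}/{a.dport} from outside the trusted cell")
```

Only the two flows that hit 102/tcp or 161/udp from outside 10.10.1.0/24 are reported; the 443/tcp flow is ignored because it is not one of the advisory's ports.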
SOLUTION
Siemens provides the SIMATIC S7-1200 CPU product release V4.0.0 [1] which fixes these
vulnerabilities.
The affected software components are implemented under the assumption of running in a
protected network environment. Siemens strongly recommends protecting systems according
to the recommended security practices in [4] and configuring the environment according to
the operational guidelines [2].
ACKNOWLEDGEMENT
Siemens thanks the following researchers for informing us about the vulnerabilities in a
coordinated manner:
Vulnerability 1: Prof. Dr. Hartmut Pohl, softScheck GmbH
Vulnerability 2: Arne Vidström, Swedish Defence Research Agency (FOI)
ADDITIONAL RESOURCES
[1] Siemens product release V4.0 firmware requires the use of S7-1200 V4.0 CPU
hardware. Further details on the S7-1200 V4.0 release can be found here:
http://support.automation.siemens.com/WW/view/en/86567043
[2] An overview of the operational guidelines for Industrial Security (with the cell protection
concept):
http://www.industry.siemens.com/topics/global/en/industrialsecurity/Documents/operational_guidelines_industrial_security_en.pdf
[3] Information about Industrial Security by Siemens:
http://www.siemens.com/industrialsecurity
[4] Recommended security practices by US-CERT:
http://ics-cert.us-cert.gov/content/recommended-practices
[5] For further inquiries on vulnerabilities in Siemens products and solutions, please
contact the Siemens ProductCERT:
http://www.siemens.com/cert/advisories
HISTORY DATA
V1.0 (2012-12-20): Publication Date
V1.1 (2013-02-13): Closer analyses by Arne Vidström showed different ways to exploit vulnerability #2.
V1.2 (2014-03-20): Added information about PLC version V4.
DISCLAIMER
See: http://www.siemens.com/terms_of_use
SSA-724606
© Siemens AG 2014
Page 2 of 2