Siemens Security Advisory by Siemens ProductCERT

SSA-724606: Denial-of-Service Vulnerabilities in SIMATIC S7-1200 PLCs

Publication Date:    2012-12-20
Last Update:         2014-03-20
Current Version:     V1.2
CVSS Overall Score:  6.1

SUMMARY

Siemens SIMATIC S7-1200 PLCs, version 2 and higher, allow device management over TCP port 102 (ISO-TSAP) and retrieval of status information over UDP port 161 (SNMP). Specially crafted packets sent to these ports can cause the device to go into defect mode. Siemens addresses these issues with the newest product release.

AFFECTED PRODUCTS

SIMATIC S7-1200 CPU family: all versions < V4.0.0

DESCRIPTION

Products in the Siemens SIMATIC S7-1200 PLC family have been designed for discrete and continuous control in industrial environments such as manufacturing, food and beverages, and chemical industries worldwide.

When specially crafted packets are received on the devices' Ethernet network interfaces, the device may go into the stop/defect state. The device needs to be manually reset to continue with normal operation. Attackers could use these vulnerabilities to perform a Denial-of-Service attack.

Detailed information about the vulnerabilities is provided below.

VULNERABILITY CLASSIFICATION

The vulnerability classification has been performed using the CVSSv2 scoring system (http://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

Vulnerability 1 (CVE-2013-2780)

Specially crafted packets sent on port 161/udp (SNMP) cause the device to go into defect mode.

CVSS Base Score:      7.8
CVSS Temporal Score:  6.1
CVSS Overall Score:   6.1
CVSS Vector:          (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C)

Vulnerability 2 (CVE-2013-0700)

Specially crafted packets sent on port 102/tcp (ISO-TSAP) cause the device to go into defect mode. Further research has identified multiple instances of this vulnerability.

CVSS Base Score:      7.8
CVSS Temporal Score:  6.1
CVSS Overall Score:   6.1
CVSS Vector:          (AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C)

Mitigating factors:

The attacker must have network access to the affected devices. Limiting access to port 161/udp and port 102/tcp reduces the risk of successful exploitation. Siemens recommends operating the devices only within trusted networks [2].

SOLUTION

Siemens provides the SIMATIC S7-1200 CPU product release V4.0.0 [1], which fixes these vulnerabilities.

The affected software components are implemented under the assumption of running in a protected network environment. Siemens strongly recommends protecting systems according to the recommended security practices in [4] and configuring the environment according to the operational guidelines [2].

ACKNOWLEDGEMENT

Siemens thanks the following researchers for informing us about the vulnerabilities in a coordinated manner:

Vulnerability 1: Prof. Dr. Hartmut Pohl, softScheck GmbH
Vulnerability 2: Arne Vidström, Swedish Defence Research Agency (FOI)

ADDITIONAL RESOURCES

[1] Siemens product release V4.0 firmware requires the use of S7-1200 V4.0 CPU hardware. Further details on the S7-1200 V4.0 release can be found here: http://support.automation.siemens.com/WW/view/en/86567043
[2] An overview of the operational guidelines for Industrial Security (with the cell protection concept): http://www.industry.siemens.com/topics/global/en/industrialsecurity/Documents/operational_guidelines_industrial_security_en.pdf
[3] Information about Industrial Security by Siemens: http://www.siemens.com/industrialsecurity
[4] Recommended security practices by US-CERT: http://ics-cert.us-cert.gov/content/recommended-practices
[5] For further inquiries on vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: http://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2012-12-20): Publication Date
V1.1 (2013-02-13): Closer analyses by Arne Vidström showed different ways to exploit vulnerability #2.
V1.2 (2014-03-20): Added information about PLC version V4.

DISCLAIMER

See: http://www.siemens.com/terms_of_use

SSA-724606 © Siemens AG 2014
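The VULNERABILITY CLASSIFICATION section gives a CVSSv2 vector and asks the customer to supply the environmental metrics that produce the final score. The following Python script is an added example, not part of the Siemens advisory: it implements the CVSSv2 base, temporal and environmental equations from the public CVSS v2 specification, reproduces the advisory's 7.8 base and 6.1 temporal scores from the published vector, and then applies a hypothetical environmental vector (the CDP:MH/TD:H/AR:H values below are an assumption chosen to illustrate a plant where PLC availability is critical, not values stated by Siemens).

```python
"""CVSSv2 scoring worked through for the SSA-724606 vectors (added example)."""
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification.
BASE = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}
TEMPORAL = {
    "E": {"U": 0.85, "POC": 0.9, "F": 0.95, "H": 1.0, "ND": 1.0},
    "RL": {"OF": 0.87, "TF": 0.90, "W": 0.95, "U": 1.0, "ND": 1.0},
    "RC": {"UC": 0.90, "UR": 0.95, "C": 1.0, "ND": 1.0},
}
ENVIRONMENTAL = {
    "CDP": {"N": 0.0, "L": 0.1, "LM": 0.3, "MH": 0.4, "H": 0.5, "ND": 0.0},
    "TD": {"N": 0.0, "L": 0.25, "M": 0.75, "H": 1.0, "ND": 1.0},
    "CR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "IR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
    "AR": {"L": 0.5, "M": 1.0, "H": 1.51, "ND": 1.0},
}

# Vector published in the advisory for both CVE-2013-2780 and CVE-2013-0700.
ADVISORY_VECTOR = "(AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C)"
# Hypothetical customer environment (assumption, not from the advisory):
# high collateral damage potential, all targets affected, availability critical.
EXAMPLE_ENV_VECTOR = "CDP:MH/TD:H/CR:ND/IR:ND/AR:H"


def parse_vector(vector):
    """Turn 'AV:N/AC:L/...' (with or without parentheses) into a dict."""
    return dict(part.split(":", 1) for part in vector.strip("()").split("/"))


def round1(x):
    # CVSS v2 rounds half up to one decimal; Python's round() rounds half to even.
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def impact(m, cr=1.0, ir=1.0, ar=1.0):
    """Impact sub-score; with requirement weights != 1.0 this is AdjustedImpact."""
    c, i, a = BASE["C"][m["C"]], BASE["I"][m["I"]], BASE["A"][m["A"]]
    raw = 10.41 * (1 - (1 - c * cr) * (1 - i * ir) * (1 - a * ar))
    # The specification caps AdjustedImpact at 10.
    return min(10.0, raw) if (cr, ir, ar) != (1.0, 1.0, 1.0) else raw


def exploitability(m):
    return 20 * BASE["AV"][m["AV"]] * BASE["AC"][m["AC"]] * BASE["Au"][m["Au"]]


def base_score(vector, **req):
    m = parse_vector(vector)
    imp = impact(m, **req)
    f_impact = 0.0 if imp == 0 else 1.176
    return round1(((0.6 * imp) + (0.4 * exploitability(m)) - 1.5) * f_impact)


def temporal_score(vector, **req):
    """Temporal score; E/RL/RC default to 'Not Defined' when absent from the vector."""
    m = parse_vector(vector)
    factor = (TEMPORAL["E"][m.get("E", "ND")]
              * TEMPORAL["RL"][m.get("RL", "ND")]
              * TEMPORAL["RC"][m.get("RC", "ND")])
    return round1(base_score(vector, **req) * factor)


def environmental_score(vector, env_vector):
    """Environmental score: temporal score recomputed with AdjustedImpact, then CDP/TD."""
    env = parse_vector(env_vector)
    req = dict(cr=ENVIRONMENTAL["CR"][env.get("CR", "ND")],
               ir=ENVIRONMENTAL["IR"][env.get("IR", "ND")],
               ar=ENVIRONMENTAL["AR"][env.get("AR", "ND")])
    adjusted_temporal = temporal_score(vector, **req)
    cdp = ENVIRONMENTAL["CDP"][env.get("CDP", "ND")]
    td = ENVIRONMENTAL["TD"][env.get("TD", "ND")]
    return round1((adjusted_temporal + (10 - adjusted_temporal) * cdp) * td)


if __name__ == "__main__":
    print("base     :", base_score(ADVISORY_VECTOR))              # 7.8, as in the advisory
    print("temporal :", temporal_score(ADVISORY_VECTOR))          # 6.1, as in the advisory
    print("environ. :", environmental_score(ADVISORY_VECTOR, EXAMPLE_ENV_VECTOR))  # 8.7 (hypothetical env.)
```

The temporal score is the advisory's "Overall Score" because no environmental metrics were defined; plugging in site-specific CDP/TD/AR values shows how the same vector moves up for an installation where a PLC stop halts production, which is the scoring step the advisory leaves to the operator.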