Siemens has reported to ICS-CERT that denial-of-service (DoS) vulnerabilities exist in the SIMATIC S7-400 V6 and SIMATIC S7-400 V5 PN CPU products. Siemens has produced a firmware update that mitigates the vulnerability affecting the S7-400 V6.
Siemens will not fix the vulnerability that affects the S7-400 V5 because that product version has reached end-of-life and has been discontinued. Both vulnerabilities could be exploited remotely.
Siemens reports that one of the vulnerabilities affects the following products within the S7-400 CPU family with firmware Versions 6.0.1 and 6.0.2:
• CPU 412-2 PN (6ES7412-2EK06-0AB0)
• CPU 414-3 PN/DP (6ES7414-3EM06-0AB0)
• CPU 414F-3 PN/DP (6ES7414-3FM06-0AB0)
• CPU 416-3 PN/DP (6ES7416-3ES06-0AB0)
• CPU 416F-3 PN (6ES7416-3FS06-0AB0)
Another vulnerability affects the following products within the S7-400 CPU family with firmware Version 5:
• CPU 414-3 PN/DP (6ES7414-3EM05-0AB0)
• CPU 416-3 PN/DP (6ES7416-3ER05-0AB0)
• CPU 416F-3 PN/DP (6ES7416-3FR05-0AB0)
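The two lists above map directly onto an inventory check. The following Python script is an added example (not ICS-CERT or Siemens code): it encodes the order numbers, firmware ranges and CVE assignments stated in this advisory and classifies each CPU in a constructed sample inventory. One assumption the page does not state is that any V6 firmware at or above 6.0.3 retains the fix; the sample inventory, the placeholder order number for an unlisted device, the helper names and the `action` strings are illustrative.

```python
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]

# Affected products as listed in the advisory: order number -> (product, CVE, first fixed firmware).
# A fixed firmware of None means Siemens will not ship a fix (the V5 CPUs are end-of-life).
ADVISORY: Dict[str, Tuple[str, str, Optional[Version]]] = {
    # S7-400 V6 PN CPUs (CVE-2012-3016): affected on 6.0.1 and 6.0.2, fixed in V6.0.3
    "6ES7412-2EK06-0AB0": ("CPU 412-2 PN", "CVE-2012-3016", (6, 0, 3)),
    "6ES7414-3EM06-0AB0": ("CPU 414-3 PN/DP", "CVE-2012-3016", (6, 0, 3)),
    "6ES7414-3FM06-0AB0": ("CPU 414F-3 PN/DP", "CVE-2012-3016", (6, 0, 3)),
    "6ES7416-3ES06-0AB0": ("CPU 416-3 PN/DP", "CVE-2012-3016", (6, 0, 3)),
    "6ES7416-3FS06-0AB0": ("CPU 416F-3 PN", "CVE-2012-3016", (6, 0, 3)),
    # S7-400 V5 PN CPUs (CVE-2012-3017): firmware version 5 affected, no update will ship
    "6ES7414-3EM05-0AB0": ("CPU 414-3 PN/DP", "CVE-2012-3017", None),
    "6ES7416-3ER05-0AB0": ("CPU 416-3 PN/DP", "CVE-2012-3017", None),
    "6ES7416-3FR05-0AB0": ("CPU 416F-3 PN/DP", "CVE-2012-3017", None),
}

# The two V6 firmware versions the advisory names as affected.
V6_AFFECTED = {(6, 0, 1), (6, 0, 2)}


def parse_version(text: str) -> Version:
    """Turn 'V6.0.2' or '6.0.2' into (6, 0, 2); reject anything else."""
    body = text.strip().upper().lstrip("V")
    parts = body.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in parts)


def assess(order_number: str, firmware: str) -> dict:
    """Classify one CPU against the advisory.

    status is one of: not_listed, vulnerable_fix_available, vulnerable_no_fix,
    fixed, not_in_advisory_range (listed hardware on a firmware the advisory
    does not describe).
    """
    key = order_number.strip().upper()
    result = {"order_number": key, "firmware": firmware, "product": None,
              "cve": None, "status": "not_listed", "action": "none from this advisory"}
    entry = ADVISORY.get(key)
    if entry is None:
        return result
    product, cve, fixed_in = entry
    result.update(product=product, cve=cve)
    ver = parse_version(firmware)

    if fixed_in is None:
        # V5 family: every firmware version 5 release is affected and stays so.
        if ver[0] == 5:
            result.update(status="vulnerable_no_fix",
                          action="EOL: restrict Ethernet reachability to the CPU and plan replacement")
        else:
            result.update(status="not_in_advisory_range",
                          action="firmware not covered by the advisory; confirm with vendor")
        return result

    if ver in V6_AFFECTED:
        fixed = "V" + ".".join(str(n) for n in fixed_in)
        result.update(status="vulnerable_fix_available", action=f"update firmware to {fixed}")
    elif ver >= fixed_in:
        # Assumption (not stated on the page): releases after 6.0.3 keep the fix.
        result.update(status="fixed", action="none")
    else:
        result.update(status="not_in_advisory_range",
                      action="firmware not covered by the advisory; confirm with vendor")
    return result


# Constructed sample inventory: (asset tag, order number, firmware) as an asset register might hold it.
# "6ES7999-9ZZ99-9ZZ9" is a made-up order number standing in for a device the advisory does not list.
SAMPLE_INVENTORY = [
    ("PLC-LINE1", "6ES7416-3ES06-0AB0", "V6.0.2"),
    ("PLC-LINE2", "6ES7416-3ES06-0AB0", "V6.0.3"),
    ("PLC-BOILER", "6ES7416-3ER05-0AB0", "V5.2.0"),
    ("PLC-PACK", "6ES7412-2EK06-0AB0", "V6.0.0"),
    ("PLC-OTHER", "6ES7999-9ZZ99-9ZZ9", "V3.2.6"),
]


def triage(inventory) -> List[dict]:
    """Assess every asset and list the ones needing action first."""
    order = {"vulnerable_no_fix": 0, "vulnerable_fix_available": 1,
             "not_in_advisory_range": 2, "fixed": 3, "not_listed": 4}
    rows = []
    for tag, mlfb, fw in inventory:
        row = assess(mlfb, fw)
        row["asset"] = tag
        rows.append(row)
    return sorted(rows, key=lambda r: order[r["status"]])


if __name__ == "__main__":
    for r in triage(SAMPLE_INVENTORY):
        print(f"{r['asset']:<10} {r['order_number']} fw={r['firmware']:<7} "
              f"{r['status']:<24} {r['cve'] or '-':<14} {r['action']}")
```

Matching is on the full order number rather than on a loose "S7-400" pattern because the V5 and V6 hardware differ only in the two digits before the final block, and a V6 unit on 6.0.3 and a V6 unit on 6.0.1 need opposite answers; a real inventory feed would replace `SAMPLE_INVENTORY`.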
When a SIMATIC S7-400 receives specially crafted packets on its Ethernet interface, the CPU can enter defect mode. A PLC in defect mode stops controlling the process and must be manually reset to return to normal operation.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
Products in the Siemens SIMATIC S7-400 CPU family have been designed for process control in industrial environments such as manufacturing, power generation and distribution, food and beverages, and chemical industries worldwide.
DENIAL OF SERVICE: When the Ethernet port on a SIMATIC S7-400 V6 receives a malformed IP packet, the device could go into the defect mode. The SIMATIC S7-400 V6 CPU defect mode locks out the unit so that it is not available for process control. An attacker could use this vulnerability to perform a DoS attack. CVE-2012-3016 has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).
DENIAL OF SERVICE: When the Ethernet port on a SIMATIC S7-400 V5 receives a malformed IP or HTTP packet, the device could go into the defect mode. The SIMATIC S7-400 V5 CPU defect mode locks out the unit so that it is not available for process control. An attacker could use this vulnerability to perform a DoS attack. CVE-2012-3017 has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).
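Both entries quote the same CVSS v2 vector and score. The following Python snippet is an added example, not part of the advisory: it implements the CVSS v2.0 base-score equation with the standard metric weights, recomputes the 7.8 from (AV:N/AC:L/Au:N/C:N/I:N/A:C), and shows how the score would move if the availability impact were only partial (A:P) or the attack required local access (AV:L). The weights and equation are the published CVSS v2 definitions; the function names and the comparison vectors are mine.

```python
import re
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2.0 base-metric weights from the CVSS v2 specification.
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},      # access vector
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},        # access complexity
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},       # authentication
    "C":  {"N": 0.0, "P": 0.275, "C": 0.660},       # confidentiality impact
    "I":  {"N": 0.0, "P": 0.275, "C": 0.660},       # integrity impact
    "A":  {"N": 0.0, "P": 0.275, "C": 0.660},       # availability impact
}

# Accept the vector with or without the surrounding parentheses used in the advisory.
VECTOR_RE = re.compile(
    r"^\(?AV:([LAN])/AC:([HML])/Au:([MSN])/C:([NPC])/I:([NPC])/A:([NPC])\)?$"
)


def parse_vector(vector: str) -> dict:
    """Split a CVSS v2 base vector into its six metric values."""
    m = VECTOR_RE.match(vector.strip())
    if not m:
        raise ValueError(f"not a CVSS v2 base vector: {vector!r}")
    return dict(zip(["AV", "AC", "Au", "C", "I", "A"], m.groups()))


def round1(x: float) -> float:
    """CVSS v2 'round_to_1_decimal' (half-up, unlike Python's banker's rounding)."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def impact(m: dict) -> float:
    """Impact = 10.41 * (1 - (1-C)*(1-I)*(1-A))."""
    c, i, a = (WEIGHTS[k][m[k]] for k in ("C", "I", "A"))
    return 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))


def exploitability(m: dict) -> float:
    """Exploitability = 20 * AV * AC * Au."""
    return 20 * WEIGHTS["AV"][m["AV"]] * WEIGHTS["AC"][m["AC"]] * WEIGHTS["Au"][m["Au"]]


def base_score(vector: str) -> float:
    """BaseScore = round1(((0.6*Impact) + (0.4*Exploitability) - 1.5) * f(Impact))."""
    m = parse_vector(vector)
    imp, expl = impact(m), exploitability(m)
    f_impact = 0.0 if imp == 0 else 1.176
    return round1(((0.6 * imp) + (0.4 * expl) - 1.5) * f_impact)


if __name__ == "__main__":
    advisory_vector = "(AV:N/AC:L/Au:N/C:N/I:N/A:C)"   # as quoted for CVE-2012-3016 / CVE-2012-3017
    for v in (advisory_vector,
              "AV:N/AC:L/Au:N/C:N/I:N/A:P",    # partial availability loss instead of complete
              "AV:L/AC:L/Au:N/C:N/I:N/A:C"):   # same outcome, but only from local access
        print(f"{v:<32} base score {base_score(v)}")
```

The 7.8 comes almost entirely from the exploitability side (network-reachable, no authentication, low complexity) combined with a complete availability loss, which is the right reading of a PLC that needs a manual reset; had the CPU only degraded rather than dropped into defect mode, A:P would pull the score to 5.0.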
EXPLOITABILITY: These vulnerabilities could be exploited remotely.
EXISTENCE OF EXPLOIT: No known public exploits specifically target these vulnerabilities.
DIFFICULTY: An attacker with low skill could exploit these vulnerabilities.
Siemens has released security advisories that detail the vulnerabilities in the two versions of the SIMATIC S7-400 CPU and the recommended security practices to secure the systems.
Siemens provided firmware update V6.0.3 that closes the vulnerability affecting the S7-400 V6 by fixing the flawed packet processing implementation.
Siemens is not providing a firmware update for SIMATIC S7-400 V5 PN CPUs because this version has reached end-of-life and has been discontinued.
The full ICS-CERT advisory can be found here: