ICS-CERT: SIMATIC S7-400 Denial of Service Vulnerabilities

Tuesday, August 07, 2012

Infosec Island Admin

7fef78c47060974e0b8392e305f0daf0

Siemens has reported to ICS-CERT that denial-of-service (DoS) vulnerabilities exist in the SIMATIC S7-400 V6 and SIMATIC S7-400 V5 PN CPU products. Siemens has produced a firmware update that mitigates the vulnerability affecting the S7-400 V6.

Siemens will not fix the vulnerability that affects the S7-400 V5 because that product version has reached end-of-life and has been discontinued. Both vulnerabilities could be exploited remotely.

Siemens reports that one of the vulnerabilities affects the following products within the S7-400 CPU family with firmware Versions 6.0.1 and 6.0.2:

• CPU 412-2 PN (6ES7412-2EK06-0AB0)
• CPU 414-3 PN/DP (6ES7414-3EM06-0AB0)
• CPU 414F-3 PN/DP (6ES7414-3FM06-0AB0)
• CPU 416-3 PN/DP (6ES7416-3ES06-0AB0)
• CPU 416F-3 PN (6ES7416-3FS06-0AB0)

Another vulnerability affects the following products within the S7-400 CPU family with firmware Version 5:

• CPU 414-3 PN/DP (6ES7414-3EM05-0AB0)
• CPU 416-3 PN/DP (6ES7416-3ER05-0AB0)
• CPU 416F-3 PN/DP (6ES7416-3FR05-0AB0)

IMPACT

When specially crafted packets are received on Ethernet interfaces by the SIMATIC S7-400, the device can default into defect mode. A PLC in defect mode needs to be manually reset to return to normal operation.

Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.

BACKGROUND

Products in the Siemens SIMATIC S7-400 CPU family have been designed for process control in industrial environments such as manufacturing, power generation and distribution, food and beverages, and chemical industries worldwide.

VULNERABILITY OVERVIEW

DENIAL OF SERVICE:  When the Ethernet port on a SIMATIC S7-400 V6 receives a malformed IP packet, the device could go into the defect mode. The SIMATIC S7-400 V6 CPU defect mode locks out the unit so that it is not available for process control. An attacker could use this vulnerability to perform a DoS attack. CVE-2012-3016 has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).

DENIAL OF SERVICE:  When the Ethernet port on a SIMATIC S7-400 V5 receives a malformed IP or HTTP packet, the device could go into the defect mode. The SIMATIC S7-400 V5 CPU defect mode locks out the unit so that it is not available for process controls. Attackers may use this vulnerability to perform a denial-of-service attack. CVE-2012-3017 has been assigned to this vulnerability. A CVSS v2 base score of 7.8 has been assigned; the CVSS vector string is (AV:N/AC:L/Au:N/C:N/I:N/A:C).

EXPLOITABILITY:  These vulnerabilities could be exploited remotely.

EXISTENCE OF EXPLOIT:  No known public exploits specifically target these vulnerabilities.

DIFFICULTY:  An attacker with a low skill could exploit these vulnerabilities.

MITIGATION

Siemens has released security advisories that detail the vulnerabilities in the two versions of the SIMATIC S7-400 CPU and the recommended security practices to secure the systems.

Siemens provided firmware update V6.0.3 that closes the vulnerability affecting the S7-400 V6 by fixing the flawed packet processing implementation.

Siemens is not providing a firmware update for SIMATIC S7-400 V5 PN CPUs because this version has reached end-of-life and has been discontinued.

The full ICS-CERT advisory can be found here:

Source:  http://www.us-cert.gov/control_systems/pdf/ICSA-12-212-02.pdf

Possibly Related Articles:
10778
SCADA
Information Security
Denial of Service SCADA Vulnerabilities Exploits Siemens ICS-CERT Industrial Control Systems SIMATIC S7-400
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.

Most Liked