Siemens released an update for one of its automation systems late last week, patching a denial of service vulnerability in all versions of its SIMATIC S7-1500 CPU prior to V1.6.
An advisory on the Industrial Control Systems Cyber Emergency Response Team’s (ICS-CERT) website warned about the vulnerability last Thursday.
The vulnerability was dug up by Arnaud Ebalard, a security researcher with National Security Agency Information Systems (ANSSI) and formerly of the European Aeronautic Defence and Space Company (EADS). In the last few years Ebalard has dug up multiple bugs relating to the way IPv6 handles routing, including vulnerabilities in Mac OSX and the Linux Kernel.
For the S7-1500 vulnerability however, if left unpatched, an attacker could send a specifically ordered series of specially crafted TCP packets to remotely exploit the vulnerability. This would trigger the CPU to automatically restart and remain in the ‘STOP’ mode. In ‘STOP’ mode the CPU wouldn’t be able to execute the PLC scan repeatedly, as its intended to do. At that point a user would have to manually put it into ‘RUN’ mode to recover operations.
S7-1500 V1.6 apparently fixes this problem and can be downloaded by end users at the company’s website.
Siemens has several versions of its SIMATIC product but according to the company’s security monitoring service, ProductCERT, the S7-1500 family is used primarily in the manufacturing, food and beverage, and chemical industries.
Meanwhile, the German company confirmed last week that its still in the process of patching leftover Heartbleed bugs in its OpenSSL cryptographic software library. Siemens patched the bugs in APE and WinCC OA in July and the bugs in S7-1500 last week.
Vulnerabilities in the remaining products, ROX 1, ROX 2, and CP1543-1, can still lead to man-in-the-middle (MitM) attacks, ICS-CERT warned, however.
Until those products are patched the company is encouraging end users to apply one of its mitigation recommendations, including disabling the product or using its VPN functionality to tunnel FTPS/SMTP.