Siemens Patches DoS Vulnerability in SIMATIC S7 PLC

Author: Chris Brook
minute read
openssl heartbleed scada

Siemens released an update for its SIMATIC S7-1500 CPU last week, patching a denial of service vulnerability in the programmable logic controller.

Siemens released an update for one of its automation systems late last week, patching a denial of service vulnerability in all versions of its SIMATIC S7-1500 CPU prior to V1.6.

An advisory on the Industrial Control Systems Cyber Emergency Response Team’s (ICS-CERT) website warned about the vulnerability last Thursday.

The vulnerability was dug up by Arnaud Ebalard, a security researcher with National Security Agency Information Systems (ANSSI) and formerly of the European Aeronautic Defence and Space Company (EADS). In the last few years Ebalard has dug up multiple bugs relating to the way IPv6 handles routing, including vulnerabilities in Mac OSX and the Linux Kernel.

For the S7-1500 vulnerability however, if left unpatched, an attacker could send a specifically ordered series of specially crafted TCP packets to remotely exploit the vulnerability. This would trigger the CPU to automatically restart and remain in the ‘STOP’ mode. In ‘STOP’ mode the CPU wouldn’t be able to execute the PLC scan repeatedly, as its intended to do. At that point a user would have to manually put it into ‘RUN’ mode to recover operations.

S7-1500 V1.6 apparently fixes this problem and can be downloaded by end users at the company’s website.

Siemens has several versions of its SIMATIC product but according to the company’s security monitoring service, ProductCERT, the S7-1500 family is used primarily in the manufacturing, food and beverage, and chemical industries.

Meanwhile, the German company confirmed last week that its still in the process of patching leftover Heartbleed bugs in its OpenSSL cryptographic software library. Siemens patched the bugs in APE and WinCC OA in July and the bugs in S7-1500 last week.

Vulnerabilities in the remaining products, ROX 1, ROX 2, and CP1543-1, can still lead to man-in-the-middle (MitM) attacks, ICS-CERT warned, however.

Until those products are patched the company is encouraging end users to apply one of its mitigation recommendations, including disabling the product or using its VPN functionality to tunnel FTPS/SMTP.

Suggested articles

Cybersecurity for your growing business
Cybersecurity for your growing business

Topics

Show all

Authors

Threatpost

InfoSec Insider

Infosec Insider Post

Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.

Sponsored

Sponsored Content

Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.