Industrial control systems manufacturer Siemens has released new versions of its SIMATIC S7-1200 CPU family, resolving six security vulnerabilities in that product, and of its SIMATIC S7-1200 PLC (programmable logic controller), resolving an additional two vulnerabilities there.
These patches are critical enough to have warranted alerts on the Industrial Control Systems Cyber Emergency Response Team’s website.
All six of the bugs in the SIMATIC S7-1200 CPU family are remotely exploitable and affect all product versions prior to V4.0. The vulnerabilities – on out of date systems – could potentially give an attacker the ability to perform denial-of-service attacks by deploying specially crafted HTTP(S), ISO-TSAP, or Profinet network packets. Beyond this, the integrated Web server in this product is also vulnerable to cross-site request forgery and privilege escalation attacks. Each of the attacks is exploitable over the network without authentication.
The SIMATIC S7-1200 PLC systems are vulnerable to a pair of improper input validation vulnerabilities that are also remotely exploitable. Again, a knowledgeable attacker could exploit these bugs to perform a DoS attack.
As is generally the case, the impact of all of the bugs listed is almost entirely dependent on the way each specific system is implemented.
Ralf Spenneberg of OpenSource Training, Lucian Cojocar of EURECOM, Sascha Zinke from FU Berlin’s work team SCADACS, and Positive Technologies’ researchers Alexey Osipov and Alex Timorin discovered the six holes in Siemens’ SIMATIC S7-1200 CPU family. You can read a more detailed description of those bugs here.
Professor Hartmut Pohl and the Swedish Defence Research Agency uncovered the flaws in Siemens’ SIMATIC S7-1200 PLC. You can read more about these vulnerabilities here.
SCADA software, ICS equipment, and critical infrastructure systems are perpetually vulnerable. Worse yet, as the maintainers of operating systems get better and better at security, making it more difficult to write successful exploits, attackers will turn to softer targets. So woeful is the state of critical infrastructure security that some experts are asking whether it is time to establish an ICS security specialist certification.