Full Report
Siemens has announced that some of its industrial solutions are vulnerable to DoS attacks. Vulnerable devices include industrial controllers, field devices and shop floor automation systems.
Analysis Summary
# Vulnerability: Siemens Industrial Solutions Denial-of-Service (DoS)
## CVE Details
- **CVE ID:** CVE-2017-12741
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-400 (Uncontrolled Resource Consumption)
## Affected Systems
- **Products:** SIMATIC S7-300, SIMATIC S7-400, SIMATIC WinAC RTX, SIMATIC S7-1200, SIMATIC S7-1500, SITOP PSU8600, and several SIMATIC communications processors.
- **Versions:**
  - SIMATIC S7-1200: Versions prior to v4.2.1
  - SIMATIC S7-1500: Versions prior to v2.1
  - SITOP PSU8600: Versions prior to v1.2
  - (Note: Various older firmware versions for legacy S7-300/400 modules are also affected.)
- **Configurations:** Systems with the integrated PROFINET or Ethernet interface enabled and exposed to the network.
## Vulnerability Description
The vulnerability exists due to improper validation of specially crafted PROFINET packets. An attacker could trigger a Denial-of-Service (DoS) condition by sending malicious packets to the device over the network via port 102/TCP (ISO-TSAP). This causes the device to enter a "Defective" state, requiring a manual hard restart or power cycle to restore functionality.
## Exploitation
- **Status:** PoC available (Publicly documented research)
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Total loss of control/process functionality until manual reset)
## Remediation
### Patches
Siemens has released several firmware updates to address this flaw:
- **SIMATIC S7-1200:** Update to v4.2.1 or later.
- **SIMATIC S7-1500:** Update to v2.1 or later.
- **SITOP PSU8600:** Update to v1.2 or later.
- Users of other affected SIMATIC CP and S7 modules should consult the Siemens ProductCERT portal for specific firmware update availability.
### Workarounds
- **Network Segmentation:** Isolate industrial networks from the office network and the internet.
- **Firewall Filtering:** Block incoming traffic to port 102/TCP from untrusted sources.
- **Defense-in-Depth:** Ensure that only authorized engineering workstations have communication paths to the PLC interfaces.
## Detection
- **Indicators of Compromise:** Unexpected device transitions to "STOP" or "DEFECTIVE" mode; loss of network communication to the PLC.
- **Detection Methods:** Monitor network traffic for unusual volumes of ISO-over-TCP (RFC 1006) traffic or malformed PROFINET packets targeting port 102. Use ICS-aware IDS/IPS signatures specifically looking for CVE-2017-12741 patterns.
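As an added example (not from the advisory or from Siemens), a small Python checker that implements the two signals the detection methods above describe for port 102/TCP: RFC 1006 (TPKT/COTP) frames that do not parse cleanly, and per-source frame volume. The sample frames, IP addresses and rate threshold are constructed for illustration.

```python
# Added example, not part of the advisory. Minimal RFC 1006 (ISO-over-TCP)
# sanity checker for a port 102/TCP monitor: flags TPKT/COTP frames that do not
# parse cleanly and counts frames per source to spot volume anomalies.
import struct
from collections import Counter

TPKT_VERSION = 3
TPKT_HDR_LEN = 4  # version (1), reserved (1), total length (2, big-endian)
COTP_KNOWN_PDUS = {0xE, 0xD, 0xF, 0x8}  # CR, CC, DT, DR


def check_tpkt(frame: bytes) -> str:
    """Return 'ok' or a short reason why the TPKT/COTP frame is malformed."""
    if len(frame) < TPKT_HDR_LEN:
        return "short-tpkt-header"
    version, _reserved, length = struct.unpack("!BBH", frame[:TPKT_HDR_LEN])
    if version != TPKT_VERSION:
        return "bad-tpkt-version"
    # Length must cover the TPKT header plus at least a 2-byte COTP header
    # and must match what was actually received.
    if length < TPKT_HDR_LEN + 2 or length != len(frame):
        return "bad-tpkt-length"
    li = frame[4]  # COTP length indicator, excludes itself
    if TPKT_HDR_LEN + 1 + li > len(frame):
        return "cotp-li-overrun"
    pdu_type = frame[5] >> 4 if li >= 1 else None
    if pdu_type not in COTP_KNOWN_PDUS:
        return "unknown-cotp-pdu"
    return "ok"


def scan(frames, rate_threshold):
    """frames: iterable of (src_ip, frame_bytes). Returns (alerts, per-source counts)."""
    alerts, counts = [], Counter()
    for src, frame in frames:
        counts[src] += 1
        reason = check_tpkt(frame)
        if reason != "ok":
            alerts.append((src, reason))
    for src, n in counts.items():
        if n > rate_threshold:
            alerts.append((src, f"high-rate:{n}"))
    return alerts, counts


# Constructed sample frames (hex): a valid COTP Connection Request, a valid
# Data Transfer frame, and two malformed variants of the DT frame.
GOOD_CR = bytes.fromhex("0300001611e00000000100c1020100c2020102c0010a")
GOOD_DT = bytes.fromhex("0300000702f080")
BAD_VERSION = bytes.fromhex("0200000702f080")
BAD_LENGTH = bytes.fromhex("0300002002f080")
SAMPLE_FRAMES = [("10.0.0.5", GOOD_CR), ("10.0.0.5", GOOD_DT),
                 ("10.0.0.9", BAD_VERSION), ("10.0.0.9", BAD_LENGTH)] + [("10.0.0.9", GOOD_DT)] * 3
```

In a real deployment the frames would come from a capture of TCP payloads to port 102, and the threshold would be tuned to the normal polling rate of the engineering and HMI stations on that segment.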
## References
- Siemens ProductCERT: hxxps[://]cert-portal[.]siemens[.]com/
- Kaspersky ICS CERT: hxxps[://]ics-cert[.]kaspersky[.]com/publications/
- NIST NVD: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2017-12741