Full Report
Affected SIMATIC firmware contains multiple vulnerabilities that could allow an unauthenticated attacker to perform a denial of service attack under certain conditions. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Multiple Denial of Service in Siemens SIMATIC Industrial Products
## CVE Details
- **CVE ID:** CVE-2021-44693, CVE-2021-44694, CVE-2021-44695
- **CVSS Score:** 7.5 (High) - *Primary Score for CVE-2021-44693*
- **CWE:**
  - CWE-1284: Improper Validation of Specified Quantity in Input
  - CWE-1287: Improper Validation of Specified Type of Input
  - CWE-1286: Improper Validation of Syntactic Correctness of Input
## Affected Systems
- **Products:**
  - SIMATIC S7-1200 CPU family (including SIPLUS variants)
  - SIMATIC S7-1500 CPU family (including F, C, PN, and SIPLUS variants)
  - SIMATIC Drive Controller (CPU 1504D TF, 1507D TF)
  - SIMATIC ET 200SP Open Controller CPU 1515SP PC2
  - SIMATIC S7-1500 Software Controller
  - TIM 1531 IRC (including SIPLUS variants)
- **Versions:**
  - S7-1200: All versions < V4.6.0
  - S7-1500 (Physical): All versions < V2.9.7 or < V3.0.3 (depending on hardware generation)
  - Drive Controller: All versions < V2.9.7
  - ET 200SP Open Controller: All versions < V21.9.7
  - TIM 1531 IRC: All versions < V2.3.6
- **Configurations:** Vulnerability is triggered via the communication interface handling port 102/tcp.
## Vulnerability Description
The affected firmware fails to correctly process specially crafted packets sent to **port 102/tcp**. Specifically:
- **CVE-2021-44693:** Fails to validate the quantity of input, leading to a DoS.
- **CVE-2021-44694:** Fails to validate the input type.
- **CVE-2021-44695:** Fails to validate the syntactic correctness of the input.
In all cases, an attacker sending these malformed packets can cause the device to enter a defect state, resulting in a Denial of Service.
## Exploitation
- **Status:** PoC available (indicated by CVSS "Exploit Code Maturity: Proof-of-Concept")
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** None
- **Integrity:** None / Low (CVE-2021-44694 lists Low Integrity)
- **Availability:** High (Device enters defect state requiring manual intervention/reboot)
## Remediation
### Patches
- **S7-1200:** Update to V4.6.0 or later.
- **S7-1500 (V2 firmware):** Update to V2.9.7 or later.
- **S7-1500 (V3 firmware):** Update to V3.0.3 or later.
- **Drive Controller:** Update to V2.9.7 or later.
- **ET 200SP Open Controller:** Update to V21.9.7 or later.
- **TIM 1531 IRC:** Update to V2.3.6 or later.
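A small inventory triage helper for the fixed versions listed above, added here as an example (not Siemens' tooling). The fixed-version table is taken from this summary; the inventory entries, the `parse_version`/`is_affected`/`triage` names, and the rule for versions whose major does not match a fixed branch (compare against the lowest fixed version) are our own assumptions.

```python
"""Triage an asset inventory against the SSA-382653 fixed firmware versions.
Added example; the fixed-version table mirrors the remediation list above."""
import re
from typing import Dict, Iterable, List, Tuple

# Fixed versions per product. S7-1500 has two branches (V2.x and V3.x).
FIXED_VERSIONS: Dict[str, List[Tuple[int, ...]]] = {
    "S7-1200": [(4, 6, 0)],
    "S7-1500": [(2, 9, 7), (3, 0, 3)],
    "Drive Controller": [(2, 9, 7)],
    "ET 200SP Open Controller": [(21, 9, 7)],
    "TIM 1531 IRC": [(2, 3, 6)],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V2.9.5', '2.9' or 'v21.9.7' into a comparable tuple (padded to 3 fields)."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def is_affected(product: str, version: str) -> bool:
    """True if the firmware is older than the fixed release for its branch.

    Assumption (ours, not the advisory's wording): a version whose major matches
    a fixed branch is compared against that branch; any other major is compared
    against the lowest fixed version, so S7-1500 V1.x counts as affected and
    V4.x does not.
    """
    fixed = FIXED_VERSIONS[product]
    v = parse_version(version)
    for f in fixed:
        if f[0] == v[0]:
            return v < f
    return v < min(fixed)


def triage(inventory: Iterable[Tuple[str, str, str]]) -> Dict[str, bool]:
    """Map 'asset (product version)' -> affected flag for a list of assets."""
    return {f"{name} ({product} {version})": is_affected(product, version)
            for name, product, version in inventory}


# Constructed inventory entries for demonstration only.
SAMPLE_INVENTORY = [
    ("plc-line1", "S7-1500", "V2.9.5"),
    ("plc-line2", "S7-1500", "V3.0.3"),
    ("plc-pack", "S7-1200", "V4.5.2"),
    ("tim-wan", "TIM 1531 IRC", "V2.3.6"),
]

if __name__ == "__main__":
    for asset, affected in triage(SAMPLE_INVENTORY).items():
        print(f"{asset}: {'UPDATE REQUIRED' if affected else 'ok'}")
```

Feed it whatever your asset database exports; anything flagged `True` is below the fixed release and should be scheduled for the update listed above.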
### Workarounds
- **Network Segmentation:** Minimize network exposure for all control system devices and ensure they are not accessible from the Internet.
- **Firewall Filtering:** Restrict access to port 102/tcp only to authorized engineering stations or HMI/SCADA systems.
- **Defense in Depth:** Deploy devices behind firewalls and isolate them from the office network.
## Detection
- **Indicators of Compromise:** Unexpected device reboots or CPUs entering "Defect" or "Stop" modes.
- **Detection methods and tools:** Monitor network traffic for anomalous or malformed Siemens S7comm/S7comm-plus packets targeting port 102/tcp. Use industrial-aware IDS/IPS signatures specifically looking for malformed ISO-on-TCP headers.
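To make the "malformed ISO-on-TCP headers" detection method concrete, here is an added example (not Siemens' code and not a signature for the three CVEs) that checks a captured port 102/tcp frame for internal consistency of its TPKT (RFC 1006) and COTP (ISO 8073) headers. The checks map onto the three CWE classes in this report: length fields that do not match the bytes present (quantity), TPDU codes the standard does not define (type), and per-TPDU header rules (syntax). The sample frames are constructed for the test and violate only generic RFC 1006/ISO 8073 rules; the function and constant names are ours.

```python
"""Header-level sanity checks for ISO-on-TCP frames (RFC 1006 TPKT + ISO 8073
COTP), the transport on port 102/tcp that carries S7comm and S7comm-plus.
Added example; sample frames below are constructed, not captured traffic."""
import struct
from typing import Dict, List

TPKT_VERSION = 3
TPKT_HEADER_LEN = 4
MIN_COTP_DT_LEN = 3                      # LI + PDU-type byte + TPDU-NR/EOT byte
COTP_CR, COTP_CC, COTP_DR, COTP_DT = 0xE, 0xD, 0x8, 0xF
KNOWN_COTP_TYPES = {0x1, 0x2, 0x5, 0x6, 0x7, 0x8, 0xC, 0xD, 0xE, 0xF}
S7_PROTOCOL_IDS = {0x32: "S7comm", 0x72: "S7comm-plus"}


def inspect_iso_on_tcp(frame: bytes) -> List[str]:
    """Return a list of header violations; an empty list means the TPKT and
    COTP headers are internally consistent (the S7 payload is not parsed)."""
    findings: List[str] = []
    if len(frame) < TPKT_HEADER_LEN:
        return ["truncated TPKT header"]
    version, reserved, declared_len = struct.unpack("!BBH", frame[:TPKT_HEADER_LEN])
    if version != TPKT_VERSION:
        findings.append(f"TPKT version {version} != {TPKT_VERSION}")
    if reserved != 0:
        findings.append(f"TPKT reserved byte is 0x{reserved:02x}, expected 0")
    # Quantity check: the declared length must match what actually arrived.
    if declared_len != len(frame):
        findings.append(f"TPKT length {declared_len} != actual {len(frame)}")
    if declared_len < TPKT_HEADER_LEN + MIN_COTP_DT_LEN:
        findings.append(f"TPKT length {declared_len} cannot hold a COTP TPDU")

    cotp = frame[TPKT_HEADER_LEN:]
    if len(cotp) < 2:
        findings.append("missing COTP header")
        return findings
    li, pdu_type = cotp[0], cotp[1] >> 4
    # Quantity check: the COTP length indicator must fit in the bytes present.
    if 1 + li > len(cotp):
        findings.append(f"COTP length indicator {li} exceeds remaining {len(cotp) - 1} bytes")
        return findings
    # Type check: reject TPDU codes that ISO 8073 does not define.
    if pdu_type not in KNOWN_COTP_TYPES:
        findings.append(f"unknown COTP PDU type 0x{pdu_type:x}")
        return findings
    # Syntax checks per TPDU type.
    if pdu_type == COTP_DT:
        if li != 2:
            findings.append(f"COTP DT length indicator {li} != 2 (class 0)")
        payload = cotp[1 + li:]
        if payload and payload[0] not in S7_PROTOCOL_IDS:
            findings.append(f"unexpected payload protocol id 0x{payload[0]:02x}")
    elif pdu_type in (COTP_CR, COTP_CC) and li < 6:
        findings.append(f"COTP CR/CC length indicator {li} shorter than fixed part")
    return findings


# Constructed frames: two well-formed ones and four generic header violations.
S7_JOB_HEADER = bytes.fromhex("32010000000000080000")   # constructed S7comm header
SAMPLE_FRAMES: Dict[str, bytes] = {
    "good_dt":     bytes.fromhex("03000011" "02f080") + S7_JOB_HEADER,
    "good_cr":     bytes.fromhex("03000016" "11e00000000100c1020100c2020102c0010a"),
    "bad_version": bytes.fromhex("02000011" "02f080") + S7_JOB_HEADER,
    "bad_length":  bytes.fromhex("03000100" "02f080") + S7_JOB_HEADER,
    "bad_li":      bytes.fromhex("03000011" "20f080") + S7_JOB_HEADER,
    "bad_type":    bytes.fromhex("03000011" "023080") + S7_JOB_HEADER,
}


def scan(frames: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run the checker over a batch; callers alert on any non-empty entry."""
    return {name: inspect_iso_on_tcp(f) for name, f in frames.items()}


if __name__ == "__main__":
    for name, findings in scan(SAMPLE_FRAMES).items():
        print(f"{name:12s} {'OK' if not findings else '; '.join(findings)}")
```

In practice you would feed `inspect_iso_on_tcp` the TCP payload of each port 102 segment from a capture or an IDS hook and raise an alert when the returned list is non-empty; a sudden burst of findings from one source, followed by a CPU reporting a Defect or Stop state, is the pattern this report's indicators describe.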
## References
- **Vendor Advisory:** [https://cert-portal.siemens.com/productcert/pdf/ssa-382653.pdf](https://cert-portal.siemens.com/productcert/pdf/ssa-382653.pdf)
- **Siemens ProductCERT:** [https://www.siemens.com/cert/advisories](https://www.siemens.com/cert/advisories)
- **Support Links:**
  - [https://support.industry.siemens.com/cs/ww/en/view/109814248/](https://support.industry.siemens.com/cs/ww/en/view/109814248/)
  - [https://support.industry.siemens.com/cs/ww/en/view/109478459/](https://support.industry.siemens.com/cs/ww/en/view/109478459/)