Full Report
A vulnerability in SIMATIC S7-200 SMART devices could allow an attacker to cause a denial of service condition if a specially crafted TCP packet is sent to the device. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Denial of Service in SIMATIC S7-200 SMART Devices via Crafted TCP Packets
## CVE Details
- **CVE ID:** CVE-2024-43647
- **CVSS Score:** 7.5 (CVSS v3.1) / 8.7 (CVSS v4.0) (High)
- **CWE:** CWE-400: Uncontrolled Resource Consumption
## Affected Systems
- **Products:** SIMATIC S7-200 SMART CPU family, including specific models:
- CR40 (6ES7288-1CR40-0AA0)
- CR60 (6ES7288-1CR60-0AA0)
- SR20 (6ES7288-1SR20-0AA0, 6ES7288-1SR20-0AA1)
- SR30 (6ES7288-1SR30-0AA0, 6ES7288-1SR30-0AA1)
- SR40 (6ES7288-1SR40-0AA0, 6ES7288-1SR40-0AA1)
- SR60 (6ES7288-1SR60-0AA0, 6ES7288-1SR60-0AA1)
- ST20 (6ES7288-1ST20-0AA0)
- **Versions:** All listed versions are affected.
- **Configurations:** The advisory names no specific configuration; the vulnerability is triggered purely by network interaction with the device's TCP stack, so any reachable device with one of the listed article numbers should be treated as affected.
## Vulnerability Description
The affected SIMATIC S7-200 SMART devices do not properly handle TCP packets that have an incorrect or malformed structure. An unauthenticated remote attacker can exploit this by sending such a specially crafted TCP packet to the device, leading to a Denial of Service (DoS) condition.
## Exploitation
- **Status:** The advisory's CVSS v4.0 vector carries exploit maturity `E:P` (Proof-of-Concept), meaning proof-of-concept code or attack knowledge exists; exploitation in the wild is not claimed.
- **Complexity:** Low. The vector reads `AC:L` (Attack Complexity Low), `PR:N` (Privileges Required None) and `UI:N` (User Interaction None): any host that can reach the device's TCP stack can trigger the condition without credentials or operator involvement.
- **Attack Vector:** Network (AV:N).
## Impact
- **Confidentiality:** No Impact (C:N)
- **Integrity:** No Impact (I:N)
- **Availability:** High Impact (A:H) - Denial of Service condition achieved.
## Remediation
### Patches
- **Status:** Siemens states that currently no fix is planned for the affected products; the countermeasures below are the only remediation.
### Workarounds
The following countermeasures are recommended until a fix becomes available:
1. Adhere to the operational guidelines for Industrial Security provided by Siemens.
2. Follow the specific recommendations detailed in the product manuals.
3. Implement general best practices from the Siemens Industrial Security guidance.
4. **Recovery:** To restore normal operation after an attack, unplug and re-plug the network cable of the affected device. This requires physical access to the CPU, so a remotely triggered outage cannot be cleared remotely and should be planned for in the cell's operating procedures.
## Detection
- **Indicators of Compromise:** TCP segments addressed to the controller whose structure is invalid (for example a data offset shorter than the 20-byte minimum or longer than the segment, contradictory flag combinations such as SYN+FIN, or an option list whose lengths do not add up), followed by the controller no longer answering engineering software or HMIs on its network interface until the cable is re-seated. The advisory does not disclose which malformation triggers the fault, so no exact signature is available and detection has to be anomaly-based.
- **Detection Methods and Tools:** Monitor the network segment in front of the S7-200 SMART (a SPAN port or TAP feeding an IDS such as Zeek or Suricata, or a packet capture) and alert on malformed TCP headers destined for the controller, as well as on loss of reachability of the controller (failed polls or keepalives) that coincides with such traffic.
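The header-level anomaly monitoring described above, as an added example that is not part of the Siemens advisory or of any Siemens tooling. Because the advisory does not disclose the malformation that triggers the fault, the checks are generic TCP-structure checks (header length against the data offset, reserved bits, contradictory flag combinations, option-list lengths) applied to segments addressed to the controller. The sample segments, the `build_segment` helper and destination port 102 are constructed assumptions for illustration.

```python
"""Generic TCP header sanity checks for traffic aimed at a PLC.

Added example, not code from the Siemens advisory. The checks flag any segment
whose header or option list is structurally invalid (RFC 9293 layout) rather
than matching one specific packet, since that packet is not disclosed.
"""
from __future__ import annotations

import struct

MIN_TCP_HEADER = 20
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


def tcp_header_anomalies(segment: bytes) -> list[str]:
    """Return the structural problems found in a raw TCP segment (empty if sane)."""
    if len(segment) < MIN_TCP_HEADER:
        return [f"segment is {len(segment)} bytes, below the 20-byte minimum header"]
    problems: list[str] = []
    off_rsvd, flags = struct.unpack("!BB", segment[12:14])
    header_len = (off_rsvd >> 4) * 4          # data offset is counted in 32-bit words
    if header_len < MIN_TCP_HEADER:
        problems.append(f"data offset {header_len} bytes is below the 20-byte minimum")
    elif header_len > len(segment):
        problems.append(f"data offset {header_len} bytes exceeds segment length {len(segment)}")
    if off_rsvd & 0x0F:
        problems.append("reserved bits after the data offset are non-zero")
    # Flag combinations no conforming TCP stack sends.
    if flags == 0:
        problems.append("no TCP flags set")
    if flags & SYN and flags & FIN:
        problems.append("SYN and FIN both set")
    if flags & SYN and flags & RST:
        problems.append("SYN and RST both set")
    if MIN_TCP_HEADER <= header_len <= len(segment):
        problems.extend(_option_anomalies(segment[MIN_TCP_HEADER:header_len]))
    return problems


def _option_anomalies(options: bytes) -> list[str]:
    """Walk the option list: EOL and NOP are one byte, everything else is kind, length, data."""
    problems: list[str] = []
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                         # end of option list; the rest is padding
            break
        if kind == 1:                         # no-operation
            i += 1
            continue
        if i + 1 >= len(options):
            problems.append(f"option kind {kind} is truncated before its length byte")
            break
        length = options[i + 1]
        if length < 2:
            problems.append(f"option kind {kind} has illegal length {length}")
            break
        if i + length > len(options):
            problems.append(f"option kind {kind} with length {length} runs past the header")
            break
        i += length
    return problems


def build_segment(flags: int, options: bytes = b"", payload: bytes = b"",
                  data_offset: int | None = None, dst_port: int = 102) -> bytes:
    """Assemble a test segment; the checksum is left zero because it is not checked here."""
    options += b"\x00" * (-len(options) % 4)  # options are padded to a 32-bit boundary
    if data_offset is None:
        data_offset = (MIN_TCP_HEADER + len(options)) // 4
    header = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, data_offset << 4, flags, 8192, 0, 0)
    return header + options + payload


# Constructed samples, not captures from a real S7-200 SMART. Port 102 (ISO-on-TCP, used
# for S7 programming) is an assumption for realism; the vulnerability is not tied to a port.
SAMPLES = {
    "normal SYN": build_segment(SYN, options=b"\x02\x04\x05\xb4"),          # MSS 1460
    "normal data": build_segment(PSH | ACK, payload=b"\x03\x00\x00\x16"),    # TPKT-like payload
    "syn+fin": build_segment(SYN | FIN),
    "null flags": build_segment(0),
    "short offset": build_segment(ACK, data_offset=3),                       # claims 12-byte header
    "offset past end": build_segment(ACK, data_offset=10),                   # claims 40-byte header
    "bad option length": build_segment(SYN, options=b"\x02\x01\x05\xb4"),   # MSS with length 1
    "truncated option": build_segment(SYN, options=b"\x01\x01\x01\x03"),    # NOPs then bare kind
}


def scan(samples: dict[str, bytes]) -> dict[str, list[str]]:
    """Return only the samples with at least one anomaly, keyed by name."""
    return {name: p for name, seg in samples.items() if (p := tcp_header_anomalies(seg))}
```

In a live deployment the segments would come from a capture filtered on the controller's address; the two "normal" samples pass untouched while the six malformed ones are each reported with the reason, which is what an alert on this traffic should carry.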
## References
- Siemens Security Advisory SSA-969738
- Siemens ProductCERT Advisories: hXXps://www.siemens.com/cert/advisories
- Siemens Operational Guidelines for Industrial Security (link provided in source)