Full Report
The most dangerous of the vulnerabilities affect the SIMATIC S7-400 CPU family and the SIMATIC IT Production Suite software package. The vulnerabilities have been fixed for most of the affected products.
Analysis Summary
This technical summary covers the critical vulnerabilities affecting the SIMATIC S7-400 and SIMATIC IT Production Suite as described in the 2018 Siemens security advisory update.
# Vulnerability: Critical Flaws in SIMATIC S7-400 and SIMATIC IT Production Suite
## CVE Details
- **CVE ID:** CVE-2018-13833 (Example for S7-400 CPU), CVE-2018-13837 (SIMATIC IT)
- **CVSS Score:** 9.8 (Critical)
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-287 (Improper Authentication)
## Affected Systems
- **Products:**
  1. SIMATIC S7-400 CPU Family
  2. SIMATIC IT Production Suite (now part of Opcenter Execution)
- **Versions:**
  - S7-400: All versions prior to v7.0
  - SIMATIC IT Production Suite: All versions prior to v7.1
- **Configurations:** Systems with network-facing interfaces enabled or those using default/unauthenticated communication protocols.
## Vulnerability Description
The S7-400 CPUs suffer from a memory corruption vulnerability in the processing of specially crafted ISO-on-TCP (Port 102/TCP) packets. An attacker sending these packets can trigger a buffer overflow.
The SIMATIC IT Production Suite contains vulnerabilities in its web server component and authentication modules, allowing for unauthorized administrative access or remote code execution via unverified inputs.
## Exploitation
- **Status:** Not exploited in the wild (at time of report); however, researchers have demonstrated PoCs for S7 communication hijacking.
- **Complexity:** Low to Medium
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Potential data theft from PLC memory or production databases)
- **Integrity:** High (Unauthorized modification of control logic or production recipes)
- **Availability:** High (Can lead to "Defective" mode on CPUs or complete system crashes)
## Remediation
### Patches
- **SIMATIC S7-400:** Update to Firmware V7.0 or higher.
- **SIMATIC IT Production Suite:** Upgrade to version V7.1 or apply the specific security hotfix provided by Siemens Support.
### Workarounds
- Disable the "Web Server" functionality on S7-400 CPUs if not required.
- Use the "Protection Level 3" (Read/Write protection) with a password on the S7 CPUs.
- Implement VPN and Firewalls to restrict access to Port 102/TCP to authorized engineering stations only.
## Detection
- **Indicators of Compromise:** Unusual CPU restarts, parity errors in system logs, or unauthorized IP addresses attempting to connect to Port 102.
- **Detection methods and tools:**
  - Use Industrial IDS (Intrusion Detection Systems) to monitor for malformed ISO-on-TCP packets.
  - Audit Siemens Step 7 "Diagnostic Buffer" for unexpected transition to STOP mode.
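The two network-side checks above (malformed ISO-on-TCP packets and unauthorized hosts reaching Port 102/TCP) can be expressed as a small checker over captured segments. This is an added example, not code from the advisory or from Siemens; the engineering-station allowlist, the `check_segment`/`scan` helpers and the sample packets are all constructed for illustration.

```python
import struct

# Constructed allowlist of authorized engineering stations (assumption for this example).
AUTHORIZED_STATIONS = {"192.0.2.10"}
S7_PORT = 102
COTP_TYPES = {0xE0: "CR", 0xD0: "CC", 0x80: "DR", 0xF0: "DT"}


def check_segment(src_ip, dst_port, payload):
    """Return a list of findings for one TCP segment sent towards a PLC."""
    findings = []
    if dst_port != S7_PORT:
        return findings
    if src_ip not in AUTHORIZED_STATIONS:
        findings.append(f"unauthorized source {src_ip} to TCP/102")
    # TPKT header (RFC 1006): version, reserved, 16-bit length that includes the header.
    if len(payload) < 4:
        findings.append("truncated TPKT header")
        return findings
    version, _reserved, tpkt_len = struct.unpack("!BBH", payload[:4])
    if version != 3:
        findings.append(f"unexpected TPKT version {version}")
    if tpkt_len != len(payload):
        findings.append(f"TPKT length {tpkt_len} != segment length {len(payload)}")
    # COTP header (ISO 8073): the length indicator counts the bytes that follow it.
    if len(payload) < 6:
        findings.append("truncated COTP header")
        return findings
    li, pdu_type = payload[4], payload[5]
    remaining = len(payload) - 5
    if li > remaining:
        findings.append(f"COTP length indicator {li} exceeds remaining {remaining} bytes")
    if (pdu_type & 0xF0) not in COTP_TYPES:
        findings.append(f"unknown COTP PDU type 0x{pdu_type:02x}")
    return findings


# Constructed samples: a well-formed COTP connection request (22 bytes), one whose
# TPKT length field claims 256 bytes, and one whose COTP length indicator is 255.
COTP_CR = bytes.fromhex("0300001611e00000000100c1020100c2020102c0010a")
BAD_TPKT_LEN = bytes.fromhex("0300010011e00000000100c1020100c2020102c0010a")
BAD_COTP_LI = bytes.fromhex("03000016ffe00000000100c1020100c2020102c0010a")
SAMPLES = [
    ("192.0.2.10", 102, COTP_CR),       # authorized station, well-formed
    ("198.51.100.7", 102, COTP_CR),     # well-formed, but from an unknown host
    ("192.0.2.10", 102, BAD_TPKT_LEN),  # inconsistent TPKT length
    ("192.0.2.10", 102, BAD_COTP_LI),   # COTP header claims more bytes than exist
]


def scan(samples=SAMPLES):
    """Map each sample index to its findings; an empty list means nothing was flagged."""
    return {i: check_segment(*s) for i, s in enumerate(samples)}


if __name__ == "__main__":
    for i, f in scan().items():
        print(i, f or "ok")
```

In a deployment the segments would come from a span port or packet capture rather than the inline list, and the allowlist would be the site's actual engineering stations.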
## References
- **Vendor advisories:** hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-118803[.]pdf
- **Relevant links:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/vulnerability-reports/2018/11/16/vulnerabilities-in-siemens-industrial-products/