Siemens Simatic S7-1500 PLC Found to Be Vulnerable to DoS Attacks
- Positive Technologies SCADA security researchers discovered two “high” severity vulnerabilities in Siemens Simatic S7-1500 PLC.
- Siemens released a firmware update to address them, but older units will have to follow a different approach.
- Both vulnerabilities can potentially lead to a DoS condition by sending specially crafted packs through two ports.
Siemens has published the results of a security audit conducted by Positive Technologies on their Simatic S7-1500 PLC solution, with the most critical findings being two severe vulnerabilities (CVE-2018-16558 and CVE-2018-16559) that could be exploited in DoS (Denial of Service) attack scenarios. Considering the crucial role that PLCs (programmable logic controllers) play in industrial environments, a disruption in their operation could be translated to enormous financial losses. Siemens has already released the firmware update to address the findings, and everyone is recommended to update to version 2.5 or later. Those who own earlier units that can’t upgrade to the most recent version due to hardware limitations are advised to protect the specific TCP ports that were leveraged during the audit.
More specifically, and as Paolo Emiliani, the SCADA Research Analyst of Positive Technologies puts it: "With these vulnerabilities, an unauthenticated attacker could perform denial of service against a PLC and severely impact industrial processes. This is possible by sending a specially crafted network packet to TCP ports 80 or 443 of vulnerable CPUs. To restore PLC functioning, owners must manually switch the device to a normal operating mode. Crucially, successful exploitation does not require system privileges or user interaction which makes the overall risk and exposure higher."
Both vulnerabilities that can lead to the DoS condition want attackers to use ports 80/tcp or 443/tcp to send specially crafted network packets. No administration privileges or other user interaction is required for the achievement of the compromise, but as Siemens clarifies for both, there have been no known cases of anyone taking advantage of the particular security holes. The CVSS (Common Vulnerability Scoring System) v3.0 score that both received was 7.5, meaning that the severity of the vulnerabilities was classified as “high.”
Siemens is advising users of the Simatic S7-1500 PLC to update its firmware if possible, protect network access to the aforementioned ports, apply cell protection, and also to apply defense-in-depth (incorporate multiple layers of security controls). Siemens is one of the market leaders in the field of PLC solutions, and they are taking security seriously, especially after its reputation was lashed with the Stuxnet worm that afflicted the company’s systems in many countries around the globe.
Do you have any comments on the above? Let us know of your thoughts in the section underneath, and don’t hesitate to hop to our socials on Facebook and Twitter so you can check out what else is on in the tech world today.