Full Report
Two vulnerabilities have been identified in the SIMATIC S7-400 CPU family that could allow an attacker to cause a denial of service condition. In order to exploit the vulnerabilities, an attacker must have access to the affected devices on port 102/tcp via Ethernet, PROFIBUS or Multi Point Interfaces (MPI). Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where updates are not yet, or not at all, available.
Analysis Summary
# Vulnerability: Denial of Service in SIMATIC S7-400 CPUs
## CVE Details
- **CVE ID:** CVE-2018-16556
- **CVSS Score:** 8.2 (High)
- **CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H/E:P/RL:O/RC:C
- **CWE:** CWE-347 (Improper Verification of Cryptographic Signature)
## Affected Systems
- **Products:**
  - SIMATIC S7-400 CPU family (Standard, PN/DP, F, and H variants)
  - SIPLUS S7-400 CPU variants
- **Versions:**
  - S7-400 V7 (various models < V7.0.3)
  - S7-400 V6 and below (All versions)
  - S7-400H V6 and V4.5 (All versions)
- **Configurations:** Vulnerable if port 102/tcp is accessible via Ethernet, PROFIBUS, or Multi Point Interfaces (MPI).
## Vulnerability Description
Selected SIMATIC S7-400 CPUs contain a flaw in the verification of cryptographic signatures or data integrity. An unauthenticated remote attacker can exploit this by sending specially crafted packets to port 102/tcp. This causes the CPU to enter a "DEFECT" mode, resulting in a denial of service (DoS) of the core PLC functionality. A hard reset is typically required to restore the device to its normal operating state.
## Exploitation
- **Status:** PoC available (Proof of Concept)
- **Complexity:** Low
- **Attack Vector:** Network (Can also be exploited via Adjacent/Local interfaces like PROFIBUS/MPI)
## Impact
- **Confidentiality:** None
- **Integrity:** Low
- **Availability:** High (Core CPU functionality is disabled)
## Remediation
### Patches
Siemens has released updates for PN/DP V7 and H V6 models. Users should update to the following:
- **S7-400 PN/DP V7:** Update to V7.0.3 or later.
- **S7-400H V6:** Update to V6.0.9 or later.
*Note: For many DP-only and older V6/V4 models, Siemens has stated "No fix is planned."*
### Workarounds
- **Network Segmentation:** Minimize network exposure for all control system devices and ensure they are not accessible from the Internet.
- **Firewall Filtering:** Block all unauthorized traffic to port 102/tcp.
- **Vulnerability-Specific Filtering:** Use the "S7 communication" firewall filter available in SIMATIC NET CP modules to restrict communication to authorized engineering stations only.
- **Access Protection:** Configure the "Protection Level" (Read/Write protection) with a password on the CPU.
## Detection
- **Indicators of Compromise:** CPU unexpectedly transitioning to "DEFECT" mode or stopping communication on port 102/tcp.
- **Detection methods and tools:** Monitor industrial network traffic for malformed S7 packets or excessive connection attempts to port 102/tcp from unauthorized MAC or IP addresses.
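One way to implement the monitoring described above (and the "authorized engineering stations" restriction from the workarounds), as an added example that is not part of the Siemens advisory: it flags port 102/tcp connections from hosts outside an allowlist and sources with excessive attempts in a short window. The flow records, the allowlist subnet and the thresholds are constructed assumptions.

```python
# Added example (not from the advisory): flag TCP connection records to
# port 102/tcp from hosts outside the engineering-station allowlist, and
# sources whose attempt rate within a sliding window is excessive.
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

S7_PORT = 102  # ISO-TSAP, used by S7 communication

# Constructed sample flow log: "timestamp src_ip dst_ip dst_port"
SAMPLE_LOG = """\
2024-05-01T08:00:01 10.0.10.5 10.0.20.7 102
2024-05-01T08:00:02 10.0.10.5 10.0.20.7 102
2024-05-01T08:00:03 10.0.30.9 10.0.20.7 102
2024-05-01T08:00:04 10.0.30.9 10.0.20.7 102
2024-05-01T08:00:05 10.0.30.9 10.0.20.7 102
2024-05-01T08:00:06 10.0.30.9 10.0.20.7 102
2024-05-01T08:00:07 10.0.10.5 10.0.20.7 443
"""

# Assumed allowlist: the subnet holding the authorized engineering stations.
ENGINEERING_STATIONS = [ip_network("10.0.10.0/24")]


def parse_log(text):
    """Parse the constructed log format into (time, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        records.append((datetime.fromisoformat(ts), ip_address(src),
                        ip_address(dst), int(port)))
    return records


def find_s7_alerts(records, allowlist, max_attempts=3, window=timedelta(seconds=10)):
    """Return (unauthorized_sources, excessive_sources) for port 102/tcp traffic."""
    unauthorized = set()
    recent = defaultdict(list)   # per-source timestamps inside the window
    peak = defaultdict(int)      # highest in-window attempt count seen per source
    for ts, src, dst, port in records:
        if port != S7_PORT:
            continue  # only S7 communication is of interest here
        if not any(src in net for net in allowlist):
            unauthorized.add(str(src))
        recent[src] = [t for t in recent[src] if ts - t <= window] + [ts]
        peak[src] = max(peak[src], len(recent[src]))
    excessive = {str(s) for s, n in peak.items() if n > max_attempts}
    return sorted(unauthorized), sorted(excessive)
```

The function returns only source addresses; in a real deployment the records would come from a firewall or flow collector in front of the CPUs, and alerts would be correlated with the CPU's own mode transitions.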
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-113131.pdf
- **Siemens Support Link:** hxxps://support.industry.siemens[.]com/cs/ww/en/view/109752685/
- **General CERT Inquiries:** hxxps://www.siemens[.]com/cert/advisories