# Full Report
SIMATIC S7-400 CPU devices contain an input validation vulnerability that could allow an attacker to create a Denial-of-Service condition. A restart is needed to restore normal operations. Siemens has released an update for the SIMATIC S7-410 V10 CPU family and the SIMATIC S7-400 H V6 CPU family (including the SIPLUS variants of both) and recommends updating to the latest version. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not yet available.
# Analysis Summary
# Vulnerability: Denial-of-Service in SIMATIC S7-400 CPUs
## CVE Details
- **CVE ID:** CVE-2021-40368
- **CVSS Score:** 7.5 (High)
- **CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
- **CWE:** CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
## Affected Systems
- **Products:**
  - SIMATIC S7-400 CPU V7 family (including PN/DP, F, and DP variants)
  - SIMATIC S7-410 V10 CPU family
  - SIMATIC S7-400 H V6 CPU family
  - SIPLUS variants of the above models
- **Versions:**
  - S7-400 V7: All versions < V7.0.3 (PN/DP variants); all versions (DP-only variants)
  - S7-410 V10: All versions < V10.1.1
- **Configurations:** Devices with port 102/tcp reachable.
## Vulnerability Description
Affected devices contain an input validation flaw where they improperly handle specially crafted packets sent to **port 102/tcp**. Due to a memory buffer restriction issue (CWE-119), processing these malicious packets causes the CPU to enter an error state, resulting in a Denial-of-Service (DoS) condition.
## Exploitation
- **Status:** Proof of concept available (the CVSS temporal metric `E:P` indicates that proof-of-concept exploit code exists)
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (The device becomes unresponsive and requires a manual restart to restore normal operations).
## Remediation
### Patches
Siemens recommends updating to the following versions where available:
- **SIMATIC S7-400 V7 (PN/DP variants):** Update to V7.0.3 or later.
- **SIMATIC S7-410 V10:** Update to V10.1.1 or later.
- *Note: For several DP-only models (e.g., 412-1 DP, 412-2 DP, 416-2 DP), no fix is currently planned; users must use workarounds.*
### Workarounds
- **Network Segmentation:** Protect access to port 102/tcp using firewalls or VLANs.
- **Defense in Depth:** Implement the Siemens Industrial Security concept, including cell protection and ensuring the devices are not directly exposed to the internet.
- **Access Control:** Restrict network traffic to trusted nodes only.
## Detection
- **Indicators of Compromise:** Unexpected CPU transitions to a "STOP" or "DEFECTIVE" state requiring a hard restart.
- **Detection Methods:** Monitor network traffic for anomalous or malformed packets directed at ISO-on-TCP (port 102), and for port 102 connections originating from hosts that are not known engineering or HMI nodes. Use Industrial Intrusion Detection Systems (IIDS) that can parse S7 communication protocols.
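The network-side checks behind the Detection and Access Control items above, as an added example that is not part of the Siemens advisory or any Siemens tooling: it flags ISO-on-TCP (port 102) flows to the CPU from hosts outside a trusted-node allowlist, and flows whose RFC 1006 TPKT header is inconsistent with the captured PDU. The addresses, the trusted-node list and the flow records are constructed assumptions; the crafted packet itself is not modelled, since the advisory does not describe it.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

ISO_TCP_PORT = 102
# Assumed addresses: engineering stations/HMIs allowed to talk S7, and the S7-400 CPU.
TRUSTED_NODES = {"10.10.1.5", "10.10.1.6"}
S7_CPUS = {"10.10.1.20"}


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payload: bytes  # one complete TPKT PDU captured from the TCP stream


def tpkt_header_ok(payload: bytes) -> bool:
    """RFC 1006 TPKT: version 3, reserved 0, length >= 7 (TPKT + minimal COTP) and equal to the PDU size."""
    if len(payload) < 4:
        return False
    version, reserved, length = struct.unpack("!BBH", payload[:4])
    return version == 3 and reserved == 0 and length >= 7 and length == len(payload)


def classify(flow: Flow) -> Optional[str]:
    """Return an alert string, or None if the flow is not worth flagging."""
    if flow.dport != ISO_TCP_PORT or flow.dst not in S7_CPUS:
        return None  # not ISO-on-TCP traffic to a protected CPU
    if flow.src not in TRUSTED_NODES:
        return f"untrusted node {flow.src} -> {flow.dst}:{ISO_TCP_PORT}"
    if not tpkt_header_ok(flow.payload):
        return f"malformed TPKT header from {flow.src} -> {flow.dst}:{ISO_TCP_PORT}"
    return None


# Constructed samples: a well-formed COTP Connection Request, then deviations from it.
COTP_CR = bytes.fromhex("0300001611e00000000100c1020100c2020102c0010a")
BAD_TPKT = bytes.fromhex("0300ffff11e0")  # length field claims 65535 bytes for a 6-byte PDU
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.10.1.20", 102, COTP_CR),     # trusted, well-formed: silent
    Flow("192.168.50.9", "10.10.1.20", 102, COTP_CR),  # not on the trusted-node list
    Flow("10.10.1.6", "10.10.1.20", 102, BAD_TPKT),    # trusted source, bogus header
    Flow("10.10.1.6", "10.10.1.20", 443, b""),         # not ISO-on-TCP: ignored
]


def run(flows: List[Flow] = SAMPLE_FLOWS) -> List[str]:
    return [alert for alert in map(classify, flows) if alert]


if __name__ == "__main__":
    print("\n".join(run()))
```

In a real deployment the `Flow` records would come from a span-port capture or an IIDS export rather than the inline samples.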
## References
- **Siemens Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-557541.pdf
- **Official Support Link:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109752685/
- **CVSS Reference:** hxxps://www[.]first[.]org/cvss/v3.1/vector#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C