Full Report
SIMATIC S7-1200 CPU V1/V2 controllers contain two vulnerabilities that could allow an unauthenticated remote attacker to trigger functions by recording and playing back legitimate network communication, or to place the controller in a stop/defect state by causing a communications error. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in SIMATIC S7-1200 CPU V1/V2 (Record/Playback and DoS via Network)
## CVE Details
- **CVE ID:** CVE-2011-20001, CVE-2011-20002
- **CVSS Score:** 7.5 (CVSS v3.1) / 8.7 (CVSS v4.0) for CVE-2011-20001. 7.4 (CVSS v3.1) / 8.3 (CVSS v4.0) for CVE-2011-20002.
- **CWE:** CWE-20 (Improper Input Validation) for CVE-2011-20001; CWE-294 (Authentication Bypass by Capture-replay) for CVE-2011-20002.
## Affected Systems
- **Products:** SIMATIC S7-1200 CPU V1 family (including SIPLUS variants) and SIMATIC S7-1200 CPU V2 family (including SIPLUS variants).
- **Versions:**
* For CVE-2011-20001: All versions **< V2.0.3**
* For CVE-2011-20002: All versions **< V2.0.2**
- **Configurations:** Affected when network access to the devices is not properly restricted.
## Vulnerability Description
This advisory details two separate vulnerabilities:
1. **CVE-2011-20001 (Improper Input Validation/DoS):** The web server interface of affected devices improperly processes incoming malformed HTTP traffic when received at a high rate. This allows an unauthenticated remote attacker to potentially force the device into a **stop/defect state (Denial of Service)**.
2. **CVE-2011-20002 (Capture-Replay Attack):** Affected controllers are vulnerable to replay attacks over the communication channel with the engineering software ("capture-replay"). This allows an on-path attacker to execute any previously recorded legitimate commands (e.g., setting the controller to STOP) at a later time, **even if the controller has a password configured**, as the communication is not properly secured against replay.
## Exploitation
- **Status:** The advisory does not state whether a public PoC exists. It does explicitly describe an "unauthenticated remote attacker" capability for the DoS issue, and capture-replay attacks of this kind are generally well understood once traffic has been captured.
- **Complexity:**
* CVE-2011-20001: Low (Unauthenticated, Network)
* CVE-2011-20002: Medium (Requires an on-path attacker to capture traffic, but execution is straightforward afterward).
- **Attack Vector:** Network (Remote, Unauthenticated for DoS; On-path for Replay).
## Impact
| Impact Aspect | CVE-2011-20001 (DoS) | CVE-2011-20002 (Replay) |
| :--- | :--- | :--- |
| **Confidentiality** | None | None |
| **Integrity** | Low (Controller state disruption) | High (Execution of previously recorded privileged commands) |
| **Availability** | High (Controller forced into stop/defect state) | High (Controller forced into stop/defect state, or other state changes) |
## Remediation
### Patches
Customers must update to the following minimum versions:
* **For CVE-2011-20001:** Update to **V2.0.3 or later version**.
* **For CVE-2011-20002:** Update to **V2.0.2 or later version**.
### Workarounds
* **For CVE-2011-20001:** Disable the web server interface if possible.
* **General Mitigation:** Apply network access controls to protect the control devices. Configure the environment according to Siemens' operational guidelines for Industrial Security.
## Detection
- **Indicators of Compromise:** Unexpected controller stoppages or defect states that coincide with network activity toward the device (DoS), or controller commands executed during engineering sessions that no operator issued (successful capture-replay).
- **Detection Methods and Tools:** Not explicitly detailed in the summary. As general practice, monitor network traffic to the controllers and verify the integrity of controller logic between engineering sessions.
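An added example, not part of the advisory or of any Siemens tooling, that applies the two indicators above to constructed flow records: a per-source rate check for malformed HTTP sent to the controller web server (CVE-2011-20001) and a digest match for engineering-protocol messages first sent by a trusted workstation and later resent byte-for-byte by another host (CVE-2011-20002). The port numbers, addresses, trusted-host list and the pre-parsed record format are assumptions.

```python
"""Heuristic network-log detection for the two S7-1200 issues above.
Assumptions (not from the advisory): the PLC web server is on TCP/80, the
engineering protocol on TCP/102 (ISO-TSAP, used by S7 communication), and
records are pre-parsed flows to the PLC from a sensor that flags malformed HTTP."""
from collections import defaultdict, deque
import hashlib

ENGINEERING_HOSTS = {"192.0.2.50"}  # constructed: workstations allowed to command the PLC

# Constructed records destined to the PLC: (time_s, src_ip, dst_port, malformed_http, payload)
SAMPLE_RECORDS = [
    (0.0, "192.0.2.50", 102, False, b"STOP-CPU"),                                # legitimate command
    *[(1.0 + i * 0.02, "198.51.100.7", 80, True, b"GET /\xff\xff") for i in range(30)],  # burst
    (5.0, "192.0.2.50", 80, False, b"GET /Portal HTTP/1.1"),                     # normal browsing
    (90.0, "198.51.100.9", 102, False, b"STOP-CPU"),                             # resent by a third host
]


def detect_http_flood(records, window_s=1.0, threshold=20):
    """CVE-2011-20001 indicator: a source sending malformed HTTP at a high rate.
    Returns the sorted list of source IPs that reached the threshold within the window."""
    windows = defaultdict(deque)  # src_ip -> timestamps of recent malformed requests
    alerted = set()
    for t, src, port, malformed, _ in sorted(records, key=lambda r: r[0]):
        if port != 80 or not malformed:
            continue
        q = windows[src]
        q.append(t)
        while q and t - q[0] > window_s:  # drop timestamps outside the sliding window
            q.popleft()
        if len(q) >= threshold:
            alerted.add(src)
    return sorted(alerted)


def detect_replay(records, trusted=frozenset(ENGINEERING_HOSTS)):
    """CVE-2011-20002 indicator: an engineering-protocol message first seen from a
    trusted workstation and later re-sent unchanged by an untrusted host.
    Returns (replay_time, replaying_src, original_time) tuples."""
    seen = {}  # payload digest -> (first_time, first_src)
    alerts = []
    for t, src, port, _, payload in sorted(records, key=lambda r: r[0]):
        if port != 102:
            continue
        digest = hashlib.sha256(payload).hexdigest()
        if digest in seen and src not in trusted and seen[digest][1] in trusted:
            alerts.append((t, src, seen[digest][0]))
        seen.setdefault(digest, (t, src))
    return alerts


if __name__ == "__main__":
    print("flood sources:", detect_http_flood(SAMPLE_RECORDS))
    print("replay alerts:", detect_replay(SAMPLE_RECORDS))
```

Legitimate engineering traffic can repeat identical messages, so the replay heuristic keys on a change of source host rather than on repetition alone; tune the window and threshold to the polling rate of the real network.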
## References
- Siemens ProductCERT Advisory: SSA-625789
- General Security Recommendations: hxxps://www.siemens.com/cert/operational-guidelines-industrial-security
- Further Advisories: hxxps://www.siemens.com/cert/advisories