Full Report
Affected SIMATIC firmware contains three vulnerabilities that could allow an unauthenticated attacker to perform a denial of service attack under certain conditions. Siemens has released updates for several affected products and recommends updating to the latest versions. For products where updates are not, or not yet, available, Siemens recommends countermeasures.
Analysis Summary
# Vulnerability: Multiple Denial of Service Vulnerabilities in Siemens SIMATIC Products
## CVE Details
- **CVE ID:** CVE-2021-37185, CVE-2021-37204, CVE-2021-37205
- **CVSS Score:** 7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- **CWE:**
- CWE-672: Operation on a Resource after Expiration or Release (CVE-2021-37185, CVE-2021-37204)
- CWE-401: Missing Release of Memory after Effective Lifetime (CVE-2021-37205)
## Affected Systems
- **Products:**
- SIMATIC Drive Controller family
- SIMATIC S7-1200 & S7-1500 CPU families
- SIMATIC S7-1500 Software Controller
- SIMATIC ET 200SP Open Controller (including PC2 and Ready4Linux variants)
- SIMATIC S7-PLCSIM Advanced
- TIM 1531 IRC (including SIPLUS variants)
- SIPLUS extreme products (matching the base SIMATIC hardware versions)
- **Versions:**
- S7-1200: All versions < V4.5.0
- S7-1500: All versions < V2.9.2
- S7-PLCSIM Advanced: All versions < V4.0
- TIM 1531 IRC: All versions < V2.3.6
- SIMATIC Drive Controller: All versions < V2.9.2
- **Configurations:** All three vulnerabilities are reachable only through port 102/tcp (ISO-on-TCP, the S7 communication and engineering port). Note that CVE-2021-37204 affects devices regardless of whether TLS is enabled.
## Vulnerability Description
Affected SIMATIC firmware contains flaws in the processing of specially prepared packets sent to port 102/tcp. Two of the flaws are use of a resource after it has been released (CWE-672); the third is a memory leak (CWE-401). An unauthenticated attacker who can reach port 102/tcp can trigger them by sending crafted packets, causing the PLC/Controller to enter a defect state or crash.
## Exploitation
- **Status:** Proof-of-concept exploit code (CVSS Exploit Code Maturity: Proof-of-Concept, E:P)
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Device requires a manual restart to restore normal operations and automation functions)
## Remediation
### Patches
Siemens has released the following updates to address these flaws:
- **S7-1200 CPUs:** Update to V4.5.0 or later
- **S7-1500 CPUs:** Update to V2.9.2 or later
- **S7-PLCSIM Advanced:** Update to V4.0 SP1 or later
- **TIM 1531 IRC:** Update to V2.3.6 or later
- **SIMATIC Drive Controller:** Update to V2.9.2 or later
- **S7-1500 Software Controller:** Update to V21.9 or later
### Workarounds
- **Network Segmentation:** Protect network access to devices; ensure they are not reachable from the internet.
- **Firewall Filtering:** Restrict access to Port 102/tcp to only authorized engineering workstations or trusted HMI/SCADA systems.
- **Operational Guidelines:** Adhere to Siemens' operational guidelines for Industrial Security to operate in a protected IT environment.
## Detection
- **Indicators of Compromise:** An unexpected transition of the CPU to the "Defect" or "Stop" state with no corresponding engineering action, coinciding with connections to port 102/tcp from a host outside the authorized engineering/HMI set.
- **Detection methods:** Monitor traffic to port 102/tcp. Alert on connections from hosts that are not authorized engineering workstations or HMI/SCADA systems, and on ISO-on-TCP (TPKT/COTP) frames that fail basic structural checks, such as a TPKT length field that does not match the frame size or an unknown COTP PDU type. CWE-672 and CWE-401 describe the root cause in the firmware, not an observable packet pattern, so there is no IDS/IPS signature for "CWE-672 traffic"; signatures have to target the crafted-packet trigger or the unexpected source.
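The following is an added example, not code from the advisory or from Siemens, showing the two checks named above (the port-102 source allowlist from the Workarounds section and the TPKT/COTP structural checks from the Detection section) run over a few constructed frames. It assumes a hypothetical capture already reduced to `(source, destination port, payload)` records; the IP addresses, the allowlist and the sample bytes are all made up for illustration. The well-formed sample is a COTP Connection Request as an S7 client would send it; the two malformed samples are constructed to fail the length and PDU-type checks, and do not reproduce any of the three CVEs.

```python
"""Allowlist and TPKT/COTP sanity checks for ISO-on-TCP (port 102/tcp) traffic.

Added example, not part of the advisory. Sample records and addresses below are constructed.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

TPKT_VERSION = 3          # RFC 1006: first byte of every frame is the version, always 3
TPKT_HEADER_LEN = 4       # version, reserved, 16-bit total length (header included)

# COTP PDU types (ISO 8073 / RFC 905) that appear in an S7 session; the low
# nibble of the type byte carries credit bits, so compare on the high nibble.
COTP_CR = 0xE0  # Connection Request
COTP_CC = 0xD0  # Connection Confirm
COTP_DT = 0xF0  # Data Transfer
COTP_DR = 0x80  # Disconnect Request
KNOWN_COTP_TYPES = {COTP_CR, COTP_CC, COTP_DT, COTP_DR}


@dataclass(frozen=True)
class Record:
    src: str
    dst_port: int
    payload: bytes


def check_frame(payload: bytes) -> list[str]:
    """Return the reasons a frame is structurally malformed (empty if it parses cleanly)."""
    problems: list[str] = []
    if len(payload) < TPKT_HEADER_LEN + 2:
        return ["frame shorter than TPKT header plus COTP length indicator"]
    version, _reserved, tpkt_len = struct.unpack("!BBH", payload[:TPKT_HEADER_LEN])
    if version != TPKT_VERSION:
        problems.append(f"TPKT version {version} (expected {TPKT_VERSION})")
    if tpkt_len != len(payload):
        problems.append(f"TPKT length {tpkt_len} does not match frame length {len(payload)}")
    li = payload[4]                    # COTP length indicator: bytes following it
    pdu_type = payload[5] & 0xF0
    if li == 0 or TPKT_HEADER_LEN + 1 + li > len(payload):
        problems.append(f"COTP length indicator {li} exceeds frame")
    if pdu_type not in KNOWN_COTP_TYPES:
        problems.append(f"unknown COTP PDU type 0x{pdu_type:02x}")
    return problems


def triage(records: list[Record], authorized_sources: set[str]) -> list[tuple[str, str]]:
    """Flag port-102 records from unauthorized hosts and records whose frame is malformed."""
    findings: list[tuple[str, str]] = []
    for rec in records:
        if rec.dst_port != 102:
            continue
        if rec.src not in authorized_sources:
            findings.append((rec.src, "unauthorized source talking to port 102/tcp"))
        for reason in check_frame(rec.payload):
            findings.append((rec.src, reason))
    return findings


# Constructed sample data (hypothetical addresses; only 10.0.1.10/11 are "engineering" hosts).
AUTHORIZED_SOURCES = {"10.0.1.10", "10.0.1.11"}
SAMPLE_RECORDS = [
    # Well-formed COTP Connection Request from an authorized HMI: TPKT len 0x16, LI 0x11,
    # src/dst TSAP parameters and a TPDU-size parameter.
    Record("10.0.1.10", 102, bytes.fromhex("0300001611e00000000100c1020100c2020102c0010a")),
    # Unauthorized host; TPKT claims 256 bytes but the frame is 7 bytes long.
    Record("10.0.9.77", 102, bytes.fromhex("0300010002f080")),
    # Authorized host; COTP length indicator overruns the frame and the PDU type is unknown.
    Record("10.0.1.10", 102, bytes.fromhex("03000008203f0000")),
    # Not port 102, so ignored by triage.
    Record("10.0.1.10", 80, b"GET / HTTP/1.0\r\n"),
]

if __name__ == "__main__":
    for src, reason in triage(SAMPLE_RECORDS, AUTHORIZED_SOURCES):
        print(f"{src}: {reason}")
```

The structural checks are deliberately conservative: they only reject frames that no conforming ISO-on-TCP peer would send, so they can run inline on a span port or firewall log without risking false positives on normal engineering traffic, while the allowlist check is the one that catches a hostile client sending otherwise well-formed packets.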
## References
- **Vendor Advisory:** hxxps[://]cert-portal[.]siemens[.]com/productcert/html/ssa-838121[.]html
- **Operational Guidelines:** hxxps[://]www[.]siemens[.]com/cert/operational-guidelines-industrial-security
- **Siemens Industrial Security:** hxxps[://]www[.]siemens[.]com/industrialsecurity