SCADA Vulnerabilities & Exposures (SVE)

CRITIFENCE® SCADA Vulnerabilities and Exposures Database (SVE)

[SVE-783607006] Siemens S7-300/400 PLC Vulnerabilities

Date:          2016-12-13
Type:          PLC
Platform:      Siemens
Author:        Zhu WenZhe
EDB-ID:        N/A
CVE-ID:        CVE-2016-9159, CVE-2016-9158
OSVDB-ID:      N/A
Download:      N/A
App:           N/A
SIS Signature:

Source

#
# Siemens S7-300/400 PLC Vulnerabilities
#


### OVERVIEW

Zhu WenZhe from Beijing Acorn Network Technology has identified password leak and denial-of-service vulnerabilities in Siemens' S7-300 and S7-400 programmable logic controllers. Siemens has released Security Advisory SSA-731239 with advice to mitigate these vulnerabilities.
These vulnerabilities could be exploited remotely.



### AFFECTED PRODUCTS

Siemens reports that the vulnerabilities affect the following versions of SIMATIC PLC family:
SIMATIC S7-300 CPU family: All versions.
SIMATIC S7-400 CPU family: All versions.



### IMPACT

Successful exploitation of these vulnerabilities could lead to a denial-of-service condition or result in credential disclosure.
Impact to individual organizations depends on many factors that are unique to each organization. NCCIC/ICS-CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.



### BACKGROUND

Siemens is a multinational company headquartered in Munich, Germany.
The affected products, SIMATIC S7-300 and S7-400 PLC family, have been designed for process control in industrial environments. According to Siemens, SIMATIC S7-300 and S7-400 PLCs are deployed across several sectors including Chemical, Energy, Food and Agriculture, and Water and Wastewater Systems. Siemens estimates that these products are used worldwide.



### VULNERABILITY CHARACTERIZATION

# VULNERABILITY OVERVIEW

INADEQUATE ENCRYPTION STRENGTH
An attacker with network access to Port 102/TCP (ISO-TSAP) could obtain credentials from the PLC if Protection-level 2 is configured on the affected devices. This vulnerability affects all listed affected products.
CVE-2016-9159 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated with a CVSS vector string of: (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

PROTECTION MECHANISM FAILURE
Specially crafted packets sent to Port 80/TCP could cause the affected devices to go into defect mode. A cold restart is required to recover the system. This vulnerability affects all SIMATIC S7-300 PN CPUs, and all SIMATIC S7-400 PN V6 and V7 CPUs.
CVE-2016-9158 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated with a CVSS vector string of: (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)




### VULNERABILITY DETAILS

# EXPLOITABILITY

These vulnerabilities could be exploited remotely.



# EXISTENCE OF EXPLOIT

No known public exploits specifically target these vulnerabilities.



# DIFFICULTY

An attacker with a low skill level would be able to exploit these vulnerabilities.



### MITIGATION

Siemens recommends the following mitigations:
Deactivate the web server.
Apply Protection-level 3 read/write protection.
Apply cell protection concept.
Apply defense-in-depth strategies.
Use VPN for protecting network communication between cells.
Siemens strongly recommends that users protect network access with appropriate mechanisms (e.g., firewalls, segmentation, VPN).
Siemens also advises that users configure the operational environment according to Siemens' Operational Guidelines for Industrial Security:
https://www.siemens.com/cert/operational-guidelines-industrial-security
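Both attack surfaces in this advisory are plain TCP ports on the PLC (102/TCP for ISO-TSAP, 80/TCP for the web server), so the first thing a practitioner will want to know is which PLCs are actually reachable on those ports, and from where. The script below is an added example written for this page; it is not Siemens' or ICS-CERT's code. It audits firewall flow records and reports every allowed TCP connection to a PLC on 102/TCP that did not come from a known engineering station (the CVE-2016-9159 surface), and every allowed connection to a PLC on 80/TCP (the web server that SSA-731239 says to deactivate). The record format, the cell addresses, the PLC list and the engineering-station allow-list are all constructed assumptions; adapt the parser to your own firewall or NetFlow export.

```python
"""Exposure audit for the two ports named in SSA-731239.

Added example, not Siemens' or ICS-CERT's code. Flow records, addresses and the
engineering-station allow-list below are constructed for this example.
"""
from ipaddress import ip_address, ip_network

ISO_TSAP = 102   # S7 communication (ISO-TSAP over TCP), CVE-2016-9159 surface
HTTP = 80        # PLC integrated web server, CVE-2016-9158 surface

# Assumed (hypothetical) cell layout
PLC_CELL = ip_network("192.168.10.0/24")
PLCS = {ip_address("192.168.10.21"), ip_address("192.168.10.22")}
ENGINEERING_STATIONS = {ip_address("192.168.10.5")}  # the only hosts allowed to use 102/TCP

# Constructed sample records: "<ts> <proto> <src>:<sport> -> <dst>:<dport> <action>"
SAMPLE_FLOWS = """\
2016-12-13T08:01:02Z TCP 192.168.10.5:49152 -> 192.168.10.21:102 ALLOW
2016-12-13T08:01:05Z TCP 10.20.30.40:51000 -> 192.168.10.21:102 ALLOW
2016-12-13T08:02:10Z TCP 10.20.30.41:51001 -> 192.168.10.22:80 ALLOW
2016-12-13T08:02:11Z TCP 10.20.30.41:51002 -> 192.168.10.22:102 DENY
2016-12-13T08:03:00Z UDP 192.168.10.7:34000 -> 192.168.10.21:161 ALLOW
2016-12-13T08:04:00Z TCP 192.168.10.9:40000 -> 192.168.10.22:80 ALLOW
"""


def parse_flow(line):
    """Parse one record in the constructed format; return None for anything else."""
    parts = line.split()
    if len(parts) != 6 or parts[3] != "->":
        return None
    ts, proto, src, _, dst, action = parts
    try:
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        return {
            "ts": ts, "proto": proto.upper(),
            "src": ip_address(src_ip), "sport": int(src_port),
            "dst": ip_address(dst_ip), "dport": int(dst_port),
            "action": action.upper(),
        }
    except ValueError:
        return None


def classify(flow):
    """Return a finding dict for an allowed TCP flow to a PLC on 102 or 80, else None."""
    if flow is None or flow["proto"] != "TCP" or flow["action"] != "ALLOW":
        return None          # blocked, non-TCP or unparseable traffic is not an exposure
    if flow["dst"] not in PLCS:
        return None
    finding = {"src": flow["src"], "dst": flow["dst"], "port": flow["dport"]}
    if flow["dport"] == ISO_TSAP and flow["src"] not in ENGINEERING_STATIONS:
        where = "inside the cell" if flow["src"] in PLC_CELL else "outside the cell"
        finding["reason"] = (f"ISO-TSAP allowed from {where} by a non-engineering host; "
                             "credential exposure if Protection-level 2 is configured")
        return finding
    if flow["dport"] == HTTP:
        finding["reason"] = "PLC web server reachable; SSA-731239 advises deactivating it"
        return finding
    return None


def audit(flow_text):
    """Run the check over a block of records and return the findings in record order."""
    findings = []
    for line in flow_text.splitlines():
        finding = classify(parse_flow(line))
        if finding is not None:
            findings.append(finding)
    return findings


def summarize(findings):
    """Map each exposed PLC (as a string) to the sorted list of exposed ports."""
    ports = {}
    for f in findings:
        ports.setdefault(str(f["dst"]), set()).add(f["port"])
    return {plc: sorted(p) for plc, p in ports.items()}


if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f['src']} -> {f['dst']}:{f['port']}/TCP  {f['reason']}")
    print(summarize(audit(SAMPLE_FLOWS)))
```

On the constructed sample the engineering station's 102/TCP session and the firewall DENY are correctly ignored, while the two connections from 10.20.30.0/24 show a segmentation gap between cells and the in-cell host on 80/TCP shows that the web server is still enabled. Any 102/TCP finding from a host you do not recognise as an engineering station is the one to chase first, since applying Protection-level 3 changes what an attacker can do with the connection but does not remove the reachability itself.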


For more information on this vulnerability and more detailed mitigation instructions, please see Siemens Security Advisory SSA-731239 at the following location:
http://www.siemens.com/cert/advisories