Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

ICS/OT

New Vulnerabilities Can Allow Hackers to Remotely Crash Siemens PLCs

Siemens this week announced the availability of patches and mitigations for a series of severe vulnerabilities that can be exploited to remotely crash some of the company’s SIMATIC products.

Siemens this week announced the availability of patches and mitigations for a series of severe vulnerabilities that can be exploited to remotely crash some of the company’s SIMATIC products.

The German industrial giant released nine advisories on Tuesday to address a total of 27 vulnerabilities. One of these advisories describes three high-severity flaws that can be exploited by a remote, unauthenticated attacker to launch denial-of-service (DoS) attacks against some Siemens programmable logic controllers (PLCs) and associated products.

Siemens PLC vulnerabilitiesThe security holes are tracked as CVE-2021-37185, CVE-2021-37204 and CVE-2021-37205, and they can be exploited by sending specially crafted packets over TCP port 102 to the targeted device. If a vulnerability has been exploited successfully, the device needs to be restarted in order to restore normal operations.

In a real world industrial environment, crashing a PLC can have a serious impact and cause significant disruption.

Siemens says the flaws impact SIMATIC S7-1200 and S7-1500 PLCs, SIMATIC Drive Controller, ET 200SP Open Controller, S7-1500 Software Controller, SIMATIC S7-PLCSIM Advanced, the TIM 1531 IRC communication module, as well as SIPLUS extreme products.

Independent ICS security researcher Gao Jian, who has been credited by Siemens for reporting the vulnerabilities, told SecurityWeek that these are just some of the eight vulnerabilities that he has reported to the vendor. The remaining issues are under investigation. The researcher started reporting his findings to Siemens in early August 2021.

Jian explained in an advisory that the vulnerabilities, which he has dubbed S7+:Crash, are related to the OMS+ communication protocol stack used by Siemens products.

Learn more about vulnerabilities in industrial systems at SecurityWeek’s ICS Cyber Security Conference

Siemens PLCs can be protected against unauthorized operations by enabling an access level option and setting a password. However, the researcher says the attack methods he has identified work even if the “complete protection” option is selected.

Advertisement. Scroll to continue reading.

Moreover, Jian says, the flaws can be exploited even if a recently introduced feature designed to secure communications between PLCs and PCs or HMIs is enabled.

The “S7+:Crash” vulnerabilities can be exploited by a threat actor who has access to the targeted device on TCP port 102. Exploitation directly from the internet may also be possible if the PLC is exposed due to a misconfiguration.

“Note that even the SIMATIC products enabled with access protection and secure communication (TLS encryption) cannot mitigate these vulnerabilities, and there is no firewall capable of parsing the S7CommPlus_TLS protocol, making it very difficult to prevent such attacks,” Jian explained.

The researcher has published a video showing his exploit in action.

Related: Newly Disclosed Vulnerability Allows Remote Hacking of Siemens PLCs

Related: Siemens Releases Several Advisories for ‘NAME:WRECK’ Vulnerabilities

Related: Siemens Addresses Code Execution Vulnerabilities Found in Popular CAD Library

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.