Detections
Analytics
Siemens SIMATIC S7-1200 and S7-1500 CPU Families Improper Restriction of Operations Within the Bounds of a Memory Buffer (CVE-2020-15782)
critical Tenable OT Security Plugin ID 500484
Synopsis
The remote OT asset is affected by a vulnerability.Description
A vulnerability has been identified in SIMATIC Drive Controller family (All versions < V2.9.2), SIMATIC ET 200SP Open Controller CPU 1515SP PC (incl. SIPLUS variants) (All versions), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl.SIPLUS variants) (All versions < V21.9), SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All versions < V4.5.0), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions < V2.9.2), SIMATIC S7-1500 Software Controller (All versions < V21.9), SIMATIC S7-PLCSIM Advanced (All versions < V4.0), SINAMICS PERFECT HARMONY GH180 Drives (Drives manufactured before 2021-08-13), SINUMERIK MC (All versions < V6.15), SINUMERIK ONE (All versions < V6.15). Affected devices are vulnerable to a memory protection bypass through a specific operation. A remote unauthenticated attacker with network access to port 102/tcp could potentially write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.
Solution
The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet available.
- SIMATIC ET 200SP Open Controller CPU 1515SP PC2: Update to v21.9 or later version
- SIMATIC S7-1500 Software Controller: Update to v21.9 or later version
- SIMATIC Drive Controller family: Update to v2.9.2 or later version
- SIMATIC S7-1200 CPU family (incl. SIPLUS variants): Update to v4.5.0 or later version
- SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants): Update to v2.9.2 or later version
- SIMATIC S7-PLCSIM Advanced: Update to v4.0 or later version
Siemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:
- Apply password protection for S7 communication.
- Disallow client connections via the ENDIS_PW instruction of the S7-1200 or S7-1500 CPU (This blocks remote client connections, even when the client can provide the correct password).
- Use the display to configure additional access protection of the S7-1500 CPU (This blocks remote client connections, even when the client can provide the correct password).
- Apply “defense in depth” as outlined on pages 12ff of the operational guidelines for industrial security, especially:
- Plant security: Ensure physical prevention of access to critical components.
- Network security: Ensure PLC systems are not connected to untrusted networks.
- System integrity: Configure, maintain, and protect devices by applying applicable compensating controls and using built-in security capabilities.
- Update the entire solution to TIA Portal v17 and use TLS communication using individual certificates between PLC, HMIs, and PG/PC
For more information about this vulnerability and the associated mitigations, please see SSA-434534
See Also
https://cert-portal.siemens.com/productcert/pdf/ssa-434534.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-434536.pdf
https://www.cisa.gov/news-events/ics-advisories/icsa-21-152-01
https://cert-portal.siemens.com/productcert/pdf/ssa-434535.pdf
Plugin Details
Severity: Critical
ID: 500484
Version: 1.10
Type: remote
Family: Tenable.ot
Published: 2/7/2022
Updated: 10/17/2024
Supported Sensors: Tenable OT Security
Risk Information
VPR
Risk Factor: Medium
Score: 5.9
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 5.5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2020-15782
CVSS v3
Risk Factor: Critical
Base Score: 9.8
Temporal Score: 8.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: cpe:/o:siemens:simatic_et_200sp_open_controller_cpu_1515sp_pc, cpe:/o:siemens:simatic_s7-1500_cpu_series_firmware, cpe:/o:siemens:simatic_s7-1200_cpu_series_firmware, cpe:/o:siemens:simatic_et_200sp_open_controller_cpu_1515sp_pc2
Required KB Items: Tenable.ot/Siemens
Exploit Ease: No known exploits are available
Patch Publication Date: 5/28/2021
Vulnerability Publication Date: 5/28/2021
Reference Information
CVE: CVE-2020-15782
CWE: 119
ICSA: 21-152-01