Positive Technologies discovers dangerous vulnerabilities in Siemens PLCs

Attackers could exploit vulnerabilities to disrupt industrial control systems

Security issues have been identified in the CPU of Siemens Simatic S7-1500 programmable logic controllers (PLCs). These devices automate control of equipment used in industries including automotive production, food and beverage manufacture, and the chemical industry.

The vulnerabilities were discovered by Positive Technologies experts Georgy Zaytsev, Dmitry Sklyarov, Evgeny Druzhinin, Ilya Karpov, and Maxim Goryachy. Both of the vulnerabilities (CVE-2018-16558 and CVE-2018-16559) received a CVSSv3.0 score of 7.5.

Paolo Emiliani, Industry and SCADA Research Analyst at Positive Technologies, explained: "With these vulnerabilities, an unauthenticated attacker could perform denial of service against a PLC and severely impact industrial processes. This is possible by sending a specially crafted network packet to TCP ports 80 or 443 of vulnerable CPUs. To restore PLC functioning, owners must manually switch the device to normal operating mode. Crucially, successful exploitation does not require system privileges or user interaction, which makes the overall risk and exposure higher."

Siemens has released a security advisory with relevant recommendations. For Simatic S7-1500 versions 2.0 prior to 2.5, owners should update firmware to version 2.5 or later. Owners of version 1.8.5 or earlier should follow the same advice or, if updates cannot be installed due to hardware restrictions, protect network access to TCP ports 80 and 443 of affected devices.
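One way to apply the second recommendation, added here as an example and not code from Siemens or Positive Technologies: a POSIX shell function that emits an nftables ruleset for a gateway sitting between the engineering network and the PLC segment, permitting TCP 80/443 to the listed controllers only from the engineering subnet and logging and dropping every other attempt. The table and set names, the gateway placement and all addresses are assumptions.

```shell
#!/bin/sh
# Emit (not apply) an nftables ruleset that restricts access to TCP 80/443
# on a set of S7-1500 PLCs to one engineering-workstation network.
# Other traffic to the PLCs (e.g. TCP 102) is left to the existing policy.
# Table/set names and any addresses passed in are illustrative assumptions.
gen_plc_web_rules() {
    if [ "$#" -lt 2 ]; then
        echo "usage: gen_plc_web_rules <engineering-cidr> <plc-ip>..." >&2
        return 1
    fi
    eng_net="$1"; shift
    # Build "a, b, c" for the nft set from the remaining arguments.
    plc_set=$(printf '%s, ' "$@"); plc_set=${plc_set%, }
    cat <<EOF
table inet plc_guard {
    set s7_plcs {
        type ipv4_addr
        elements = { $plc_set }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Engineering stations may still reach the PLC web server.
        ip saddr $eng_net ip daddr @s7_plcs tcp dport { 80, 443 } accept
        # Everyone else is logged for the SOC and dropped.
        ip daddr @s7_plcs tcp dport { 80, 443 } log prefix "s7-web-blocked: " drop
    }
}
EOF
}

# Constructed example addresses; pipe into `nft -f -` on the gateway to load.
# gen_plc_web_rules 10.0.1.0/24 10.0.2.10 10.0.2.11 | nft -f -
```

Dropped packets show up in the kernel log with the `s7-web-blocked:` prefix, which gives a simple detection hook for unexpected sources probing the PLC web ports.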

To identify cyber incidents and detect ICS vulnerabilities, Positive Technologies offers PT ISIM and MaxPatrol 8 for the specific needs of industrial protocols.