Critical denial of service (DoS) vulnerabilities affecting Siemens industrial PLC devices used in thousands of industrial plants

In its latest security alert, Siemens announced the release of patches to address multiple critical vulnerabilities whose exploitation would allow some models of programmable logic controllers (PLC) to be remotely blocked.

The company fixed a total of 27 vulnerabilities, three of which could be exploited by unauthenticated remote threat actors for the deployment of denial of service (DoS) attacks against some SIMATIC family products.

The three most severe faults were identified as CVE-2021-37185, CVE-2021-37204 and CVE-2021-37205 and could be exploited by sending specially crafted packets over TCP port 102 to the affected device. The successful attack would force the interruption of services, which could only be corrected with the restart of PLC devices.

Siemens reports that faults reside in the SIMATIC S7-1200 and S7-1500 PLC products, SIMATIC Drive Controller, ET 200SP Open Controller, S7-1500 Software Controller, SIMATIC S7-PLCSIM Advanced, TIM 1531 IRC communication module and SIPLUS extreme products.

Gao Jian, a security researcher who submitted the report to Siemens, mentions that these are just some of the eight vulnerabilities he has recently reported to the company. The remaining problems continue to be investigated.

Jian explained that the vulnerabilities are related to the OMS+ communication protocol stack used by Siemens products. Siemens PLC products can be protected against unauthorized operations by enabling an access level option and setting a password, although the attack works even if these protections are enabled.

That is why faults can be exploited even with the best protections available for PLC systems: “These flaws can be exploited by malicious hackers with access to the target device on TCP port 102. Exploitation directly from the Internet may also be possible if the PLC is exposed online,” explains the researcher.

A full report is available on Siemens’ official platforms. Administrators of affected deployments should update as soon as possible to prevent exploitation risk.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.