-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# SSA-492828: Denial-of-Service Vulnerability in SIMATIC S7-300 CPUs and SINUMERIK
Controller

Publication Date:        2020-11-10
Last Update:             2020-11-10
Current Version:         1.0
CVSS v3.1 Base Score:    5.9

SUMMARY
=======

A vulnerability in S7-300 might allow an attacker to cause a
Denial-of-Service condition on port 102 of the affected devices by
sending specially crafted packets.

Siemens is preparing updates and recommends specific countermeasures
until fixes are available.


AFFECTED PRODUCTS AND SOLUTION
==============================


* SIMATIC S7-300 CPU family (incl. related ET200 CPUs and SIPLUS variants) 
  - Affected versions:
       All versions
  - Remediation:
        See recommendations from section Workarounds and Mitigations

* SINUMERIK 840D sl 
  - Affected versions:
       All versions
  - Remediation:
        See recommendations from section Workarounds and Mitigations


WORKAROUNDS AND MITIGATIONS
===========================

Siemens has identified the following specific workarounds and mitigations that
customers can apply to reduce the risk:

* Protect network access to port 102/tcp of affected devices.
  


GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, Siemens strongly recommends to protect
network access to devices with appropriate mechanisms. In order to
operate the devices in a protected IT environment, Siemens recommends to
configure the environment according to Siemens' operational guidelines
for Industrial Security (Download:
https://www.siemens.com/cert/operational-guidelines-industrial-security),
and to follow the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found
at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION
===================

Products of the Siemens SIMATIC S7-300 CPU family have been designed for
discrete and continuous control in industrial environments such as
manufacturing, food and beverages, and chemical industries worldwide.

SIPLUS extreme products are designed for reliable operation under
extreme conditions and are based on SIMATIC, LOGO!, SITOP, SINAMICS,
SIMOTION, SCALANCE or other devices. SIPLUS devices use the same
firmware as the product they are based on.

SINUMERIK CNC offers automation solutions for the shop floor, job shops
and large serial production environments.

VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring
system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS 
environmental score is specific to the customer's environment and will impact
the overall CVSS score. The environmental score should therefore be 
individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a
community-developed list of common software security weaknesses. This serves as
a common language and as a baseline for weakness identification, mitigation,
and prevention efforts. A detailed list of CWE classes can be found at:
https://cwe.mitre.org/.



* Vulnerability CVE-2020-15783

  Sending multiple specially crafted packets to the affected devices could
  cause a Denial-of-Service on port 102. A cold restart is required to
  recover the service.

  CVSS v3.1 Base Score: 5.9
  CVSS Vector:          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:U/RC:C
  CWE:                  CWE-400: Uncontrolled Resource Consumption


ACKNOWLEDGMENTS
===============

Siemens thanks the following parties for their efforts:

   * WangFangLi from Beijing Winicssec Technology CO., Ltd for coordinated disclosure.



ADDITIONAL INFORMATION
======================

For further inquiries on security vulnerabilities in Siemens products and 
solutions, please contact the Siemens ProductCERT:

https://www.siemens.com/cert/advisories


HISTORY DATA
============

V1.0 (2020-11-10): Publication Date

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained
in Siemens' underlying license terms or other applicable agreements previously
agreed to with Siemens (hereinafter "License Terms"). To the extent applicable
to information, software or documentation made available in or through a
Siemens Security Advisory, the Terms of Use of Siemens' Global Website
(https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in
particular Sections 8-10 of the Terms of Use, shall apply additionally. In case
of conflicts, the License Terms shall prevail over the Terms of Use.
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEElTRCLAVwzKf/b8X80/SB6hFKr+QFAl+p2AAACgkQ0/SB6hFK
r+RgFhAAvkECRU9eFep+Geli5HnVgL9WrAa693BfrtGkWnBOOOizDODcrrvpmIxd
zFdUg9FUtqR3j4USKjsDdAQZJ1jCbWa1AxtNRtZ/hl9jEjTplyqHHqw6nz6OWURT
AL7N+ie7DzehEhdL/3ABH3p6LGE6W2LTW6rD3xiiPRlmW/08jgtPyIXr5IcpCFY4
OoB16MqN9d14K1HLkUZP0gh2pkerLAfyrv0RbgJn8eaPjT2YwkEjv7ynjAHP0Fpa
54023dcca9qHjh5EvONguvBkaZEH4MlSTMNaGER3lFkTarGuh7Pakc1fJRYXjKrk
oXIIM9PktTkM/Fm4JOCg3Kv1fvZlmIW/AgaeHITldnd8gOUdmdAF+sWT1wX/2q1Q
lcN3tCAQfW0qoQBATs4akfGkh576RgaDw7RJB8HhLuinSosiycdxUisQYByZVwph
e7fkUbCEfjUEQDJpSpqryAEe9irdDyD1N/7x8EJddnQHzYw3pZkkfIzwcjwhYJHl
P6muHrBeQXG4cGtc9hWyq1h1zexd1PhMZi0cIiGQ35OY2kKKawoMRkiW3NvbIoJB
DicWGjMJxKxX9EGzPHuew1cc11vLpeGwepD8I36xKTOCUsojHVX5AXb5l6T14DKg
HSrZ75nuM1idahxQhwPi1n9eDPMnhnCRmhYn2LdXEp3VraOHh74=
=rizQ
-----END PGP SIGNATURE-----