Siemens S7-300_S7-400 Hardcoded Credentials (Update B)
Description
This July 23 alert describes a vulnerability affecting the Siemens S7-300 and S7-400 PLCs.
SUMMARY
On July 23, 2011, an independent security researcher publicly announced a vulnerability affecting the Siemens S7-300 and S7-400 PLCs. The researcher claims that he was able to achieve a command shell using credentials he was able to acquire from the PLC. This claim has not yet been verified by ICS-CERT or Siemens.
--------- Begin Update B Part 1 of 2 --------
On August 2, 2011, an independent researcher publicly revealed hardcoded credentials (user name and password) embedded in older versions of Siemens S7-300 PLCs.
--------- End Update B Part 1 of 2 ----------
Siemens has determined that the ability to access internal diagnostic functions does not affect the S7-400 PLCs.
Siemens has confirmed that the reported vulnerability does affect certain S7-300 PLCs. The ability to access internal diagnostic functions is present in older versions of the firmware. This includes S7-300 PLCs with integrated Profinet interface shipped before October 2009, and IM15x Profinet PLCs shipped before September 2010.
--------- Begin Update B Part 2 of 2 --------
ICS-CERT has also confirmed that the reported vulnerability affects certain S7-300 PLCs and does not affect the S7-400 PLCs.
--------- End Update B Part 2 of 2 ----------
Mitigations
MITIGATION
Affected CPUs and firmware versions are listed in the table below.
PLC Name | Affected Version | Fixed In | Date Fixed |
CPU315(including F)-2PN/DP | V2.6 and previous | V3.1 | 10/2009 |
CPU317(including F)-2PN/DP | V2.6 and previous | V3.1 | 10/2009 |
CPU319(including F)-3PN/DP | V2.7 and previous | V2.8 | 06/2009 |
IM151-8(including F) PN/DP CPU | V2.7 | V3.2 | 08/2010 |
IM154-8 PN/DP CPU | V2.5 | V3.2 | 08/2010 |
S7-400 – All Models | Not Affected |
Owners/operators utilizing these affected devices should contact Siemens Service and Support for further assistance.
Further information can be found on the Siemens Service and Support website at the following URL: http://support.automation.siemens.com/WW/view/en/51810333.
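An inventory triage against the table above, as an added example that is not part of the ICS-CERT alert or of Siemens material. The asset names and firmware strings are constructed, the placement of the F suffix in model names is an assumption, and a version the table lists neither as affected nor as fixed is reported as "verify with vendor" rather than guessed.

```python
import re

# Rows transcribed from the advisory table:
# (model regex, affected major.minor, "and previous" applies, fixed-in major.minor)
# Assumption: "(including F)" denotes the fail-safe variant, written here as
# e.g. "CPU 315F-2 PN/DP". "I?M" accepts both the IM154-8 and M154-8 spellings.
ADVISORY = [
    (r"CPU\s*315F?-2\s*PN/DP",      (2, 6), True,  (3, 1)),
    (r"CPU\s*317F?-2\s*PN/DP",      (2, 6), True,  (3, 1)),
    (r"CPU\s*319F?-3\s*PN/DP",      (2, 7), True,  (2, 8)),
    (r"IM\s*151-8F?\s*PN/DP\s*CPU", (2, 7), False, (3, 2)),
    (r"I?M\s*154-8\s*PN/DP\s*CPU",  (2, 5), False, (3, 2)),
]

def classify(family, model, firmware):
    """Return: not affected, fixed, affected, verify with vendor,
    not listed, or unknown firmware."""
    if family.strip().upper() == "S7-400":
        return "not affected"            # advisory: S7-400, all models
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)(?:\.\d+)*", firmware.strip())
    if not m:
        return "unknown firmware"
    ver = (int(m[1]), int(m[2]))         # compare on major.minor only
    for pattern, affected, and_previous, fixed in ADVISORY:
        if re.fullmatch(pattern, model.strip(), re.IGNORECASE):
            if ver >= fixed:
                return "fixed"
            if ver == affected or (and_previous and ver < affected):
                return "affected"
            # Neither listed as affected nor at the fixed release.
            return "verify with vendor"
    return "not listed"                  # model does not appear in the table

# Constructed sample inventory: (asset name, family, model, firmware).
# Family is only used to recognise S7-400; other values are free-form.
INVENTORY = [
    ("press-line-1", "S7-300", "CPU 315-2 PN/DP",   "V2.6.7"),
    ("press-line-2", "S7-300", "CPU 317F-2 PN/DP",  "V3.1.0"),
    ("mixer-3",      "S7-300", "CPU 319-3 PN/DP",   "V2.7"),
    ("remote-io-4",  "S7-300", "IM151-8 PN/DP CPU", "V3.1"),
    ("boiler-5",     "S7-400", "CPU 416-3",         "V5.2"),
    ("legacy-6",     "S7-300", "CPU 314C-2 DP",     "V2.0"),
]

def triage(inventory):
    return {name: classify(fam, model, fw) for name, fam, model, fw in inventory}

if __name__ == "__main__":
    for name, status in triage(INVENTORY).items():
        print(f"{name:14} {status}")
```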
The Control Systems Security Program (CSSP) also provides a recommended practices section for control systems on the CSSP web page. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
Siemens S7-300 and S7-400 PLCs are used in a wide variety of industrial applications worldwide.
Please report any issues affecting control systems in critical infrastructure environments to ICS-CERT.
FOLLOW-UP
ICS-CERT published a follow-up advisory titled ICSA-11-223-01 - Siemens SIMATIC PLCs Reported Issues Summary on the ICS-CERT Web page on August 21, 2011.
Vendor
- Siemens