
Password Protection Vulnerability in Siemens SIMATIC Controllers
(S7-200, S7-300, S7-400, S7-1200)

July 5, 2011

Security researcher Dillon Beresford of NSS Labs reported multiple vulnerabilities affecting the Siemens SIMATIC S7-1200 micro PLC to ICS-CERT. They were first published in ICS-CERT Alert 11-161-01 and are tracked on SCADAhacker in this reference entry.

Commands between the affected PLCs and other devices are transmitted using the ISO Transport Service Access Point (ISO-TSAP) protocol, i.e. the ISO transport service carried over TCP port 102 as defined in RFC 1006. According to ICS-CERT analysis, ISO-TSAP itself is functioning to specification; the weakness is that no authentication is performed and payloads are neither encrypted nor obfuscated. Like ISO-TSAP, many protocols used in industrial control systems were intentionally designed to be open and without security features. The replay attack vulnerabilities found on the S7-1200 have also been verified to affect the SIMATIC S7-200, S7-300 and S7-400 PLCs. Because the password exchange itself travels in the clear and a recorded exchange is accepted again when resent, Siemens PLCs configured with password protection remain susceptible to replay: an attacker who captures one successful exchange can resend it without ever needing to decrypt or guess the password.

An attacker with access to the PLC or the automation network could capture the PLC password off the wire (or simply replay the captured exchange) and make unauthorized changes to the PLC's operation.
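The following is an added example that illustrates the property described above; it is not code from SCADAhacker, Siemens, NSS Labs or ICS-CERT, and the message layout is invented for illustration rather than the ISO-TSAP / S7 wire format. It models a controller whose only protection is a static password sent in the clear, shows that the password can be read straight out of a captured exchange and that the captured bytes are accepted again when resent, and then contrasts that with a constructed challenge-response scheme in which each session is bound to a fresh nonce, so the same replay fails. All names (`StaticPasswordPLC`, `ChallengeResponsePLC`, `CAPTURED_EXCHANGE`) and the sample capture are assumptions made for this example.

```python
"""Why a cleartext, static-password check is replayable, and what a
session-bound check changes.

Added example, not code from SCADAhacker, Siemens, NSS Labs or ICS-CERT.
Both 'PLCs' below are constructed in-memory models; the message layout is
invented for illustration and is NOT the ISO-TSAP / S7 wire format.
"""
import hashlib
import hmac
import os

# Constructed capture of one legitimate engineering-station message, as an
# attacker sniffing the automation network would record it: the password
# crosses the wire in the clear, followed by the command it authorises.
CAPTURED_EXCHANGE = b"AUTH:secret1;STOP"


def extract_password_from_capture(msg: bytes) -> bytes:
    """Intercepting the password needs no decryption: it is a plain field."""
    creds, _sep, _command = msg[len(b"AUTH:"):].partition(b";")
    return creds


class StaticPasswordPLC:
    """Models the weak scheme: a static password compared on every message,
    with nothing tying a message to the session it was first sent in."""

    def __init__(self, password: bytes):
        self.password = password
        self.run_state = "RUN"

    def handle(self, msg: bytes) -> bool:
        if not msg.startswith(b"AUTH:"):
            return False
        creds, _sep, command = msg[len(b"AUTH:"):].partition(b";")
        if not hmac.compare_digest(creds, self.password):
            return False
        if command == b"STOP":
            self.run_state = "STOP"
        elif command == b"START":
            self.run_state = "RUN"
        return True


class ChallengeResponsePLC:
    """Hardened model: the controller issues a fresh random nonce per session
    and the client must return HMAC(key, nonce || command). A recorded
    exchange carries a nonce that is consumed on first use and never valid
    again, so replaying it fails."""

    def __init__(self, key: bytes):
        self.key = key
        self.run_state = "RUN"
        self._outstanding = set()   # nonces issued but not yet consumed

    def challenge(self) -> bytes:
        nonce = os.urandom(16)
        self._outstanding.add(nonce)
        return nonce

    def handle(self, nonce: bytes, command: bytes, tag: bytes) -> bool:
        if nonce not in self._outstanding:
            return False            # unknown or already-used nonce: a replay
        expected = hmac.new(self.key, nonce + command, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False
        self._outstanding.discard(nonce)   # single use
        if command == b"STOP":
            self.run_state = "STOP"
        elif command == b"START":
            self.run_state = "RUN"
        return True


def respond(key: bytes, nonce: bytes, command: bytes) -> bytes:
    """Client side of the hardened scheme."""
    return hmac.new(key, nonce + command, hashlib.sha256).digest()


def replay_against_static_password() -> tuple:
    """Legitimate STOP then START, then the attacker resends the captured STOP."""
    plc = StaticPasswordPLC(b"secret1")
    assert plc.handle(CAPTURED_EXCHANGE)            # operator stops the PLC
    assert plc.handle(b"AUTH:secret1;START")        # operator starts it again
    accepted = plc.handle(CAPTURED_EXCHANGE)        # attacker replays, bit for bit
    return accepted, plc.run_state                  # -> (True, 'STOP')


def replay_against_challenge_response() -> tuple:
    """The same replay against the nonce-bound scheme."""
    key = os.urandom(32)
    plc = ChallengeResponsePLC(key)
    n1 = plc.challenge()
    stop_tag = respond(key, n1, b"STOP")
    assert plc.handle(n1, b"STOP", stop_tag)        # operator stops the PLC
    n2 = plc.challenge()
    assert plc.handle(n2, b"START", respond(key, n2, b"START"))
    accepted = plc.handle(n1, b"STOP", stop_tag)    # attacker replays the triple
    return accepted, plc.run_state                  # -> (False, 'RUN')


if __name__ == "__main__":
    print("password from capture:", extract_password_from_capture(CAPTURED_EXCHANGE))
    print("static password, replay accepted / state:", replay_against_static_password())
    print("challenge-response, replay accepted / state:", replay_against_challenge_response())
```

The nonce-bound variant only shows what property a protocol needs to stop replay of a recorded exchange; it does not protect a controller from an attacker who can reach it and obtain the key by other means. For fielded PLCs that cannot be changed, the practical control is to restrict which hosts can reach TCP port 102 on the controller at all.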

ICS-CERT Advisories / Alerts

ICS-ALERT-11-186-01
ICS-ALERT-11-161-01
ICSA-11-223-01A
ICSA-11-223-01

Vendor Website (including Patches / Hotfixes)

Siemens Security Advisory SSA-625789
Potential Password Security Weakness in SIMATIC Controllers
Siemens Industrial Security Homepage

Exploit Proof-of-Concept

No public exploit is available at this time.

Common Vulnerability & Exposure (CVE) References

Not available at this time.

Additional Information

Disclosure: Dillon Beresford (NSS Labs) via ICS-CERT
Secunia Advisory #45164
Dillon Beresford comments on SCADAsec List
SCADA Vulnerabilities in Industrial Control Systems (NSS Labs)

Siemens PLC Analysis Report (ISSSource)
Siemens PLC Vulnerability Update (ISSSource)
More Possible Siemens Vulnerabilities (ISSSource)

Dillon Beresford - Exploiting Siemens SIMATIC S7 PLCs (Black Hat 2011)