Pierluigi Paganini February 12, 2020

Siemens issued Patch Tuesday updates for February 2020 that fixed serious denial-of-service (DoS) flaws in several of its products.

Siemens released Patch Tuesday updates for February 2020 that address serious denial-of-service (DoS) flaws in several of its products.

According to the advisories released by the vendor, a high-severity DoS flaw affects Siemens SIMATIC PCS 7, SIMATIC WinCC and SIMATIC NET PC products.

“A Denial-of-Service vulnerability was found in SIMATIC PCS 7, SIMATIC WinCC and SIMATIC NET PC software when encrypted communication is enabled.” reads the security advisory published by Siemens. “The vulnerability could allow an attacker with network access to cause a Denial-of-Service condition under certain circumstances (versions prior to SIMATIC WinCC V7.3 or SIMATIC PCS 7 V8.1 are not affected as encrypted communication is not an option).”

The flaw could be exploited if encrypted communication is enabled by sending specially crafted messages to the vulnerable system over the network. An attacker could exploit the issue without system privileges or user interaction. The flaw, tracked with the ID SSA-270778 received a CVSS score of 7.5.

Siemens addressed another DoS vulnerability that affects some SIMATIC S7 CPUs. The vulnerability can be exploited by an unauthenticated attacker by sending specially crafted HTTP requests to TCP ports 80 or 443.

Siemens fixed a DoS flaw that resides in many of its products using Profinet-IO (PNIO) stack versions prior to 06.00.

Siemens fixed two of the flaws in several industrial products, both are related to the handling of SNMP messages.

Siemens also fixed an issue in its S7-1500 CPUs which can be exploited by sending specially crafted UDP packets to a device.

The complete list of DoS vulnerabilities addressed by the IT vendor is reported in the advisories published by the company.

Pierluigi Paganini

(SecurityAffairs – ICS, DoS)

[adrotate banner=”5″]

[adrotate banner=”13″]