CVE-2020-28397 in SIMATIC Drive Controller
Summary
by MITRE • 08/10/2021
A vulnerability has been identified in SIMATIC Drive Controller family (All versions < V2.9.2), SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions), SIMATIC S7 PLCSIM Advanced (All versions > V2 < V4), SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (Version V4.4), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and SIPLUS variants) (All versions > V2.5 < V2.9.2), SIMATIC S7-1500 Software Controller (All versions > V2.5), TIM 1531 IRC (incl. SIPLUS NET variants) (Version V2.1). Due to an incorrect authorization check in the affected component, an attacker could extract information about access protected PLC program variables over port 102/tcp from an affected device when reading multiple attributes at once.
Analysis
by VulDB Data Team • 08/15/2021
This vulnerability affects multiple Siemens industrial control products: the SIMATIC Drive Controller family, the ET 200SP Open Controller, the S7 PLCSIM Advanced simulator, the S7-1200 and S7-1500 CPU families (including the S7-1500 Software Controller), and the TIM 1531 IRC communication module, in each case including the SIPLUS variants. The core issue is an incorrect authorization check that lets a client read access-protected PLC program variables over the S7 communication channel, which runs over ISO-on-TCP (RFC 1006) on port 102/tcp. The flaw manifests only when several attributes are requested in a single read: the check that restricts protected variables to sufficiently privileged sessions is not applied to the whole batch, so a client that may read some attributes can obtain others it should not see. The result is an information disclosure; the advisory describes read access, not modification of process data, but in operational technology environments the values and structure of program variables are exactly what access protection exists to keep from unauthorized clients.
Technically, the weakness resides in the authorization check of the affected S7 communication component. When a client reads several attributes of a PLC program in one request, the device does not verify that the requesting session holds the required access level for every one of the requested variables, so protected values are returned alongside unprotected ones. The check is bypassed only in the multi-attribute read path; the advisory gives no indication that a single-attribute read is affected. The weakness is reachable over the network by any host that can open a connection to 102/tcp and does not require physical access, a valid password for the protected access level, or memory corruption; it is a logic flaw in an access decision. It is classified as CWE-285 (Improper Authorization).
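The following is an added illustration of the bug class described above, written for this page and not taken from SIMATIC firmware or any Siemens source. The variable names, protection levels and the specific mistake modelled (authorizing only the first attribute of a batch and serving the rest on the strength of that check) are hypothetical; what the real firmware did is not stated in the advisory. The example contrasts a batch read that skips the per-variable check with one that applies it to every requested attribute and fails closed:

```python
"""Model of the CWE-285 pattern in a multi-attribute read.

Added, hypothetical illustration of the bug class; not code from any
SIMATIC product. The single-attribute path authorizes correctly, the
vulnerable batch path does not.
"""
from dataclasses import dataclass

# Hypothetical access levels: a session must hold at least the
# variable's level to read it.
PUBLIC, PROTECTED = 0, 1


@dataclass(frozen=True)
class Variable:
    name: str
    value: int
    level: int  # minimum session level required to read this variable


@dataclass(frozen=True)
class Session:
    client: str
    level: int  # level the client authenticated to (PUBLIC = no password)


class VariableStore:
    def __init__(self, variables):
        self._vars = {v.name: v for v in variables}

    def _authorize(self, session, name):
        """Per-variable access decision; raises if the level is too low."""
        var = self._vars[name]
        if session.level < var.level:
            raise PermissionError(f"{session.client} may not read {name}")
        return var

    def read_one(self, session, name):
        """Single-attribute read: the check is applied to that variable."""
        return self._authorize(session, name).value


class VulnerableStore(VariableStore):
    def read_many(self, session, names):
        """Batch read that authorizes only the first attribute (hypothetical
        flaw): the remaining values are served without any check."""
        self._authorize(session, names[0])
        return {n: self._vars[n].value for n in names}


class HardenedStore(VariableStore):
    def read_many(self, session, names):
        """Batch read with the same per-variable check as read_one. The
        comprehension raises before anything is returned, so a single
        unauthorized attribute fails the whole request (fail closed)."""
        return {n: self._authorize(session, n).value for n in names}


# Constructed sample variables: one public, one access-protected.
VARIABLES = [
    Variable("Tank1_Level", 742, PUBLIC),
    Variable("Recipe_Setpoint", 55, PROTECTED),
]


def demo():
    """Read a public and a protected variable in one batch as an
    unauthenticated client against both stores."""
    guest = Session("hmi-readonly", PUBLIC)
    results = {}
    for store_cls in (VulnerableStore, HardenedStore):
        store = store_cls(VARIABLES)
        try:
            results[store_cls.__name__] = store.read_many(
                guest, ["Tank1_Level", "Recipe_Setpoint"])
        except PermissionError as exc:
            results[store_cls.__name__] = str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The point of the hardened variant is not the extra loop but where the decision sits: the same authorization function runs on every item of a batch, and the request is rejected before any value leaves the device. Any batch or "read multiple" API that caches or shortcuts that decision is a candidate for this class of flaw.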
The operational impact goes beyond the disclosed values themselves. Access-protected program variables reveal how a process is controlled: setpoints, recipe parameters, interlock states and the structure of the program that uses them. An attacker with read access to them can map the process, identify which variables matter and prepare a later, more targeted attack; the vulnerability itself provides neither credentials nor write access, but it removes the confidentiality the access protection was meant to provide. The affected list spans several product generations, standard and SIPLUS variants, physical CPUs, the software controller and the PLCSIM Advanced simulator, which indicates a widely deployed code base rather than a single product line. These PLC families are common in manufacturing, energy and process industries, so exposure is broad wherever 102/tcp is reachable from outside the control cell.
Mitigation starts with the vendor fixes: V2.9.2 or later for the SIMATIC Drive Controller family and the S7-1500 CPU family (including the related ET 200 CPUs and SIPLUS variants), and V4 or later for S7 PLCSIM Advanced. For the products the summary lists with "All versions" affected, or with a single affected version and no fixed version (ET 200SP Open Controller CPU 1515SP PC2, S7-1500 Software Controller, S7-1200 V4.4, TIM 1531 IRC V2.1), no update was available at the time of the summary and compensating controls are the only option. Note that raising the CPU's access protection level does not help on its own, because the flaw is precisely that protected variables are returned despite that level. The effective compensating control is network access control: restrict 102/tcp on each controller to the engineering workstations, HMIs and SCADA servers that legitimately use S7 communication, enforced by a cell firewall or equivalent, and keep the controllers out of reach of office IT and the internet. On the detection side, monitor 102/tcp connections to PLCs and alert on sources outside that allow-list and on unusual bursts of sessions or read requests from otherwise permitted hosts. Disabling unneeded services on the controllers reduces the remaining attack surface, and an assessment of which hosts can actually reach 102/tcp is worthwhile in environments that integrate several of the listed Siemens products. The case illustrates why both current firmware and enforced network segmentation are needed in operational technology environments: the segmentation is what protects the products for which no fix exists.
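To make the monitoring recommendation concrete, here is an added detection example, not part of the original analysis or of any Siemens or VulDB tooling. It runs an allow-list check over flow records in a Zeek conn.log-like, tab-separated layout (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto) and flags 102/tcp sessions to a PLC from hosts that are not permitted to talk to it, as well as session bursts from permitted hosts. The PLC addresses, permitted engineering hosts, threshold and the sample records are all constructed for the example:

```python
"""Allow-list detection for ISO-on-TCP (102/tcp) access to PLCs.

Added example over constructed flow records in a Zeek conn.log-like
tab-separated layout; not part of the original analysis.
"""
from collections import Counter
from dataclasses import dataclass

ISO_TSAP_PORT = 102  # ISO-on-TCP (RFC 1006), carries S7 communication

# Hypothetical inventory: each PLC and the engineering/HMI hosts permitted
# to open S7 sessions to it. In practice this comes from the asset inventory.
ALLOWED_CLIENTS = {
    "10.10.1.20": {"10.10.0.5", "10.10.0.6"},  # S7-1500 CPU, line 1
    "10.10.1.21": {"10.10.0.5"},               # S7-1200 CPU, line 2
}
# More 102/tcp sessions than this per source/destination pair within the
# analysed window is treated as suspicious even from a permitted host.
SESSION_THRESHOLD = 20


@dataclass(frozen=True)
class Flow:
    ts: float
    orig_h: str
    orig_p: int
    resp_h: str
    resp_p: int
    proto: str


def parse_conn_lines(lines):
    """Parse tab-separated records: ts, uid, orig_h, orig_p, resp_h, resp_p, proto.
    Comment/header lines starting with '#' and blank lines are skipped."""
    flows = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        f = line.rstrip("\n").split("\t")
        flows.append(Flow(float(f[0]), f[2], int(f[3]), f[4], int(f[5]), f[6]))
    return flows


def find_suspicious_s7_access(flows):
    """Return (reason, source, plc) tuples for 102/tcp sessions that are
    not covered by the allow-list or exceed the session threshold."""
    findings = []
    pairs = Counter()
    for fl in flows:
        if fl.proto != "tcp" or fl.resp_p != ISO_TSAP_PORT:
            continue  # not S7 communication
        if fl.resp_h not in ALLOWED_CLIENTS:
            # S7 traffic to a host we do not know as a PLC: inventory gap
            findings.append(("unknown_plc", fl.orig_h, fl.resp_h))
            continue
        if fl.orig_h not in ALLOWED_CLIENTS[fl.resp_h]:
            findings.append(("unauthorized_source", fl.orig_h, fl.resp_h))
            continue
        pairs[(fl.orig_h, fl.resp_h)] += 1
    for (src, dst), n in pairs.items():
        if n > SESSION_THRESHOLD:
            findings.append(("session_burst", src, dst))
    return findings


# Constructed sample records (not captured traffic).
SAMPLE_LOG = [
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto",
    "1628000000.1\tC1\t10.10.0.5\t51000\t10.10.1.20\t102\ttcp",
    "1628000001.2\tC2\t10.10.0.6\t51001\t10.10.1.20\t102\ttcp",
    "1628000002.3\tC3\t10.10.0.6\t51002\t10.10.1.21\t102\ttcp",    # not permitted for line 2
    "1628000003.4\tC4\t192.168.77.9\t40000\t10.10.1.20\t102\ttcp",  # host outside the cell
    "1628000004.5\tC5\t10.10.0.5\t51003\t10.10.1.20\t80\ttcp",      # not S7, ignored
]

if __name__ == "__main__":
    for reason, src, plc in find_suspicious_s7_access(parse_conn_lines(SAMPLE_LOG)):
        print(f"{reason}: {src} -> {plc}:{ISO_TSAP_PORT}")
```

The allow-list check is the part that matters for this vulnerability: the flaw cannot be exercised by a host that cannot complete a TCP connection to 102/tcp, so an alert on an unexpected source is an alert on the precondition of the attack rather than on its payload. The burst rule is a weaker heuristic for permitted hosts and will need tuning against the normal polling pattern of each HMI.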