Siemens Industrial Products (Update A)

ID ICSA-17-339-01A
Type ics
Reporter Industrial Control Systems Cyber Emergency Response Team
Modified 2018-01-22T00:00:00


CVSS v3 7.5

ATTENTION: Remotely exploitable/low skill level to exploit.

Vendor: Siemens

Equipment: Industrial products

Vulnerability: Improper Input Validation


This updated advisory is a follow-up to the original advisory titled ICSA-17-339-01 Siemens Industrial Products that was published December 5, 2017, on the NCCIC/ICS-CERT web site.


--------- Begin Update A Part 1 of 2 --------

Siemens reports the vulnerability affects the following industrial products:

  • SIMATIC S7-200 Smart: All versions prior to V2.03.01,
  • SIMATIC S7-400 PN V6: All versions prior to V6.0.6,
  • SIMATIC S7-400 H V6: All versions prior to V6.0.8,
  • SIMATIC S7-400 PN/DP V7: All versions,
  • SIMATIC S7-410 V8: All versions,
  • SIMATIC S7-300: All versions,
  • SIMATIC S7-1200: All versions,
  • SIMATIC S7-1500: All versions prior to V2.0,
  • SIMATIC S7-1500 Software Controller: All versions prior to V2.0,
  • SIMATIC WinAC RTX 2010 incl. F: All versions,
  • SIMATIC ET 200 Interface modules for PROFINET IO:
    • SIMATIC ET 200AL: All versions,
    • SIMATIC ET 200ecoPN: All versions,
    • SIMATIC ET 200M: All versions,
    • SIMATIC ET 200MP: All versions,
    • SIMATIC ET 200pro: All versions,
    • SIMATIC ET 200S: All versions, and
    • SIMATIC ET 200SP: All versions.
  • Development/Evaluation Kits for PROFINET IO:
    • DK Standard Ethernet Controller: All versions,
    • EK-ERTEC 200P: All versions prior to V4.5, and
    • EK-ERTEC 200 PN IO: All versions.
  • SIMOTION Firmware:
    • SIMOTION D: All versions prior to V5.1 HF1,
    • SIMOTION C: All versions prior to V5.1 HF1, and
    • SIMOTION P: All versions prior to V5.1 HF1.
    • SINAMICS DCM: All versions,
    • SINAMICS DCP: All versions,
    • SINAMICS G110M / G120(C/P/D) w. PN: All versions prior to V4.7 SP9 HF1,
    • SINAMICS G130 and G150: All versions,
    • SINAMICS S110 w. PN: All versions,
    • SINAMICS S120: All versions,
    • SINAMICS S150:
    • V4.7: All versions, and
    • V4.8: All versions.
    • SINAMICS V90 w. PN: All versions.
  • SINUMERIK 840D sl: All versions,
  • SIMATIC Compact Field Unit: All versions,
  • SIMATIC PN/PN Coupler: All versions,
  • SIMOCODE pro V PROFINET: All versions, and
  • SIRIUS Soft starter 3RW44 PN: All versions.

--------- End Update A Part 1 of 2 --------


Successful exploitation of this vulnerability may allow a remote attacker to conduct a denial-of-service (DoS) attack.


--------- Begin Update A Part 2 of 2 --------

Siemens has provided firmware updates for the following products to fix the vulnerability:

  • SIMATIC S7-200 Smart: Update to V2.03.01:


  • SIMATIC S7-400 PN V6: Update to V6.0.6:


  • EK-ERTEC 200P: Update to V4.5:


  • SIMOTION D: Update to V5.1 HF1:


  • SIMOTION C: Update to V5.1 HF1:


  • SIMOTION P320-4: Update to V5.1 HF1:

Please contact a Siemens representative for information on how to obtain the update.

  • SINAMICS G110M / G120(C/P/D): Update to V4.7 SP9 HF1:


  • SIMATIC S7-1500: V2.0 and newer:


  • SIMATIC S7-1500 Software Controller: V2.0 and newer:


  • SIMATIC S7-400 H V6: Update V6.0.8:


--------- End Update A Part 2 of 2 --------

Siemens is preparing further updates and recommends the following mitigations until patches are available:

  • Disable SNMP if this is supported by the product (refer to the product documentation). Disabling SNMP fully mitigates the vulnerability
  • Protect network access to Port 161/UDP of affected devices
  • Apply cell protection concept
  • Use VPN for protecting network communication between cells
  • Apply Defense-in-Depth

Siemens recommends users configure the operational environment according to Siemens’ Operational Guidelines for Industrial Security:


For more information on the vulnerability and more detailed mitigation instructions, please see Siemens Security Advisory SSA-346262 at the following location:


NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of this vulnerability. ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.

Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.

No known public exploits specifically target this vulnerability.



Specially crafted packets sent to Port 161/UDP could cause a denial-of-service condition. The affected devices must be restarted manually.

CVE-2017-12741 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been assigned; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).


George Lashenko of CyberX reported the vulnerability to Siemens.


Critical Infrastructure Sectors: Commercial Facilities, Critical Manufacturing, Energy, Food and Agriculture, Water and Wastewater Systems

Countries/Areas Deployed: Worldwide

Company Headquarters Location: Germany