U.S. Flag Official website of the Department of Homeland Security
U.S. Department of Homeland Security Seal. ICS-CERT. Industrial Control Systems Cyber Emergency Response Team.
TLP:WHITE

Alert (ICS-ALERT-11-204-01B)

Siemens S7-300_S7-400 Hardcoded Credentials (Update B)

Original release date: August 03, 2011 | Last revised: January 23, 2014

Legal Notice

All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.



SUMMARY

On July 23, 2011, an independent security researcher publicly announced a vulnerability affecting the Siemens S7-300 and S7-400 PLCs. The researcher claims that he was able to achieve a command shell using credentials he was able to acquire from the PLC. This claim has not yet been verified by ICS-CERT or Siemens.

--------- Begin Update B Part 1 of 2 --------

On August 2, 2011, an independent researcher publicly revealed hardcoded credentials (user name and password) embedded in older versions of Siemens S7-300 PLCs.

--------- End Update B Part 1 of 2 ----------

Siemens has determined that the ability to access internal diagnostic functions does not affect the S7-400 PLCs.

Siemens has confirmed that the reported vulnerability does affect certain S7-300 PLCs. The ability to access internal diagnostic functions is present in older versions of the firmware. This includes S7-300 PLCs with integrated Profinet interface shipped before October 2009, and IM15x Profinet PLCs shipped
before September 2010.

--------- Begin Update B Part 2 of 2 --------

ICS-CERT has also confirmed that the reported vulnerability affects certain S7-300 PLCs and does not affect the S7-400 PLCs.

--------- End Update B Part 2 of 2 ----------

MITIGATION

Affected CPUs and firmware versions are listed in the table below.

PLC NameAffected VersionFixed InDate Fixed
CPU315(including F)-2PN/DPV2.6 and previousV3.110/2009
CPU317(including F)-2PN/DPV2.6 and previousV3.110/2009
CPU319(including F)-3PN/DPV2.7 and previousV2.806/2009
IM151-8(including F) PN/DP CPUV2.7V3.208/2010
M154-8 PN/DP CPUV2.5V3.208/2010
S7-400 – All ModelsNot Affected  

Owners/operators utilizing these affected devices should contact Siemens Service and Support for further
assistance.

Further information can be found on the Siemens Service and Support website at the following URL:  http://support.automation.siemens.com/WW/view/en/51810333.

The Control Systems Security Program (CSSP) also provides a recommended practices section for control systems on the CSSP web page. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.

Siemens S7-300 and S7-400 PLCs are used in a wide variety of industrial applications worldwide.

Please report any issues affecting control systems in critical infrastructure environments to ICS-CERT.

FOLLOW-UP

ICS-CERT published a follow-up advisory titled ICSA-11-223-01 - Siemens SIMATIC PLCs Reported Issues Summary on the ICS-CERT Web page on August 21, 2011.


Contact Information

For any questions related to this report, please contact the NCCIC at:

Email: NCCICCUSTOMERSERVICE@hq.dhs.gov
Toll Free: 1-888-282-0870

For industrial control systems cybersecurity information:  http://ics-cert.us-cert.gov 
or incident reporting:  https://ics-cert.us-cert.gov/Report-Incident?

The NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top