Siemens S7-300_S7-400 Hardcoded Credentials (Update B)
All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
On July 23, 2011, an independent security researcher publicly announced a vulnerability affecting the Siemens S7-300 and S7-400 PLCs. The researcher claims that he was able to achieve a command shell using credentials he was able to acquire from the PLC. This claim has not yet been verified by ICS-CERT or Siemens.
--------- Begin Update B Part 1 of 2 --------
On August 2, 2011, an independent researcher publicly revealed hardcoded credentials (user name and password) embedded in older versions of Siemens S7-300 PLCs.
--------- End Update B Part 1 of 2 ----------
Siemens has determined that the ability to access internal diagnostic functions does not affect the S7-400 PLCs.
Siemens has confirmed that the reported vulnerability does affect certain S7-300 PLCs. The ability to access internal diagnostic functions is present in older versions of the firmware. This includes S7-300 PLCs with integrated Profinet interface shipped before October 2009, and IM15x Profinet PLCs shipped
before September 2010.
--------- Begin Update B Part 2 of 2 --------
ICS-CERT has also confirmed that the reported vulnerability affects certain S7-300 PLCs and does not affect the S7-400 PLCs.
--------- End Update B Part 2 of 2 ----------
Affected CPUs and firmware versions are listed in the table below.
|PLC Name||Affected Version||Fixed In||Date Fixed|
|CPU315(including F)-2PN/DP||V2.6 and previous||V3.1||10/2009|
|CPU317(including F)-2PN/DP||V2.6 and previous||V3.1||10/2009|
|CPU319(including F)-3PN/DP||V2.7 and previous||V2.8||06/2009|
|IM151-8(including F) PN/DP CPU||V2.7||V3.2||08/2010|
|M154-8 PN/DP CPU||V2.5||V3.2||08/2010|
|S7-400 – All Models||Not Affected|
Owners/operators utilizing these affected devices should contact Siemens Service and Support for further
Further information can be found on the Siemens Service and Support website at the following URL: http://support.automation.siemens.com/WW/view/en/51810333.
The Control Systems Security Program (CSSP) also provides a recommended practices section for control systems on the CSSP web page. Several recommended practices are available for reading or download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
Siemens S7-300 and S7-400 PLCs are used in a wide variety of industrial applications worldwide.
Please report any issues affecting control systems in critical infrastructure environments to ICS-CERT.
ICS-CERT published a follow-up advisory titled ICSA-11-223-01 - Siemens SIMATIC PLCs Reported Issues Summary on the ICS-CERT Web page on August 21, 2011.
For any questions related to this report, please contact the NCCIC at:
Toll Free: 1-888-282-0870
The NCCIC continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.