Monday, July 20, 2020

[Siemens] SIMATIC S7-200; DOS via modbus injection ( CVE-2020-7584 )


In our laboratory we were able to identify and reproduce a vulnerability which enables the construction and delivery of Modbus protocol frames to the PLC, generating an absolute denial of service in the equipment.



AFFECTED PRODUCTS AND THE SOLUTION
Affected Product and VersionsRemediation
SIMATIC S7-200 SMART CPU family: Update to V2.5.1
All versions >= V2.2 < V2.5.1https://support.industry.siemens.com/cs/ww/en/view/109765009/
note: The S7-200 SMART series is a line of micro-programmable logic controllers that can control a variety of small automation applications.


EXPLOIT
In order to reproduce the vulnerability, it is necessary to create and send a valid Modbus frame to the PLC, making sure that the value of the "length" field is greater than the actual length of the frame sent. 



Details:
The SID ("Slave ID") field must be valid
The field reserved for the function can be any (regardless if it is implemented)

Timeline
2020-03-20 - Discovery
2020-03-21 - Vendor Disclosure
2020-07-14 - Publication Date



Greetings,
Industrial Army (@_industrialarmy)

No comments:

Post a Comment