CVE-2020-15796
📋 TL;DR
A vulnerability in Siemens SIMATIC ET 200SP Open Controller and S7-1500 Software Controller allows remote attackers to cause denial-of-service by sending specially crafted HTTP requests to the web server. This affects industrial control systems running vulnerable versions, potentially disrupting operational technology environments.
💻 Affected Systems
- SIMATIC ET 200SP Open Controller
- SIMATIC S7-1500 Software Controller
- SIPLUS variants
⚠️ Risk & Real-World Impact
Worst Case
Complete disruption of industrial control operations, causing production downtime, equipment damage, or safety incidents in critical infrastructure.
Likely Case
Temporary unavailability of the controller's web interface and potential disruption of network communications, requiring manual restart.
If Mitigated
Limited impact with proper network segmentation and monitoring, allowing quick detection and response before significant disruption.
🎯 Exploit Status
Exploitation requires sending specially crafted HTTP requests but no authentication is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Update to V20.8 Update 1 or later
Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-700697.pdf
Restart Required: Yes
Instructions:
1. Download the firmware update from Siemens support portal.
2. Backup current configuration.
3. Apply the firmware update following Siemens documentation.
4. Restart the controller.
5. Verify the update was successful.
🔧 Temporary Workarounds
Disable Web Server
Disable the vulnerable web server functionality if not required for operations.
Configure via Siemens TIA Portal or engineering software to disable web server
Network Segmentation
Isolate controllers in separate network segments with strict firewall rules.
Configure firewall to block external HTTP access to controller ports
🧯 If You Can't Patch
- Implement strict network access controls to limit HTTP traffic to trusted sources only
- Deploy network monitoring and intrusion detection for anomalous HTTP requests
🔍 How to Verify
Check if Vulnerable:
Check controller firmware version via Siemens TIA Portal or web interface. If version is exactly V20.8 (without updates), it is vulnerable.
Check Version:
Use Siemens TIA Portal or access web interface to view firmware version information
Verify Fix Applied:
Verify firmware version shows V20.8 Update 1 or later. Test web server functionality with normal HTTP requests.
📡 Detection & Monitoring
Log Indicators:
- Web server crash logs
- Unusual HTTP request patterns
- Controller restart events
Network Indicators:
- Multiple malformed HTTP requests to controller ports
- Sudden loss of controller connectivity
SIEM Query:
source="controller_logs" AND (event="webserver_crash" OR event="unexpected_restart")
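
The SIEM query above only finds crash and restart events. The following added example (not from the original advisory or any Siemens tooling) correlates those events with the network indicator, listing sources that sent repeated malformed HTTP requests to the same controller shortly before it failed. The log layout, the sensor's `malformed` flag, the window and the threshold are assumptions; the event names are taken from the query.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real logs. The key=value layout and the
# sensor's "malformed" flag are assumptions; event names follow the SIEM query.
SAMPLE_LOG = """\
2021-03-01T10:00:01 type=http src=10.0.5.23 dst=192.0.2.10 malformed=1
2021-03-01T10:00:02 type=http src=10.0.5.23 dst=192.0.2.10 malformed=1
2021-03-01T10:00:03 type=http src=10.0.5.23 dst=192.0.2.10 malformed=1
2021-03-01T10:00:05 type=http src=10.0.7.40 dst=192.0.2.10 malformed=0
2021-03-01T10:00:20 type=controller host=192.0.2.10 event=webserver_crash
2021-03-01T12:30:00 type=controller host=192.0.2.11 event=unexpected_restart
"""

CRASH_EVENTS = {"webserver_crash", "unexpected_restart"}

def parse(line):
    # "<ISO timestamp> key=value key=value ..." -> dict with a datetime under "ts"
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def correlate(log_text, window=timedelta(seconds=60), threshold=3):
    """Return [(controller, crash_time, event, suspect_sources)] per crash event."""
    records = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                     key=lambda r: r["ts"])
    bad_http = defaultdict(list)  # controller address -> [(timestamp, source)]
    findings = []
    for r in records:
        if r.get("type") == "http" and r.get("malformed") == "1":
            bad_http[r["dst"]].append((r["ts"], r["src"]))
        elif r.get("type") == "controller" and r.get("event") in CRASH_EVENTS:
            counts = defaultdict(int)
            for ts, src in bad_http[r["host"]]:
                if r["ts"] - window <= ts <= r["ts"]:
                    counts[src] += 1
            # An empty suspect list means a crash with no preceding malformed burst.
            suspects = sorted(s for s, n in counts.items() if n >= threshold)
            findings.append((r["host"], r["ts"].isoformat(), r["event"], suspects))
    return findings

if __name__ == "__main__":
    for finding in correlate(SAMPLE_LOG):
        print(finding)
```

A crash with an empty suspect list still deserves review, since the restart may have another cause or the sensor may not have seen the traffic.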