CVE-2021-37172
📋 TL;DR
This vulnerability allows attackers to bypass authentication on Siemens SIMATIC S7-1200 PLCs when provisioned with TIA Portal V13, enabling unauthorized program downloads. It affects SIMATIC S7-1200 CPU family (including SIPLUS variants) version 4.5.0. The vulnerability does not occur when devices were provisioned with TIA Portal V13 SP1 or later.
💻 Affected Systems
- SIMATIC S7-1200 CPU family
- SIPLUS variants
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full control of industrial PLCs, allowing them to download malicious programs that could disrupt physical processes, cause equipment damage, or create safety hazards in industrial environments.
Likely Case
Unauthorized access to PLCs enabling program modification, data theft, or disruption of industrial operations by attackers with network access to affected devices.
If Mitigated
Limited impact with proper network segmentation, access controls, and monitoring preventing unauthorized access to industrial control networks.
🎯 Exploit Status
Exploitation requires TIA Portal V13 or later and network access to the PLC. The vulnerability is an authentication bypass, making exploitation straightforward for attackers with the right tools.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Provision with TIA Portal V13 SP1 or later
Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-830194.pdf
Restart Required: Yes
Instructions:
1. Update TIA Portal to V13 SP1 or later.
2. Reprovision affected PLCs using the updated TIA Portal.
3. Restart PLCs to apply changes.
🔧 Temporary Workarounds
Network Segmentation
Isolate PLCs from untrusted networks using firewalls and VLANs
Access Control Lists
Restrict network access to PLCs to authorized engineering stations only
🧯 If You Can't Patch
- Implement strict network segmentation to isolate PLCs from all untrusted networks
- Monitor network traffic to PLCs for unauthorized access attempts and program downloads
🔍 How to Verify
Check if Vulnerable:
Check if PLC was provisioned using TIA Portal V13 (not SP1 or later) by reviewing provisioning records or checking TIA Portal version history.
Check Version:
Check PLC firmware version via TIA Portal or web interface
Verify Fix Applied:
Verify PLC was reprovisioned using TIA Portal V13 SP1 or later and test authentication requirements for program downloads.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized program download attempts
- Authentication bypass events
- Connection attempts from unauthorized TIA Portal instances
Network Indicators:
- Unexpected S7 communications to PLCs
- Program download traffic from unauthorized sources
SIEM Query:
Search for S7 protocol traffic to PLCs from unauthorized source IPs or outside expected engineering workstations
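The SIEM search above, worked through as a small added example (not part of this advisory or Siemens' tooling): it scans constructed firewall flow-log lines for S7 traffic (ISO-TSAP, TCP port 102) reaching the PLC subnet from any host that is not an allowlisted engineering workstation. The PLC subnet, the workstation addresses and the log line format are assumptions for the demo.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed site layout for the demo: PLCs live in one VLAN, and only the
# listed TIA Portal engineering workstations may talk S7 to them.
PLC_NETWORK = ipaddress.ip_network("192.168.10.0/24")
ENGINEERING_STATIONS = {"192.168.20.5", "192.168.20.6"}
S7_PORT = 102  # ISO-TSAP; carries S7comm / S7comm-plus (program downloads)


@dataclass
class Finding:
    src: str
    dst: str
    reason: str


def parse_flow(line: str) -> dict:
    """Parse one 'key=value key=value ...' flow-log line (constructed format)."""
    return dict(field.split("=", 1) for field in line.split() if "=" in field)


def check_s7_flow(line: str) -> Optional[Finding]:
    """Return a Finding if this flow is S7 traffic to a PLC from a non-engineering host."""
    f = parse_flow(line)
    if f.get("proto") != "tcp" or int(f.get("dport", 0)) != S7_PORT:
        return None  # not S7 over ISO-TSAP
    if "dst" not in f or ipaddress.ip_address(f["dst"]) not in PLC_NETWORK:
        return None  # destination is not a PLC
    src = f.get("src", "")
    if src in ENGINEERING_STATIONS:
        return None  # expected engineering traffic
    return Finding(src, f["dst"], "S7 traffic to PLC from non-engineering host")


def scan_log(lines) -> list:
    """Run the check over every line and keep only the hits."""
    return [hit for hit in (check_s7_flow(l) for l in lines) if hit]


# Constructed sample log: one legitimate TIA Portal session, one S7 session
# from an unknown office host, and two non-S7 flows that must be ignored.
SAMPLE_LOG = [
    "ts=2021-09-14T10:02:11Z proto=tcp src=192.168.20.5 dst=192.168.10.15 dport=102 action=allow",
    "ts=2021-09-14T10:07:48Z proto=tcp src=10.0.5.77 dst=192.168.10.15 dport=102 action=allow",
    "ts=2021-09-14T10:08:02Z proto=tcp src=10.0.5.77 dst=192.168.10.15 dport=443 action=allow",
    "ts=2021-09-14T10:09:30Z proto=udp src=192.168.20.9 dst=192.168.10.15 dport=102 action=allow",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"ALERT {hit.src} -> {hit.dst}: {hit.reason}")
```

In a real deployment the allowlist and subnet come from the asset inventory, and the same rule can be expressed natively in the SIEM; the script shows the logic the query needs to encode.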