CVE-2021-37185

Q: How do I fix CVE-2021-37185?

1. Download firmware updates from Siemens Industrial Security. 2. Backup PLC programs. 3. Apply firmware updates following Siemens documentation. 4. Restart affected devices. 5. Verify normal operation.

Q: What is the severity of CVE-2021-37185?

CVE-2021-37185 has a CVSS score of 7.5 (HIGH). This vulnerability allows unauthenticated attackers to cause denial-of-service conditions in Siemens industrial control systems by sending specially crafted packets to port 102/tcp. Affected systems include multiple SIMATIC PLC families and related controllers. A device restart is required to restore normal operations after exploitation.

7.5 HIGH

Denial of Service

📋 TL;DR

This vulnerability allows unauthenticated attackers to cause denial-of-service conditions in Siemens industrial control systems by sending specially crafted packets to port 102/tcp. Affected systems include multiple SIMATIC PLC families and related controllers. A device restart is required to restore normal operations after exploitation.

💻 Affected Systems

Products:

SIMATIC Drive Controller family
SIMATIC ET 200SP Open Controller CPU 1515SP PC2
SIMATIC S7-1200 CPU family
SIMATIC S7-1500 CPU family
SIMATIC S7-1500 Software Controller
SIMATIC S7-PLCSIM Advanced
SIPLUS TIM 1531 IRC
TIM 1531 IRC

Versions: V2.9.2 to V2.9.4, V21.9 to V21.9.4, V4.5.0 to V4.5.2, V4.0 to V4.0 SP1, versions < V2.3.6

Operating Systems: Industrial control system firmware

Default Config Vulnerable: ⚠️ Yes

Notes: Port 102/tcp (ISO-TSAP) is typically open by default for Siemens S7 communication. All affected versions in the specified ranges are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Critical industrial processes are disrupted, causing production downtime, safety hazards, or equipment damage requiring physical intervention to restart affected PLCs.

🟠

Likely Case

Temporary disruption of industrial automation processes until affected devices can be manually restarted, causing production delays.

🟢

If Mitigated

Minimal impact if devices are properly segmented and protected from untrusted networks, with monitoring to detect and respond to DoS attempts.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation via port 102/tcp makes internet-exposed devices extremely vulnerable.

🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could still exploit this, but network segmentation reduces exposure.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability requires sending specially crafted packets to port 102/tcp, which is relatively simple for attackers with network access to the target.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V2.9.4, V21.9.4, V4.5.2, V4.0 SP1, V2.3.6

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-838121.pdf

Restart Required: Yes

Instructions:

1. Download firmware updates from Siemens Industrial Security. 2. Backup PLC programs. 3. Apply firmware updates following Siemens documentation. 4. Restart affected devices. 5. Verify normal operation.

🔧 Temporary Workarounds

Network segmentation and firewall rules

all

Restrict access to port 102/tcp to only trusted management stations and engineering workstations.

Disable unnecessary services

all

If ISO-TSAP service on port 102 is not required, disable it in PLC configuration.

🧯 If You Can't Patch

Implement strict network segmentation to isolate PLCs from untrusted networks
Deploy intrusion detection systems to monitor for DoS attempts on port 102/tcp

🔍 How to Verify

Check if Vulnerable:

Check device firmware version against affected ranges. Use Siemens TIA Portal or device web interface to view version information.

Check Version:

No universal command - use Siemens TIA Portal, device web interface, or STEP 7 software to check firmware versions.

Verify Fix Applied:

Confirm firmware version is updated to patched versions: V2.9.4+, V21.9.4+, V4.5.2+, V4.0 SP1+, V2.3.6+.

📡 Detection & Monitoring

Log Indicators:

PLC restart events
Communication errors on port 102
Device going to STOP mode unexpectedly

Network Indicators:

Unusual traffic patterns to port 102/tcp
Malformed packets to port 102
Multiple connection attempts from single sources

SIEM Query:

source_port:102 AND (packet_size:<100 OR packet_size:>1500) OR dest_port:102 AND protocol:TCP AND event_count:>10 within 1m

📊 Metadata

CVE ID: CVE-2021-37185

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE: CWE-672

Published: February 9, 2022

Last Updated: November 21, 2024

🔗 References

https://cert-portal.siemens.com/productcert/pdf/ssa-838121.pdf Patch,Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-838121.pdf Patch,Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Simatic Drive Controller Cpu 1504d Tf Firmware by Siemens

Simatic Drive Controller Cpu 1507d Tf Firmware by Siemens

Simatic Et 200sp Open Controller Cpu 1515sp Pc2 Firmware by Siemens

Simatic S7 1200 Cpu 1211c Firmware by Siemens

Simatic S7 1200 Cpu 1212c Firmware by Siemens

Simatic S7 1200 Cpu 1212fc Firmware by Siemens

Simatic S7 1200 Cpu 1214c Firmware by Siemens

Simatic S7 1200 Cpu 1214fc Firmware by Siemens

Simatic S7 1200 Cpu 1215c Firmware by Siemens

Simatic S7 1200 Cpu 1215fc Firmware by Siemens

Simatic S7 1200 Cpu 1217c Firmware by Siemens

Simatic S7 1500 Cpu 1510sp 1 Firmware by Siemens

Simatic S7 1500 Cpu 1510sp Firmware by Siemens

Simatic S7 1500 Cpu 1511 1 Firmware by Siemens

Simatic S7 1500 Cpu 1511c 1 Firmware by Siemens

Simatic S7 1500 Cpu 1511f 1 Firmware by Siemens

Simatic S7 1500 Cpu 1511t 1 Firmware by Siemens

Simatic S7 1500 Cpu 1511tf 1 Firmware by Siemens

Simatic S7 1500 Cpu 1512c 1 Firmware by Siemens

Simatic S7 1500 Cpu 1512sp 1 Firmware by Siemens

Simatic S7 1500 Cpu 1512spf 1 Firmware by Siemens

Simatic S7 1500 Cpu 1513 1 Firmware by Siemens

Simatic S7 1500 Cpu 1513f 1 Firmware by Siemens

Simatic S7 1500 Cpu 1513r 1 Firmware by Siemens

Simatic S7 1500 Cpu 1515 2 Firmware by Siemens

Simatic S7 1500 Cpu 1515f 2 Firmware by Siemens

Simatic S7 1500 Cpu 1515r 2 Firmware by Siemens

Simatic S7 1500 Cpu 1515t 2 Firmware by Siemens

Simatic S7 1500 Cpu 1515tf 2 Firmware by Siemens

Simatic S7 1500 Cpu 1516 3 Firmware by Siemens

Simatic S7 1500 Cpu 1516f 3 Firmware by Siemens

Simatic S7 1500 Cpu 1516pro 2 Firmware by Siemens

Simatic S7 1500 Cpu 1516pro F Firmware by Siemens

Simatic S7 1500 Cpu 1516t 3 Firmware by Siemens

Simatic S7 1500 Cpu 1516tf 3 Firmware by Siemens

Simatic S7 1500 Cpu 1517 3 Firmware by Siemens

Simatic S7 1500 Cpu 1517f 3 Firmware by Siemens

Simatic S7 1500 Cpu 1517tf 3 Firmware by Siemens

Simatic S7 1500 Cpu 1518 4 Firmware by Siemens

Simatic S7 1500 Cpu 1518f 4 Firmware by Siemens

Simatic S7 1500 Cpu 1518hf 4 Firmware by Siemens

Simatic S7 1500 Cpu 1518t 4 Firmware by Siemens

Simatic S7 1500 Cpu 1518tf 4 Firmware by Siemens

Simatic S7 1500 Cpu Cpu 1513pro 2 Firmware by Siemens

Simatic S7 1500 Cpu Cpu 1513prof 2 Firmware by Siemens

Simatic S7 1500 Software Controller by Siemens

Simatic S7 Plcsim Advanced Firmware by Siemens