CVE-2021-37204

7.5 HIGH

📋 TL;DR

An unauthenticated attacker can cause denial-of-service on Siemens SIMATIC industrial control systems by sending specially crafted packets to port 102/TCP. This affects multiple PLC and controller families including S7-1200, S7-1500, ET 200SP, and Drive Controllers. The device requires a restart to restore normal operations.

💻 Affected Systems

Products:
  • SIMATIC Drive Controller family
  • SIMATIC ET 200SP Open Controller CPU 1515SP PC
  • SIMATIC ET 200SP Open Controller CPU 1515SP PC2
  • SIMATIC ET 200SP Open Controller CPU 1515SP PC2 Ready4Linux
  • SIMATIC S7-1200 CPU family
  • SIMATIC S7-1500 CPU family
  • SIMATIC S7-1500 Software Controller
  • SIMATIC S7-PLCSIM Advanced
  • SIPLUS TIM 1531 IRC
  • TIM 1531 IRC
Versions: Multiple version ranges as specified in the CVE description; generally versions before V2.9.4, V21.9.4, V4.5.2, or V4.0 SP1, depending on the product
Operating Systems: Not applicable - embedded industrial controllers
Default Config Vulnerable: ⚠️ Yes
Notes: All affected devices with default configurations listening on port 102/TCP are vulnerable. SIPLUS variants (extended temperature/ruggedized) are also affected.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Critical industrial processes are disrupted, causing production downtime, safety hazards, or equipment damage requiring physical intervention to restart affected PLCs.

🟠 Likely Case

Temporary disruption of industrial automation processes until affected devices can be manually restarted, causing production delays.

🟢 If Mitigated

Limited impact if devices are behind firewalls with restricted network access and proper segmentation from untrusted networks.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted packets to port 102/TCP, which is the standard Siemens S7 communication port. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V2.9.4, V21.9.4, V4.5.2, V4.0 SP1, V2.3.6 or later depending on product family

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-838121.pdf

Restart Required: Yes

Instructions:

1. Download the appropriate firmware updates from Siemens Industry Online Support.
2. Back up the current configuration.
3. Apply the firmware update using TIA Portal or the appropriate programming software.
4. Restart the device.
5. Verify the firmware version and restore the configuration if needed.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict access to port 102/TCP using firewalls to only trusted engineering stations and authorized networks.

Disable Unnecessary Services (applies to: all)

If not required, disable S7 communication services or restrict them to specific interfaces.

🧯 If You Can't Patch

  • Implement strict network segmentation with firewall rules blocking port 102/TCP from untrusted networks
  • Deploy intrusion detection systems monitoring for anomalous traffic patterns on port 102/TCP

🔍 How to Verify

Check if Vulnerable:

Check device firmware version against affected ranges in Siemens advisory SSA-838121

Check Version:

Use TIA Portal or the device web interface to check the firmware version. The path varies by product; for S7-1500: TIA Portal > Project > Online & Diagnostics > Online access > Firmware.

Verify Fix Applied:

Verify that the firmware version has been updated to a patched version: V2.9.4+, V21.9.4+, V4.5.2+, V4.0 SP1+, or V2.3.6+, depending on the product.
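Comparing Siemens firmware strings by hand is error-prone because of the Service Pack suffix (V4.0 SP1 must count as newer than V4.0 but older than V4.5.2). The following is an added example, not code from Siemens or from this advisory: it parses version strings of the forms shown above into comparable tuples and audits a constructed device inventory. The inventory rows, device names and the SP ordering rule are assumptions; which fixed version applies to which product must be taken from SSA-838121.

```python
import re
from typing import List, Tuple

# Matches "V2.9.4", "V21.9.4", "V4.0 SP1" (leading "V" optional, SP suffix optional).
_VERSION_RE = re.compile(r"^V?(\d+(?:\.\d+)*)(?:\s*SP(\d+))?$", re.IGNORECASE)


def parse_firmware_version(text: str) -> Tuple[Tuple[int, ...], int]:
    """Return (base_version_tuple, service_pack) so tuples compare in release order.

    Assumption: a Service Pack orders after the same base version without one
    and before the next numeric base version (V4.0 < V4.0 SP1 < V4.5.2).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    base = tuple(int(part) for part in m.group(1).split("."))
    base = base + (0,) * (3 - len(base))  # pad so V4.0 compares as V4.0.0
    sp = int(m.group(2)) if m.group(2) else 0
    return base, sp


def is_patched(installed: str, fixed: str) -> bool:
    """True when the installed firmware is the fixed version or later."""
    return parse_firmware_version(installed) >= parse_firmware_version(fixed)


def audit_inventory(inventory) -> List[str]:
    """inventory: iterable of (device_name, installed_version, fixed_version).

    Returns the names of devices whose firmware is still below the fixed version.
    """
    return [name for name, installed, fixed in inventory if not is_patched(installed, fixed)]


# Constructed sample inventory (not real devices). The fixed versions are the
# ones the advisory lists; the mapping of device to fixed version is assumed here.
SAMPLE_INVENTORY = [
    ("plc-line1", "V2.9.2", "V2.9.4"),
    ("plc-line2", "V2.9.4", "V2.9.4"),
    ("sw-ctrl-1", "V21.9.3", "V21.9.4"),
    ("et200sp-1", "V4.0", "V4.0 SP1"),
    ("et200sp-2", "V4.5.2", "V4.0 SP1"),
]

if __name__ == "__main__":
    for name in audit_inventory(SAMPLE_INVENTORY):
        print(f"{name}: firmware below fixed version, still affected")
```

Feed it the firmware versions read from TIA Portal and the per-product fixed version from the advisory; any device it names still needs the update.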

📡 Detection & Monitoring

Log Indicators:

  • Device restart logs without normal shutdown
  • Communication errors on port 102/TCP
  • PLC going to STOP mode unexpectedly

Network Indicators:

  • Unusual traffic patterns to port 102/TCP from unauthorized sources
  • Malformed S7 packets
  • Multiple connection attempts to port 102

SIEM Query:

(source_port:102 AND (packet_size:<100 OR packet_size:>1500)) OR (dest_port:102 AND protocol:TCP AND (bytes_sent:>1000 OR connection_duration:<1s))
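The indicators and the SIEM query above boil down to three checks on connection records: traffic to port 102/TCP from a source that is not an authorized engineering station, large volumes sent inside very short-lived connections, and repeated connection attempts from one source. The script below is an added example, not code from the advisory, that runs those checks over a constructed set of flow records. The record format, the trusted-source list, the thresholds and the IP addresses are all assumptions to be replaced with your own flow-log fields and allowlist.

```python
import ipaddress
from collections import Counter
from typing import Dict, List

# Constructed sample flow records (not real traffic), one per line:
# ts,src_ip,dst_ip,dst_port,proto,bytes_sent,duration_s
SAMPLE_FLOWS = """\
2024-01-01T08:00:01,10.10.1.5,10.10.2.10,102,tcp,640,12.4
2024-01-01T08:00:02,10.10.1.5,10.10.2.11,102,tcp,512,9.8
2024-01-01T08:01:10,10.10.7.99,10.10.2.10,102,tcp,1400,0.3
2024-01-01T08:01:11,10.10.7.99,10.10.2.10,102,tcp,1400,0.2
2024-01-01T08:01:12,10.10.7.99,10.10.2.10,102,tcp,1400,0.2
2024-01-01T08:01:13,10.10.7.99,10.10.2.11,102,tcp,60,0.1
2024-01-01T08:02:00,10.10.1.6,10.10.2.10,443,tcp,8000,30.0
"""

# Assumption: the only engineering station allowed to talk S7 to the PLCs.
TRUSTED_S7_SOURCES = {ipaddress.ip_address("10.10.1.5")}
S7_PORT = 102
BURST_THRESHOLD = 3       # connections to port 102 from one source in the record set
LARGE_SHORT_BYTES = 1000  # bytes_sent above this ...
SHORT_DURATION = 1.0      # ... within a connection shorter than this many seconds


def parse_flows(text: str) -> List[dict]:
    """Parse the CSV-style records above into dicts with typed fields."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, proto, nbytes, dur = line.split(",")
        flows.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "dst_port": int(port),
            "proto": proto.lower(),
            "bytes": int(nbytes),
            "duration": float(dur),
        })
    return flows


def detect_s7_anomalies(flows: List[dict], trusted=TRUSTED_S7_SOURCES) -> List[dict]:
    """Apply the three indicator checks to port 102/TCP flows and return findings."""
    findings = []
    attempts: Counter = Counter()
    for f in flows:
        if f["dst_port"] != S7_PORT or f["proto"] != "tcp":
            continue
        attempts[f["src"]] += 1
        if f["src"] not in trusted:
            findings.append({"kind": "untrusted_source", "ts": f["ts"],
                             "src": f["src"], "dst": f["dst"]})
        if f["bytes"] > LARGE_SHORT_BYTES and f["duration"] < SHORT_DURATION:
            findings.append({"kind": "large_short_connection", "ts": f["ts"],
                             "src": f["src"], "dst": f["dst"],
                             "bytes": f["bytes"], "duration": f["duration"]})
    for src, n in attempts.items():
        if n >= BURST_THRESHOLD:
            findings.append({"kind": "burst", "src": src, "count": n})
    return findings


def summarize(findings: List[dict]) -> Dict[str, int]:
    """Count findings per indicator kind, for a quick triage view."""
    return dict(Counter(f["kind"] for f in findings))


if __name__ == "__main__":
    results = detect_s7_anomalies(parse_flows(SAMPLE_FLOWS))
    for r in results:
        print(r)
    print(summarize(results))
```

On the constructed data the trusted station's two sessions produce nothing, while the unknown host is flagged on every check; in production, tune the allowlist and thresholds to the plant's real engineering-station traffic so routine TIA Portal sessions do not generate noise.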
