In our laboratory we were able to identify and reproduce a vulnerability which enables the construction and delivery of Modbus protocol frames to the PLC, generating an absolute denial of service in the equipment.
AFFECTED PRODUCTS AND THE SOLUTION
|Affected Product and Versions||Remediation|
|SIMATIC S7-200 SMART CPU family:||Update to V2.5.1|
|All versions >= V2.2 < V2.5.1||https://support.industry.siemens.com/cs/ww/en/view/109765009/|
note: The S7-200 SMART series is a line of micro-programmable logic controllers that can control a variety of small automation applications.
In order to reproduce the vulnerability, it is necessary to create and send a valid Modbus frame to the PLC, making sure that the value of the "length" field is greater than the actual length of the frame sent.
The SID ("Slave ID") field must be valid
The field reserved for the function can be any (regardless if it is implemented)
2020-03-20 - Discovery
2020-03-21 - Vendor Disclosure
2020-07-14 - Publication Date