Security News > 2021 > May > A New Bug in Siemens PLCs Could Let Hackers Run Malicious Code Remotely
Siemens on Friday shipped firmware updates to address a severe vulnerability in SIMATIC S7-1200 and S7-1500 programmable logic controllers that could be exploited by a malicious actor to remotely gain access to protected areas of the memory and achieve unrestricted and undetected code execution, in what the researchers describe as an attacker's "Holy grail."
In an advisory issued by Siemens, the German industrial automation firm said an unauthenticated, remote attacker with network access to TCP port 102 could potentially write arbitrary data and code to protected memory areas or read sensitive data to launch further attacks.
"These complex systems have numerous in-memory protections that would have to be hurdled in order for an attacker to not only run code of their choice, but also remain undetected."
Not only does the new flaw allow an adversary to gain native code execution on Siemens S7 PLCs, but the sophisticated remote attack also avoids detection by the underlying operating system or any diagnostic software by escaping the user sandbox to write arbitrary data and code directly into protected memory regions.
This is far from the first time unauthorized code execution has been achieved on Siemens PLCs. In 2010, the infamous Stuxnet worm leveraged multiple flaws in Windows to reprogram industrial control systems by modifying code on Siemens PLCs for cyber espionage and covert sabotage.
Researchers demonstrated a new class of attacks called "Rogue7" that exploited vulnerabilities in its proprietary S7 communication protocol to "Create a rogue engineering station which can masquerade as the TIA to the PLC and inject any messages favourable to the attacker."