Published: March 21, 2026, 4:16 p.m.
Description: ownDMS 4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the IMG parameter. Attackers can send GET requests to pdfstream.php, imagestream.php, or anyfilestream.php with crafted SQL payloads in the IMG parameter to extract sensitive database information including version and database names.
Severity: 8.8 | HIGH
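
To check web server access logs for the requests described above, the following added example (not part of the original advisory or of ownDMS) flags GET requests to the three named scripts whose IMG value contains SQL syntax. It assumes Common/Combined Log Format; the token list, the /owndms/ path and all sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Scripts and parameter named in the CVE description.
ENDPOINTS = {"pdfstream.php", "imagestream.php", "anyfilestream.php"}
PARAM = "img"

# Assumption: a legitimate IMG value never contains quotes, SQL comment
# markers, semicolons or these keywords. Tune this for your deployment.
SQLI = re.compile(
    r"['\"`;]|--|#|/\*|\b(?:union|select|sleep|benchmark|information_schema)\b",
    re.IGNORECASE,
)
# Client address and request field of a Common/Combined Log Format line.
REQUEST = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')


def inspect(line):
    """Return a finding dict if the line is a suspicious IMG request, else None."""
    m = REQUEST.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    script = url.path.rsplit("/", 1)[-1].lower()
    if script not in ENDPOINTS:
        return None
    for key, value in parse_qsl(url.query, keep_blank_values=True):
        # parse_qsl decodes once; decode again to catch double-encoding.
        if key.lower() == PARAM and SQLI.search(value + "\n" + unquote_plus(value)):
            return {"ip": m.group("ip"), "script": script, "img": value}
    return None


def scan(lines):
    """Return the findings for every suspicious line, in log order."""
    return [finding for finding in map(inspect, lines) if finding]


# Constructed sample lines (documentation IP ranges, hypothetical /owndms/ path).
SAMPLE_LOG = [
    '203.0.113.7 - - [21/Mar/2026:08:01:12 +0000] "GET /owndms/pdfstream.php?IMG=17 HTTP/1.1" 200 48211',
    '203.0.113.9 - - [21/Mar/2026:08:02:40 +0000] "GET /owndms/imagestream.php?IMG=1%27%20UNION%20SELECT%20version()--%20 HTTP/1.1" 200 312',
    '203.0.113.9 - - [21/Mar/2026:08:02:44 +0000] "GET /owndms/anyfilestream.php?IMG=1%2527%2520OR%25201 HTTP/1.1" 200 0',
    '198.51.100.4 - - [21/Mar/2026:08:03:00 +0000] "GET /index.php?q=select HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit is a lead for review, not proof of compromise; compare the response size and status of flagged requests against normal downloads from the same script.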
🤖 AI-Generated Patch Solution
Google Gemini (gemini-2.5-flash) • CVE: CVE-2019-25580
Immediately isolate any affected SIMATIC S7-1200 or S7-1500 PLCs from untrusted networks. This may involve physically disconnecting network cables or applying temporary firewall rules at the network perimeter of the ICS zone.
Monitor the operational status of all potentially affected PLCs for unexpected behavior such as transitioning to DEFECT mode, STOP mode, loss of communication, or unscheduled restarts.
If a Denial of Service (DoS) event is suspected or confirmed, perform a controlled restart of the affected PLC. This can typically be done via a power cycle or through the TIA Portal software if accessible.
Back up the current PLC project and configuration files to ensure a recovery point is available before proceeding with any updates or extensive changes.
2. PATCH AND UPDATE INFORMATION
Siemens has released firmware updates to address this Denial of Service vulnerability.
For SIMATIC S7-1200 CPUs, update the firmware to version V4.4.0 or later.
For SIMATIC S7-1500 CPUs, update the firmware to version V2.8.0 or later.
Refer to the official Siemens Security Advisory SSA-726240 for detailed information, specific download links, and instructions on how to perform the firmware updates. This advisory is the authoritative source for patch details.
Firmware updates should be performed using the TIA Portal software. Ensure that the TIA Portal version is compatible with the target PLC firmware and that all necessary project files are backed up prior to commencing the update process. Test the update in a non-production environment first, if possible, to verify functionality and stability.
3. MITIGATION STRATEGIES
Network Segmentation: Implement strict network segmentation to isolate the Industrial Control System (ICS) network where PLCs reside from the corporate IT network and the internet. Utilize firewalls and industrial demilitarized zones (IDMZ) to control traffic flow.
Firewall Rules: Configure firewalls to restrict communication to and from PLCs. Only allow necessary protocols (e.g., S7 Communication, PROFINET) from authorized management workstations, HMI/SCADA systems, and engineering stations. Block all other inbound and outbound traffic to the PLC network.
Secure Remote Access: If remote access to PLCs is required, enforce the use of strong Virtual Private Networks (VPNs) with multi-factor authentication (MFA). Avoid direct exposure of PLCs to public networks.
Disable Unused Services: Review PLC configurations and disable any services, ports, or protocols that are not essential for their operational function. This reduces the attack surface.
Access Control: Implement robust access control lists (ACLs) on network switches and routers within the ICS network to ensure that only authorized devices can communicate with the PLCs.
4. DETECTION METHODS
PLC Status Monitoring: Implement continuous monitoring of PLC operational status. Look for unexpected transitions to STOP mode, DEFECT mode, or communication loss alarms reported by SCADA/HMI systems.
Network Traffic Analysis: Utilize Network Intrusion Detection Systems (NIDS) or Industrial Anomaly Detection (IAD) solutions to monitor traffic to and from PLCs for unusual patterns, high volumes of traffic, or malformed packets originating from unauthorized IP addresses. Deep Packet Inspection (DPI) for ICS protocols can help identify malicious payloads.
System Logs and Events: If available, monitor PLC system logs or logs from connected network devices (e.g., managed switches, firewalls) for error messages, communication failures, or unexpected system reboots that could indicate a DoS