Siemens SIMATIC S7-400 PN CPU DoS
Low Risk | ICS-CERT ICSA-12-212-02 | May 3, 2012
Summary
The S7-400 PN CPU family contains a denial of service vulnerability in the PROFINET interface. A remote attacker can send specially crafted packets that cause the CPU to crash and require manual restart. The vulnerability affects S7-400 firmware versions 6.0.1 and 6.0.2, as well as all versions of the CPU 412-2 PN, CPU 414-3 PN/DP, CPU 414F-3 PN/DP, CPU 416-3 PN/DP, and CPU 416F-3 PN models. No vendor patch is available.
What this means
What could happen
A remote attacker can crash S7-400 PN CPUs by sending specially crafted packets, causing a denial of service that interrupts process control until the device is manually rebooted.
Who's at risk
Water utilities and electric utilities operating Siemens S7-400 PN CPUs for process automation and control should be concerned. This affects all versions of CPU 412-2 PN, CPU 414-3 PN/DP, CPU 414F-3 PN/DP, CPU 416-3 PN/DP, and CPU 416F-3 PN. Any facility using these controllers for pump stations, valve control, or generation systems is at risk of unplanned outages.
How it could be exploited
An attacker with network access to the PROFINET interface can send malformed packets to the CPU. The device fails to validate the packet structure and crashes, halting all controlled processes.
Prerequisites
- Network access to PROFINET port 161 on the S7-400 PN CPU
- Ability to craft and send raw PROFINET packets
- Remotely exploitable
- No patch available
- Affects PLCs in critical infrastructure
- No authentication required for PROFINET communication
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (6)
6 EOL
| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| CPU 412-2 PN (6ES7412-2EK06-0AB0): vers:all/* | All versions | No fix (EOL) |
| CPU 414-3 PN/DP (6ES7414-3EM06-0AB0): vers:all/* | All versions | No fix (EOL) |
| CPU 414F-3 PN/DP (6ES7414-3FM06-0AB0): vers:all/* | All versions | No fix (EOL) |
| CPU 416-3 PN/DP (6ES7416-3ES06-0AB0): vers:all/* | All versions | No fix (EOL) |
| CPU 416F-3 PN (6ES7416-3FS06-0AB0): vers:all/* | All versions | No fix (EOL) |
| S7-400 CPU family: 6.0.1\|6.0.2 | 6.0.1\|6.0.2 | No fix (EOL) |
Remediation & Mitigation
Do now
HARDENING: Restrict network access to PROFINET ports on S7-400 PN CPUs using firewall rules or industrial switches. Only allow communication from trusted engineering workstations and SCADA systems.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: CPU 412-2 PN (6ES7412-2EK06-0AB0): vers:all/*, CPU 414-3 PN/DP (6ES7414-3EM06-0AB0): vers:all/*, CPU 414F-3 PN/DP (6ES7414-3FM06-0AB0): vers:all/*, CPU 416-3 PN/DP (6ES7416-3ES06-0AB0): vers:all/*, CPU 416F-3 PN (6ES7416-3FS06-0AB0): vers:all/*, S7-400 CPU family: 6.0.1|6.0.2. Apply the following compensating controls:
HARDENING: Segment the CPU on a dedicated PROFINET network separate from corporate IT or untrusted networks.
HARDENING: Monitor PROFINET traffic for malformed packets or unusual communication patterns.
HARDENING: Implement redundancy so that a CPU crash does not stop critical operations—use standby PLCs or failover controllers.
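One way to check that the access restriction and monitoring controls above are holding is to audit exported flow records for PLC-bound traffic from sources outside the allowlist. This is an added example, not part of the advisory; the IP addresses, allowlist, and flow-record layout are assumptions, and the port is the one listed under Prerequisites.

```python
import csv
import io
from ipaddress import ip_address, ip_network

# Assumed site values (not from the advisory): PLC addresses and the allowlist.
PLC_HOSTS = {ip_address("10.20.0.10"), ip_address("10.20.0.11")}
TRUSTED_SOURCES = [
    ip_network("10.20.0.50/32"),  # engineering workstation
    ip_network("10.20.1.0/28"),   # SCADA servers
]
ADVISORY_PORT = 161  # port named in the advisory's prerequisites

# Constructed sample flow export (hypothetical layout: ts,src,dst,dport).
SAMPLE_FLOWS = """\
ts,src,dst,dport
2024-01-01T00:00:01Z,10.20.0.50,10.20.0.10,161
2024-01-01T00:00:02Z,10.20.1.5,10.20.0.11,161
2024-01-01T00:00:03Z,192.168.5.23,10.20.0.10,161
2024-01-01T00:00:04Z,10.20.1.40,10.20.0.11,80
2024-01-01T00:00:05Z,192.168.5.23,10.20.0.99,161
2024-01-01T00:00:06Z,not-an-ip,10.20.0.10,161
"""


def audit_flows(text):
    """Return (severity, ts, src, dport) for PLC-bound flows from untrusted sources."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        try:
            src, dst = ip_address(row["src"]), ip_address(row["dst"])
            dport = int(row["dport"])
        except (KeyError, TypeError, ValueError):
            # Keep malformed records visible instead of silently dropping them.
            findings.append(("unparsable", row.get("ts"), None, None))
            continue
        if dst not in PLC_HOSTS:
            continue  # not one of the controllers we are protecting
        if any(src in net for net in TRUSTED_SOURCES):
            continue  # expected engineering or SCADA traffic
        severity = "high" if dport == ADVISORY_PORT else "review"
        findings.append((severity, row["ts"], str(src), dport))
    return findings


if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS):
        print(finding)
```

Any "high" finding means the firewall or switch ACL let an untrusted source reach the port the advisory names; "review" findings are untrusted sources reaching a controller on another port.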
CVEs (1)