OTPulse

ICSA-17-129-01 Siemens devices using the PROFINET Discovery and Configuration Protocol (Update K)

Monitor · 6.5 · ICS-CERT ICSA-17-129-01 · May 8, 2017
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in the PROFINET Discovery and Configuration Protocol implementation in multiple Siemens products allows an attacker on the local network to send malformed packets that cause affected devices to stop responding or malfunction. The vulnerability stems from improper input validation (CWE-20) in PROFINET protocol handlers. Affected products include SIMATIC PCS 7, STEP 7 (TIA Portal and V5.X), WinCC (multiple versions), Primary Setup Tool, SIMATIC Automation Tool, SINUMERIK 808D Programming Tool, SINEMA Server, and other engineering and runtime tools. The impact is denial of service to automation and control functions. Most affected products have patches available; however, SIMATIC PCS 7 V8.1 and earlier, WinCC V7.2 and earlier, and several other end-of-life products have no remediation planned by Siemens.

What this means
What could happen
An attacker on the local network can cause PROFINET-enabled Siemens devices to stop responding or malfunction by sending specially crafted discovery and configuration packets, disrupting automation and control systems until the device is restarted.
Who's at risk
Water authorities and electric utilities using Siemens PROFINET-based automation systems should be concerned. This affects engineering workstations running STEP 7, WinCC, or related configuration tools; programmable logic controllers (PLCs) using PROFINET; human-machine interfaces (HMIs); and networked automation devices. Specific equipment includes SIMATIC PCS 7 control systems, distributed I/O modules, SINUMERIK industrial controllers, and any device that implements the PROFINET Discovery and Configuration Protocol.
How it could be exploited
An attacker with access to the local network sends malformed PROFINET Discovery and Configuration Protocol packets to a Siemens device. The device fails to properly validate the packet contents and crashes or stops responding to legitimate commands, causing a denial of service to automation and engineering workstations that depend on it.
Prerequisites
  • Attacker must be on the same local network segment (adjacent network) as the Siemens device
  • PROFINET Discovery and Configuration Protocol (typically UDP port 34964) must be accessible from the attacker's position
  • Device must be running one of the affected Siemens software or hardware products
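As an added illustration (not code from the advisory, ICS-CERT or Siemens), a strict parser for DCP frames that performs the length validation the affected handlers lacked, run over three constructed sample frames. DCP is carried directly in Ethernet frames with EtherType 0x8892, which is why the attack vector is limited to the adjacent Layer 2 segment; the source MAC, transaction ID and station name in the samples are made up.

```python
import struct
PN_ETHERTYPE = 0x8892                     # PROFINET rides directly on Ethernet (Layer 2)
DCP_FRAME_IDS = {0xFEFC: "hello", 0xFEFD: "get/set",
                 0xFEFE: "identify-req", 0xFEFF: "identify-rsp"}
DCP_SERVICES = {3: "get", 4: "set", 5: "identify", 6: "hello"}

def parse_dcp_frame(frame: bytes) -> dict:
    """Strictly validate a raw Ethernet frame as PROFINET DCP. Every declared length
    is checked against the bytes present: the CWE-20 check the advisory is about."""
    if len(frame) < 26:                   # 14 Ethernet + 2 FrameID + 10 DCP header
        return {"ok": False, "reason": "too short for a DCP header"}
    ethertype, frame_id = struct.unpack_from("!HH", frame, 12)
    if ethertype != PN_ETHERTYPE:
        return {"ok": False, "reason": "EtherType %#06x is not PROFINET" % ethertype}
    if frame_id not in DCP_FRAME_IDS:
        return {"ok": False, "reason": "FrameID %#06x is not DCP" % frame_id}
    service, stype, xid, _delay, data_len = struct.unpack_from("!BBIHH", frame, 16)
    if service not in DCP_SERVICES:
        return {"ok": False, "reason": "unknown ServiceID %d" % service}
    payload = frame[26:]
    if data_len > len(payload):           # header claims more data than the frame carries
        return {"ok": False, "reason": "DCPDataLength %d exceeds %d payload bytes"
                % (data_len, len(payload))}
    blocks, pos = [], 0
    while pos < data_len:                 # walk the TLV blocks, never past DCPDataLength
        if data_len - pos < 4:
            return {"ok": False, "reason": "truncated block header at offset %d" % pos}
        option, suboption, blen = struct.unpack_from("!BBH", payload, pos)
        if pos + 4 + blen > data_len:     # block claims more than the DCP data area holds
            return {"ok": False, "reason": "block length %d overruns DCPDataLength" % blen}
        blocks.append((option, suboption, payload[pos + 4:pos + 4 + blen]))
        pos += 4 + blen + (blen & 1)      # block data is padded to an even length
    return {"ok": True, "frame_id": DCP_FRAME_IDS[frame_id], "service": DCP_SERVICES[service],
            "is_request": stype == 0, "xid": xid, "blocks": blocks}

def block(option, suboption, data):       # one DCP TLV block with even-length padding
    return struct.pack("!BBH", option, suboption, len(data)) + data + b"\x00" * (len(data) & 1)

def build_frame(frame_id, service, body, data_len=None):
    """Constructed sample frame (DCP multicast dst, made-up src); data_len may deliberately lie."""
    eth = bytes.fromhex("010ecf000000" "020000000001") + struct.pack("!HH", PN_ETHERTYPE, frame_id)
    dcp = struct.pack("!BBIHH", service, 0, 0x1234, 1, len(body) if data_len is None else data_len)
    raw = eth + dcp + body
    return raw + b"\x00" * max(0, 60 - len(raw))   # pad to the minimum Ethernet size

# Constructed samples: a well-formed Identify-All request and two malformed Set requests.
GOOD_IDENTIFY = build_frame(0xFEFE, 5, block(0xFF, 0xFF, b""))
BAD_DATA_LEN = build_frame(0xFEFD, 4, block(2, 2, b"\x00\x01plc-1"), data_len=0x0400)
BAD_BLOCK_LEN = build_frame(0xFEFD, 4, struct.pack("!BBH", 2, 2, 0x0100) + b"\x00\x01plc-1")
```

A passive monitor on a mirror port can feed captured frames to parse_dcp_frame and alert on any "ok": False result, since well-formed engineering traffic never trips the length checks.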
  • Remotely exploitable over local network
  • Low complexity attack
  • No authentication required
  • Affects denial of service (availability)
  • Widespread impact across Siemens automation product line
  • Many products have no patch available (end-of-life)
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (21)

Product                                  | Affected Versions | Fix Status
Primary Setup Tool (PST)                 | <V4.2 HF1         | No fix yet
SIMATIC Automation Tool                  | <V3.0             | No fix yet
SIMATIC NET PC-Software                  | <V14 SP1          | No fix yet
SIMATIC PCS 7 V8.1 and earlier versions  | All versions      | No fix yet
SIMATIC PCS 7 V8.2                       | <V8.2 SP1         | No fix yet
Remediation & Mitigation

Do now
Workaround: Deploy firewall rules to block unauthorized access to PROFINET Discovery and Configuration Protocol ports (UDP 34964) from untrusted network segments

Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Primary Setup Tool (PST)
Hotfix: Update Primary Setup Tool (PST) to V4.2 HF1 or later
SIMATIC Automation Tool
Hotfix: Update SIMATIC Automation Tool to V3.0 or later
SIMATIC NET PC-Software
Hotfix: Update SIMATIC NET PC-Software to V14 SP1 or later
SIMATIC STEP 7 (TIA Portal) V13
Hotfix: Update SIMATIC STEP 7 (TIA Portal) V13 to V13 SP2 or later
Hotfix: Update SIMATIC STEP 7 (TIA Portal) V14 to V14 SP1 or later
Hotfix: Update SIMATIC WinCC (TIA Portal) V13 to V13 SP2 or later
Hotfix: Update SIMATIC WinCC (TIA Portal) V14 to V14 SP1 or later
SIMATIC STEP 7 V5.X
Hotfix: Update SIMATIC STEP 7 V5.X to V5.6 or later
SIMATIC WinCC V7.3
Hotfix: Update SIMATIC WinCC V7.3 to V7.3 Update 15 or later
SIMATIC WinCC V7.4
Hotfix: Update SIMATIC WinCC V7.4 to V7.4 SP1 Update 1 or later
SIMATIC WinCC flexible 2008
Hotfix: Update SIMATIC WinCC flexible 2008 to SP5 or later
SINEMA Server
Hotfix: Update SINEMA Server to V14 or later
SINUMERIK 808D Programming Tool
Hotfix: Update SINUMERIK 808D Programming Tool to V4.7 SP4 HF2 or later
SMART PC Access
Hotfix: Update SMART PC Access to V2.3 or later
STEP 7 - Micro/WIN SMART
Hotfix: Update STEP 7 - Micro/WIN SMART to V2.3 or later
Security Configuration Tool (SCT)
Hotfix: Update Security Configuration Tool (SCT) to V5.0 or later
All products
Hotfix: Update SIMATIC PCS 7 to V8.2 SP1 or later (V8.1 and earlier have no patch available)
Hotfix: Update SIMATIC WinAC RTX (F) 2010 to SP3 or later
Long-term hardening
Hardening: Implement network segmentation to restrict PROFINET device access to trusted engineering workstations and automation network segments only