OTPulse

Siemens PROFINET Devices (Update K)

Plan Patch
CVSS 7.5
ICS-CERT ICSA-19-283-02
Oct 8, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A vulnerability in Siemens PROFINET devices allows an attacker to cause a denial of service (DoS) by sending a large number of specially crafted UDP packets to the device. The vulnerability affects a wide range of SIMATIC S7 controllers, SINAMICS drive systems, ET 200 distributed I/O modules, and related PROFINET-enabled devices across multiple product families and versions.

What this means
What could happen
An attacker with network access to affected PROFINET devices can cause them to become unresponsive by flooding them with malformed UDP traffic, disrupting process operations and stopping production or utility delivery until the device is manually restarted.
Who's at risk
Manufacturing plants and transportation systems using Siemens PROFINET-enabled controllers and distributed I/O should be concerned. This includes facilities with SIMATIC S7 PLCs (models 300, 400, 1200, 1500), SINAMICS motor drives (G110M, G120, G130, G150, S110, S120, S150 series), SINUMERIK CNC machines (828D, 840D), and ET 200 distributed I/O terminal modules. Organizations with these devices in production environments face operational disruption risk.
How it could be exploited
An attacker sends specially crafted UDP packets across the network to the PROFINET interface of a vulnerable device. The malformed packets cause the device to become unresponsive, triggering a denial of service condition. The attack does not require credentials or special network position beyond basic network connectivity to the device.
Prerequisites
  • Network connectivity to affected PROFINET device on its network interface
  • Ability to send UDP packets to the device
remotely exploitable · no authentication required · low complexity · affects production availability · very large attack surface - affects dozens of product lines · many products have no fix available
Exploitability
Moderate exploit probability (EPSS 2.0%)
Affected products (106)
66 with fix, 40 pending
Product                              Affected Versions   Fix Status
SIMATIC S7-300 CPU 317F-2 PN/DP      <V3.2.17            3.2.17
SIMATIC S7-300 CPU 317T-3 PN/DP      <V3.2.17            3.2.17
SIMATIC S7-300 CPU 317TF-3 PN/DP     <V3.2.17            3.2.17
SIMATIC S7-300 CPU 319-3 PN/DP       <V3.2.17            3.2.17
SIMATIC S7-300 CPU 319F-3 PN/DP      <V3.2.17            3.2.17
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to PROFINET devices using firewall rules to allow only authorized access
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC S7-1500 Software Controller
HOTFIX: Update SIMATIC S7-1500 Software Controller to v2.0 or later
SINUMERIK 828D
HOTFIX: Update SINUMERIK 828D to v4.8 SP5 or later
SINUMERIK 840D sl
HOTFIX: Update SINUMERIK 840D sl to v4.8 SP6 or later
All products
HOTFIX: Update SIMATIC S7-300 CPU family to v3.2.17 or later
HOTFIX: Update SIMATIC S7-400 CPU 412-2 PN and 414/416 series to v7.0.3 or later
HOTFIX: Update SIMATIC S7-400 H V6 CPU family to v6.0.9 or later
HOTFIX: Update SIMATIC S7-410 V8 CPU family to v8.2.2 or later
HOTFIX: Update SIMATIC S7-1200 CPU family to v4.4.0 or later
HOTFIX: Update ET 200 distributed I/O modules to their respective fixed versions as listed
HOTFIX: Update SINAMICS drive controllers to their respective fixed versions
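
Added example (not part of the advisory and not Siemens tooling): a Python check that compares an asset inventory against the fixed versions stated in the hotfix entries above, including the "SP" service-pack suffix used by SINUMERIK. The inventory naming and the sample entries are assumptions constructed for illustration; families the page lists only as "respective fixed versions" (ET 200, SINAMICS) are reported as unknown.

```python
import re

# Fixed firmware versions as stated in the hotfix entries above.
# Assumption: inventory product strings contain the family name shown here.
FIXED_VERSIONS = [
    ("S7-1500 Software Controller", "2.0"),
    ("SINUMERIK 828D", "4.8 SP5"),
    ("SINUMERIK 840D sl", "4.8 SP6"),
    ("S7-300 CPU", "3.2.17"),
    ("S7-400 CPU 412-2 PN", "7.0.3"),
    ("S7-400 CPU 414", "7.0.3"),
    ("S7-400 CPU 416", "7.0.3"),
    ("S7-400 H V6", "6.0.9"),
    ("S7-410 V8", "8.2.2"),
    ("S7-1200 CPU", "4.4.0"),
]

_VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(?:\s*SP\s*(\d+))?\s*$", re.I)

def parse_version(text):
    """Turn 'V4.8 SP5' into a comparable tuple (4, 8, 0, 0, 5); None if unparsable."""
    m = _VERSION_RE.match(text or "")
    if not m:
        return None
    nums = [int(p) for p in m.group(1).split(".")]
    nums += [0] * (4 - len(nums))          # pad so 2.0 compares equal to 2.0.0
    return tuple(nums) + (int(m.group(2) or 0),)

def assess(product, firmware):
    """Return 'vulnerable', 'fixed', or 'unknown' for one inventory entry."""
    have = parse_version(firmware)
    for family, fixed in FIXED_VERSIONS:
        if family.lower() in product.lower():
            if have is None:
                return "unknown"            # unreadable version: check by hand
            return "fixed" if have >= parse_version(fixed) else "vulnerable"
    return "unknown"                        # no fixed version stated on this page

# Constructed sample inventory (not real asset data).
INVENTORY = [
    ("SIMATIC S7-300 CPU 319-3 PN/DP", "V3.2.16"),
    ("SIMATIC S7-1200 CPU 1214C", "V4.4.0"),
    ("SINUMERIK 840D sl", "V4.8 SP5"),
    ("SINAMICS G120", "V4.7"),
]

if __name__ == "__main__":
    for product, fw in INVENTORY:
        print(f"{product:<34} {fw:<10} {assess(product, fw)}")
```

Entries that come back as unknown still need a manual lookup against the vendor's per-product fixed versions before they can be treated as unaffected.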
Long-term hardening
HARDENING: Isolate PROFINET control system networks from the business network using air gap or firewall segmentation
HARDENING: Ensure PROFINET devices are not directly accessible from the internet
HARDENING: Configure network environment according to Siemens operational guidelines for industrial security
Siemens PROFINET Devices (Update K) | CVSS 7.5 - OTPulse