OTPulse

Siemens PROFINET-IO Stack (Update H)

Status: Plan Patch
CVSS: 7.5
Source: ICS-CERT ICSA-20-042-04
Published: Feb 11, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A denial of service vulnerability exists in Siemens PROFINET-IO stack versions prior to v6.0 when multiple legitimate diagnostic requests are sent to the DCE-RPC interface. An attacker can send crafted packets to port 34964/UDP, exhausting device resources and causing the device to stop responding. The vulnerability affects a broad range of industrial network devices including SCALANCE switches, SIMATIC control interfaces, ET200 series modules, and SIMOTION motion controllers. Service is restored only by manual device reboot or intervention. Siemens has released firmware updates for most affected product families; however, some older products including CP 343-1 series, ET200ecoPN, ET200S, and RF180/182C have no fix planned.

What this means
What could happen
An attacker can send specially crafted diagnostic packets to PROFINET devices over the network, causing them to stop responding and disrupting the industrial processes they control, such as transit control, water treatment, or power distribution. Service can be restored only by manual intervention or device reboot.
Who's at risk
Transportation authorities and other operators using Siemens SCALANCE industrial switches, SIMATIC control modules, and SIMOTION motion controllers are affected. The vulnerability impacts any industrial network using PROFINET protocol for device communication in rail transit, subways, and infrastructure control systems. Devices in water treatment, power distribution, and manufacturing are also at risk.
How it could be exploited
An attacker on the network (or with network access to port 34964/UDP) sends multiple legitimate diagnostic requests to the DCE-RPC interface on affected PROFINET devices. This exhausts device resources and triggers a denial of service, making the device unresponsive to normal PROFINET I/O traffic. No authentication is required.
Prerequisites
  • Network access to affected device on port 34964/UDP
  • PROFINET stack enabled on the device (default)
  • No authentication required
Tags: remotely exploitable · no authentication required · low complexity · affects critical infrastructure · affects multiple device families · no fix available for some products
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (169): 135 with fix, 34 pending

Product                                  Affected Versions   Fix Status
SCALANCE X307-2 EEC (230V, coated)       <V4.1.4             4.1.4
SCALANCE X307-2 EEC (230V)               <V4.1.4             4.1.4
SCALANCE X307-2 EEC (24V, coated)        <V4.1.4             4.1.4
SCALANCE X307-2 EEC (24V)                <V4.1.4             4.1.4
SCALANCE X307-2 EEC (2x 230V, coated)    <V4.1.4             4.1.4
Remediation & Mitigation
Do now
WORKAROUND: Block incoming DCE-RPC packets (port 34964/UDP) from untrusted networks using firewall rules
WORKAROUND: Disable PROFINET on devices where it is optional and not used in your environment
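The firewall workaround above is only as good as its verification. The following is an added example (not OTPulse or Siemens code) that runs detection logic over flow records: it flags any packets reaching the DCE-RPC port 34964/UDP from outside the trusted OT subnets (traffic the firewall rule should already drop) and bursts of DCE-RPC traffic from inside them, which is what the resource-exhaustion pattern in this advisory looks like from the network side. The flow records, the record format, the trusted subnet list and the thresholds are constructed assumptions for illustration.

```python
"""Flag traffic towards the PROFINET DCE-RPC port (34964/UDP) that the
firewall workaround is meant to stop: packets from outside the trusted OT
subnets, and bursts from inside them.

Added example for this advisory; not OTPulse or Siemens code. The flow
records, subnet list, record format and thresholds are constructed
assumptions for illustration."""
import ipaddress
from collections import defaultdict
from datetime import datetime

PROFINET_DCERPC_PORT = 34964  # port named in the advisory

# Assumed trusted OT address space (placeholder, not from the advisory).
TRUSTED_OT_SUBNETS = [ipaddress.ip_network("10.10.0.0/16")]

# Constructed sample flow records, one per line:
# "<ISO timestamp> <src ip> <dst ip> <proto> <dst port> <packets>"
SAMPLE_FLOWS = """\
2020-02-11T10:00:01 10.10.1.5 10.10.2.20 UDP 34964 3
2020-02-11T10:00:02 10.10.1.5 10.10.2.20 UDP 34964 2
2020-02-11T10:00:05 192.168.50.9 10.10.2.20 UDP 34964 40
2020-02-11T10:00:06 192.168.50.9 10.10.2.21 UDP 34964 55
2020-02-11T10:00:07 192.168.50.9 10.10.2.20 UDP 34964 60
2020-02-11T10:00:09 10.10.1.7 10.10.2.20 UDP 34964 120
2020-02-11T10:00:10 10.10.1.7 10.10.2.20 TCP 102 5
2020-02-11T10:01:30 10.10.1.7 10.10.2.20 UDP 34964 2
"""

EPOCH = datetime(1970, 1, 1)  # reference point for bucketing naive timestamps


def parse_flows(text):
    """Parse the constructed flow format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, port, pkts = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src,
            "dst": dst,
            "proto": proto,
            "dst_port": int(port),
            "packets": int(pkts),
        })
    return records


def is_trusted(ip):
    """True when the address lies inside one of the trusted OT subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_OT_SUBNETS)


def analyse(records, window_seconds=60, packet_threshold=100):
    """Return findings for UDP traffic to the DCE-RPC port.

    "untrusted_source": packets from outside TRUSTED_OT_SUBNETS, i.e. the
    traffic the firewall workaround should already be dropping.
    "burst": a trusted source reaching packet_threshold within one
    window_seconds bucket, the shape a resource-exhaustion flood takes
    when it originates inside the OT network."""
    untrusted = defaultdict(int)
    buckets = defaultdict(int)
    for r in records:
        if r["proto"] != "UDP" or r["dst_port"] != PROFINET_DCERPC_PORT:
            continue
        if not is_trusted(r["src"]):
            untrusted[r["src"]] += r["packets"]
            continue
        bucket = int((r["ts"] - EPOCH).total_seconds()) // window_seconds
        buckets[(r["src"], bucket)] += r["packets"]

    findings = []
    for src, pkts in sorted(untrusted.items()):
        findings.append({"kind": "untrusted_source", "src": src, "packets": pkts})
    for (src, _bucket), pkts in sorted(buckets.items()):
        if pkts >= packet_threshold:
            findings.append({"kind": "burst", "src": src, "packets": pkts})
    return findings


if __name__ == "__main__":
    for f in analyse(parse_flows(SAMPLE_FLOWS)):
        print(f"{f['kind']:17} {f['src']:15} {f['packets']} packets")
```

On the constructed sample, the external host is reported once with its total packet count, and the internal host is reported for its 120-packet minute but not for the quiet minute that follows; the 5 packets from the first internal host stay below the threshold. Real deployments would feed NetFlow/IPFIX or span-port summaries into `parse_flows` and tune `packet_threshold` to the diagnostic traffic the engineering workstations normally generate.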
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC CP 1616 and CP 1604
HOTFIX: Update SIMATIC CP 1616 and CP 1604 to v2.8.1 or later
SIMATIC CP 443-1
HOTFIX: Update SIMATIC CP 443-1 and CP 443-1 Advanced to v3.3 or later
SCALANCE M876-4 (NAM)
HOTFIX: Update SINAMICS DCP to v1.3 or later
SIMOTION C
HOTFIX: Update SIMOTION C, D, P to v4.5 or later
All products
HOTFIX: Update SCALANCE X-200 switch family to v5.2.5 or later
HOTFIX: Update SCALANCE XB-200, XC-200, XP-200, XF-200BA, XR-300WG families to v4.1 or later
HOTFIX: Update SCALANCE X-300 switch family and X408 to v4.1.4 or later
HOTFIX: Update SCALANCE X-200IRT switch family to v5.4.2 or later
HOTFIX: Update SCALANCE XM-400 switch family to v6.2.3 or later
HOTFIX: Update SCALANCE XR-500 switch family to v6.2.3 or later
HOTFIX: Update SCALANCE M-800 and S615 to v6.1.2 or later
HOTFIX: Update SCALANCE W700 IEEE 802.11n family to v6.4 or later
HOTFIX: Update SIMATIC ET200MP IM155-5 PN HF to v4.2.0 or later
HOTFIX: Update SIMATIC ET200MP IM155-5 PN ST to v4.1.0 or later
HOTFIX: Update SIMATIC ET200SP IM155-6 PN HF to v4.2.0 or later
HOTFIX: Update SIMATIC ET200SP IM155-6 PN ST to v4.1.0 or later
HOTFIX: Update SIMATIC RF600 family to v3.2.1 or later
HOTFIX: Update RUGGEDCOM RM1224 to v6.1.2 or later
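With this many families and minimum versions, the practical step is to check an asset inventory against the fix list rather than eyeballing it. The following is an added example (not OTPulse or Siemens code) that does that: it encodes a subset of the minimum versions from the hotfix list above, the families the summary says have no fix planned, and compares running firmware numerically so that a version such as 6.2.10 is correctly treated as newer than 6.2.3. The inventory records and the family labels are constructed assumptions about how an asset inventory names devices.

```python
"""Check a device inventory against the fixed firmware versions for this
advisory.

Added example for this advisory; not OTPulse or Siemens code. The fix table
is a subset of the versions on this page; the inventory records and the
family labels are constructed assumptions."""

# Minimum fixed firmware per family, taken from the hotfix list on this page.
FIX_VERSIONS = {
    "SCALANCE X-200": "V5.2.5",
    "SCALANCE X-300": "V4.1.4",
    "SCALANCE XM-400": "V6.2.3",
    "SIMATIC ET200SP IM155-6 PN HF": "V4.2.0",
    "SIMATIC CP 443-1": "V3.3",
    "SIMATIC RF600": "V3.2.1",
}

# Families the advisory summary says have no fix planned.
NO_FIX_PLANNED = {"CP 343-1", "ET200ecoPN", "ET200S", "RF180/182C"}

# Constructed inventory: (asset name, product family, running firmware).
SAMPLE_INVENTORY = [
    ("sw-hall-01", "SCALANCE X-300", "V4.1.3"),
    ("sw-hall-02", "SCALANCE X-300", "V4.1.4"),
    ("sw-core-01", "SCALANCE XM-400", "v6.2.10"),
    ("io-line-3", "SIMATIC ET200SP IM155-6 PN HF", "4.1.0"),
    ("cp-plc-7", "SIMATIC CP 443-1", "V3.3.0"),
    ("cp-old-2", "CP 343-1", "V3.1"),
    ("drive-9", "UNLISTED FAMILY (placeholder)", "V4.7"),
]


def parse_version(text):
    """'V4.1.4', 'v4.1.4' and '4.1.4' all become (4, 1, 4)."""
    return tuple(int(part) for part in text.strip().lstrip("vV").split("."))


def version_at_least(running, required):
    """Component-wise numeric comparison, zero-padded to equal length, so
    6.2.10 >= 6.2.3 (which a string compare gets wrong) and 3.3 equals 3.3.0."""
    a, b = parse_version(running), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def check_inventory(inventory):
    """Return (asset, status) per device. Statuses: ok, update_required,
    no_fix_planned (isolate or replace), unknown_family (check manually)."""
    results = []
    for asset, family, running in inventory:
        if family in NO_FIX_PLANNED:
            status = "no_fix_planned"
        elif family not in FIX_VERSIONS:
            status = "unknown_family"
        elif version_at_least(running, FIX_VERSIONS[family]):
            status = "ok"
        else:
            status = "update_required"
        results.append((asset, status))
    return results


def summarize(results):
    """Count devices per status for a quick maintenance-window estimate."""
    counts = {}
    for _asset, status in results:
        counts[status] = counts.get(status, 0) + 1
    return counts


if __name__ == "__main__":
    results = check_inventory(SAMPLE_INVENTORY)
    for asset, status in results:
        print(f"{asset:12} {status}")
    print(summarize(results))
```

Devices reported as no_fix_planned cannot be closed by patching, so they belong on the firewall and segmentation list from the workarounds and hardening items; unknown_family results usually mean the inventory label does not match the advisory's family name and need a manual look rather than being assumed safe.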
Long-term hardening
HARDENING: Implement network segmentation to isolate control system networks from the business network
HARDENING: Restrict network access to PROFINET devices using firewall rules and access control lists