OTPulse

Siemens PROFINET Devices

Action: Plan Patch
CVSS: 7.5
Source: ICS-CERT ICSA-21-194-03
Date: Jul 13, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A Denial of Service vulnerability exists in Siemens PROFINET-based industrial switches and controllers. When a large volume of PROFINET Discovery and Configuration Protocol (DCP) reset packets (Ethertype 0x8892) is sent to affected devices, they become unresponsive and cannot process legitimate communication. Vulnerable devices include the SCALANCE X, XB, XC, XF, XP, XR, XM switch families; the SCALANCE W wireless series; SIMATIC S7-1200 CPUs; SIMATIC MV500/540/550/560 process modules; SIMOCODE proV Ethernet/IP and PROFINET variants; RUGGEDCOM RM1224 industrial routers; and various SIMATIC network communication modules. Siemens has released firmware updates for most affected products. For products where updates are not available (legacy SCALANCE W wireless models, SIMATIC CP 1604/1616/1626, SIMATIC IE/PB-LINK, DCP evaluation kits), network-level filtering and disabling DCP are recommended.

What this means
What could happen
An attacker sending a large volume of PROFINET Discovery and Configuration Protocol (DCP) reset packets can cause a denial of service (DoS), rendering affected industrial switches and controllers unable to process legitimate communication or maintain network connectivity.
Who's at risk
Industrial network operators using Siemens SCALANCE switches (X, XB, XC, XF, XP, XR, XM, W series) should be concerned. Also affected are SIMATIC controllers (S7-1200, MV500 family), SIMOCODE pro devices, and RUGGEDCOM industrial routers. Primary sectors: energy utilities, water/wastewater treatment, manufacturing, and any industrial facility relying on PROFINET-based process automation and control networks.
How it could be exploited
An attacker with network access to an affected Siemens SCALANCE or SIMATIC device can send a flood of DCP reset packets (Ethertype 0x8892, Frame-ID 0xfefe) to port 5353 or the device's network interface. This overwhelms the device's processing capacity, causing it to stop responding to management and operational traffic. No authentication is required; the attacker only needs to reach the device over the network.
Prerequisites
  • Network access to the affected device
  • Ability to send Ethernet frames with Ethertype 0x8892 (PROFINET DCP)
  • No credentials or prior access required
  • Device must have PROFINET enabled or discoverable (default state)
  • remotely exploitable
  • no authentication required
  • low complexity attack (packet flooding)
  • affects network availability and operations
  • wide range of industrial control devices affected
  • some products (older SCALANCE W and wireless models, CP 1604/1616/1626, etc.) have no fix available
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (249): 217 with fix, 32 pending

Product                              Affected Versions   Fix Status
SCALANCE XC216-3G PoE (54 V DC)      < V4.3              V4.3
SCALANCE XC216-4C                    < V4.3              V4.3
SCALANCE XC216-4C G                  < V4.3              V4.3
SCALANCE XC216-4C G (EIP Def.)       < V4.3              V4.3
SCALANCE XC216-4C G EEC              < V4.3              V4.3
Remediation & Mitigation
Do now
WORKAROUND: Block incoming PROFINET DCP packets (Ethertype 0x8892, Frame-ID 0xfefe) at network edge firewalls and switches to prevent flooding attacks from untrusted networks or the Internet.
WORKAROUND: Disable PROFINET Discovery and Configuration Protocol (DCP) on affected devices if not required for normal operations.
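Where blocking DCP at the edge is not possible, the same header fields the workaround names (Ethertype 0x8892 and the DCP Frame-IDs) can drive a flood detector on a mirror port. The following is an added example, not code from OTPulse or Siemens; it parses constructed Ethernet frames, counts DCP frames per source MAC in a sliding window, and flags sources exceeding a threshold. The threshold, window, sample MACs and the minimal DCP header layout used for the test frames are assumptions.

```python
import struct
from collections import defaultdict, deque

PROFINET_ETHERTYPE = 0x8892
# Frame-IDs carrying PROFINET DCP: 0xFEFE (named in the advisory, Identify request),
# 0xFEFD (Get/Set request) and 0xFEFF (Identify response).
DCP_FRAME_IDS = {0xFEFD, 0xFEFE, 0xFEFF}

def parse_dcp(frame: bytes):
    """Return (src_mac, frame_id, service_id) for a PROFINET DCP frame, else None."""
    if len(frame) < 17:
        return None
    ethertype, frame_id = struct.unpack("!HH", frame[12:16])
    if ethertype != PROFINET_ETHERTYPE or frame_id not in DCP_FRAME_IDS:
        return None
    # DCP header follows the Frame-ID; its first byte is the ServiceID (3=Get, 4=Set, 5=Identify)
    return frame[6:12].hex(":"), frame_id, frame[16]

def detect_dcp_flood(frames, window_s=1.0, threshold=50):
    """frames: iterable of (timestamp, raw_bytes) in time order. Returns the set of
    source MACs that sent more than `threshold` DCP frames inside any `window_s` seconds."""
    recent = defaultdict(deque)
    flagged = set()
    for ts, raw in frames:
        parsed = parse_dcp(raw)
        if parsed is None:
            continue            # non-PROFINET or non-DCP traffic is ignored
        src = parsed[0]
        times = recent[src]
        times.append(ts)
        while ts - times[0] > window_s:
            times.popleft()     # drop timestamps that fell out of the window
        if len(times) > threshold:
            flagged.add(src)
    return flagged

def sample_dcp_frame(src_mac: bytes, frame_id: int = 0xFEFE, service_id: int = 5) -> bytes:
    """Constructed test frame (not a capture): Ethernet header to the DCP multicast
    address, PROFINET Frame-ID, then a minimal DCP header with no payload."""
    dst = bytes.fromhex("010ecf000000")
    dcp_header = struct.pack("!BBIHH", service_id, 0, 0x1234, 0, 0)  # ServiceID, Type, Xid, Delay, Len
    return dst + src_mac + struct.pack("!HH", PROFINET_ETHERTYPE, frame_id) + dcp_header

def demo():
    """Constructed traffic: one host emitting 200 DCP frames within a second, an
    engineering station sending five Identify requests, and one IPv4 frame."""
    flooder, engineer = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    frames = [(i * 0.005, sample_dcp_frame(flooder)) for i in range(200)]
    frames += [(float(i), sample_dcp_frame(engineer)) for i in range(5)]
    frames.append((0.1, bytes(12) + b"\x08\x00" + bytes(46)))
    return detect_dcp_flood(sorted(frames))
```

In production, feed `detect_dcp_flood` with timestamps and raw frames from a capture library on a monitoring interface and tune the threshold to the site's normal DCP discovery rate.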
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SCALANCE XP208 (Ethernet/IP)
HOTFIX: Update SIMOCODE proV PROFINET devices to firmware v2.1.3 or later, and SIMOCODE proV Ethernet/IP devices to v1.1.3 or later.
All products
HOTFIX: Update SCALANCE X, XB, XC, XF, XP, XR, XM, and W-series switches to their respective fixed versions (e.g., v4.3, v5.2.5, v6.3.1, v6.4, v3.0.0 depending on model).
HOTFIX: Update the SIMATIC S7-1200 CPU family to firmware v4.5 or later.
HOTFIX: Update the SIMATIC MV500/540/550/560 family to firmware v3.0 or later.
Long-term hardening
HARDENING: Implement network segmentation to isolate PROFINET-based industrial switches and controllers from untrusted networks.
HARDENING: Restrict management access to affected devices to authorized workstations only, using firewall rules and access control lists.