OTPulse

Denial of Service Vulnerabilities in PROFINET DCP Implementation of Industrial Products

Severity: Monitor | CVSS 6.5 | SSA-293562 | May 8, 2017
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Two vulnerabilities in the PROFINET DCP implementation allow an attacker with direct layer 2 network access to cause denial of service by sending malicious DCP discovery packets. Affected devices become unresponsive or crash. The attack requires no authentication and affects a wide range of Siemens industrial devices including PLCs, distributed I/O modules, industrial switches, drives, and HMI panels. PROFIBUS interfaces are not affected. Siemens has released patches for many products; however, several product lines are end-of-life with no fixes planned.

What this means
What could happen
An attacker on the same network segment (layer 2) can send specially crafted PROFINET DCP packets to cause these devices to become unresponsive, disrupting manufacturing or utility operations. This is a denial of service attack with no data breach or unauthorized control; devices will recover after the attack stops or they are rebooted.
Who's at risk
Any organization using Siemens PROFINET devices is affected, particularly in manufacturing and utilities. This includes PLC CPUs (S7-1200, S7-1500, S7-300, S7-400), distributed I/O modules (ET200 series), industrial switches (SCALANCE X, M, XM, XR series), communication modules (CP 1243, CP 1543, CP 343, CP 443 series), variable frequency drives (SINAMICS G/S/DCM series), and HMI devices. Development kits and fieldbus couplers are also affected.
How it could be exploited
An attacker gains direct layer 2 network access (same Ethernet switch segment or VLAN) and sends malicious PROFINET DCP discovery packets. The device crashes or becomes unresponsive without any authentication required. No internet access needed; the attacker must be on your local network or have compromised an internal device.
Prerequisites
  • Direct layer 2 network access to the affected device (same Ethernet segment or VLAN)
  • No authentication or credentials required
  • PROFINET DCP protocol enabled on the device (default on PROFINET-capable products)
Key points
  • Remotely exploitable from the local network segment
  • No authentication required
  • Low attack complexity
  • Affects critical devices: PLCs, I/O modules, and industrial switches
  • High attack surface: 100+ product variants affected
  • Many products with no fix available (end-of-life)
Exploitability
Moderate exploit probability (EPSS 2.3%)
Affected products (124)
90 with fix, 34 pending

Product                                                                  | Affected Versions               | Fix Status
Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller | All versions < V4.1.1 Patch04 | 4.1.1 Patch04 or newer
Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200                | All versions < V4.2.1 Patch03   | 4.2.1 Patch03 or newer
Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P               | All versions < V4.4.0 Patch01   | 4.4.0 Patch01 or newer
IE/AS-i Link PN IO                                                       | All versions                    | No fix yet
IE/PB-Link (incl. SIPLUS NET variants)                                   | < V3.0                          | 3.0
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update affected Siemens SIMATIC, SCALANCE, SINAMICS, and other PROFINET-capable products to the patched firmware versions listed in the advisory
Long-term hardening
HARDENING: For products with no fix available (ET200ecoPN series, ET200S, ET200pro, CP 1243-1 DNP3/IEC variants, and others), isolate these devices on a separate VLAN with access controls and monitor for abnormal network traffic
HARDENING: Implement network segmentation to restrict layer 2 (Ethernet) access to PROFINET devices. Limit direct access to these devices to authorized engineering workstations and controllers only
HARDENING: Monitor network traffic for PROFINET DCP packets originating from unexpected sources on your OT network
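The last hardening item asks for monitoring of DCP traffic from unexpected sources. The following is an added example written for this page, not OTPulse's or Siemens' code: it parses raw Ethernet frames (plain or with one 802.1Q tag), recognises PROFINET DCP frames by EtherType 0x8892 and FrameID, and raises an alert when a DCP Identify request comes from a MAC address that is not on an allowlist of engineering stations, when one source sends more Identify requests per second than a threshold, or when a frame's declared DCP data length exceeds the bytes actually on the wire. The allowlist, the MAC addresses, the thresholds and the sample frames are all constructed for the example; the fixture builder emits the standard, well-formed Identify-All request that engineering tools send, which is what a real sensor would see from a legitimate station.

```python
"""Alert on PROFINET DCP Identify requests from unexpected layer-2 sources (added example)."""
import struct
from collections import defaultdict, deque

PROFINET_ETHERTYPE = 0x8892
VLAN_ETHERTYPE = 0x8100
DCP_MULTICAST_MAC = "01:0e:cf:00:00:00"        # destination of Identify requests
DCP_IDENTIFY_REQUEST_FRAME_ID = 0xFEFE
DCP_FRAME_IDS = {0xFEFC, 0xFEFD, 0xFEFE, 0xFEFF}  # Get/Set and Identify request/response
DCP_SERVICE_IDENTIFY = 0x05
DCP_SERVICE_TYPE_REQUEST = 0x00


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text: str) -> bytes:
    return bytes(int(part, 16) for part in text.split(":"))


def parse_dcp(frame: bytes):
    """Return DCP header fields for a PROFINET DCP frame, or None for anything else."""
    if len(frame) < 14:
        return None
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    offset, vlan = 12, None
    ethertype = struct.unpack("!H", frame[offset:offset + 2])[0]
    if ethertype == VLAN_ETHERTYPE:            # skip a single 802.1Q tag
        if len(frame) < 18:
            return None
        vlan = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 16
    if ethertype != PROFINET_ETHERTYPE:
        return None
    payload = frame[offset + 2:]
    if len(payload) < 12:                      # FrameID (2) + DCP header (10)
        return None
    frame_id, service_id, service_type, xid, _delay, data_len = struct.unpack("!HBBIHH", payload[:12])
    if frame_id not in DCP_FRAME_IDS:
        return None
    return {
        "dst": dst, "src": src, "vlan": vlan, "frame_id": frame_id, "xid": xid,
        "identify_request": (frame_id == DCP_IDENTIFY_REQUEST_FRAME_ID
                             and service_id == DCP_SERVICE_IDENTIFY
                             and service_type == DCP_SERVICE_TYPE_REQUEST),
        "length_mismatch": data_len > len(payload) - 12,   # declared more data than present
    }


class DcpMonitor:
    """Alert on Identify requests from non-allowlisted MACs, floods, or bad lengths."""

    def __init__(self, allowed_macs, max_per_window=10, window_seconds=1.0):
        self.allowed = {m.lower() for m in allowed_macs}
        self.max_per_window, self.window = max_per_window, window_seconds
        self.recent = defaultdict(deque)       # src MAC -> timestamps of Identify requests

    def observe(self, frame: bytes, ts: float) -> list:
        dcp = parse_dcp(frame)
        if dcp is None or not dcp["identify_request"]:
            return []
        src, alerts = dcp["src"], []
        if src not in self.allowed:
            alerts.append(f"{ts:.3f} DCP Identify from non-allowlisted {src} (vlan={dcp['vlan']})")
        if dcp["length_mismatch"]:
            alerts.append(f"{ts:.3f} malformed DCP from {src}: declared length exceeds frame")
        q = self.recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window:   # keep only timestamps inside the window
            q.popleft()
        if len(q) > self.max_per_window:
            alerts.append(f"{ts:.3f} DCP Identify flood from {src}: {len(q)} in {self.window}s")
        return alerts

    def run(self, frames) -> list:
        """frames: iterable of (timestamp, raw Ethernet frame). Returns every alert raised."""
        return [a for ts, frame in frames for a in self.observe(frame, ts)]


def identify_all_request(src_mac: str, xid: int, vlan=None) -> bytes:
    """Test fixture: a standard Identify-All request (AllSelector block, padded to 60 bytes)."""
    block = bytes([0xFF, 0xFF]) + struct.pack("!H", 0)
    dcp = struct.pack("!HBBIHH", DCP_IDENTIFY_REQUEST_FRAME_ID, DCP_SERVICE_IDENTIFY,
                      DCP_SERVICE_TYPE_REQUEST, xid, 0x0080, len(block)) + block
    hdr = mac_bytes(DCP_MULTICAST_MAC) + mac_bytes(src_mac)
    if vlan is not None:
        hdr += struct.pack("!HH", VLAN_ETHERTYPE, vlan)
    frame = hdr + struct.pack("!H", PROFINET_ETHERTYPE) + dcp
    return frame + b"\x00" * max(0, 60 - len(frame))


ALLOWED_ENGINEERING_STATIONS = {"02:00:00:00:00:01"}   # constructed allowlist (locally administered MAC)


def demo() -> list:
    """Run the monitor over constructed traffic: one legitimate scan, one unknown host, one burst."""
    mon = DcpMonitor(ALLOWED_ENGINEERING_STATIONS, max_per_window=10, window_seconds=1.0)
    frames = [(0.0, identify_all_request("02:00:00:00:00:01", 1))]                 # engineering station
    frames.append((0.5, identify_all_request("02:00:00:00:00:99", 2, vlan=10)))   # host not on allowlist
    frames += [(1.0 + i * 0.05, identify_all_request("02:00:00:00:00:01", 100 + i)) for i in range(12)]
    frames.append((2.0, b"\xff" * 6 + mac_bytes("02:00:00:00:00:01")
                   + struct.pack("!H", 0x0800) + b"\x00" * 46))                    # IPv4 frame, ignored
    return mon.run(frames)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

In the constructed run the unknown host on VLAN 10 produces one alert and the 12-request burst from the allowed station produces two flood alerts (the 11th and 12th request inside the one-second window); the IPv4 frame is ignored. On a real sensor the frames would come from a SPAN port or a capture library, and the allowlist would be the MACs of the engineering workstations and controllers that the segmentation item above permits to reach the PROFINET segment.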