OTPulse

Denial of Service Vulnerability in SNMP Interface of Industrial Products

CVSS: 7.5
Advisory: SSA-346262
Date: Nov 23, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A denial of service vulnerability in the SNMP interface (port 161/UDP) affects numerous Siemens PROFINET-based industrial devices. An attacker can send specially crafted SNMP packets to crash or hang affected devices, interrupting I/O operations and process control. The vulnerability is present in development kits, distributed I/O modules (ET200 family), programmable controllers (S7 series), motion control systems (SIMOTION), frequency drives (SINAMICS), and other PROFINET-enabled devices. Siemens has released firmware patches for some product lines but no fixes are available for certain ET200 variants and S120 drive models.

What this means
What could happen
An attacker can remotely crash or freeze I/O modules and controllers by flooding port 161/UDP with malformed SNMP packets, causing loss of command communication with remote terminal units (RTUs), field sensors, and motor drives. This results in inability to monitor or control remote equipment, potential process shutdown, or loss of safety-critical signaling.
Who's at risk
This affects water utilities and municipal electric operators who use Siemens PROFINET-based remote I/O and distributed control systems. The highest-impact sites are those running ET200ecoPN or ET200S modules for remote analog/digital input and output, S7-1500 or S7-300 PLCs as central controllers, SINAMICS motor drives for pump or compressor control, and SIMOTION motion controllers for treatment plant equipment. Many sites have deployed multiple affected devices without patches.
How it could be exploited
An attacker sends specially crafted SNMP requests to port 161/UDP on any affected device that is reachable from their network segment. The SNMP service crashes or enters a hung state, making the device unable to respond to legitimate control commands or send status updates back to the controller. The attack requires no authentication and can be repeated to maintain the denial of service.
Prerequisites
  • Network-reachable access to port 161/UDP on the affected device
  • No credentials or authentication required
  • Device must have SNMP service enabled (default in many PROFINET devices)
Risk factors: remotely exploitable; no authentication required; low complexity; high CVSS (7.5); no patch available for multiple product lines; affects critical distributed I/O and drive systems.
Exploitability
Moderate exploit probability (EPSS 5.3%)
Affected products (78)
47 with fix, 31 pending
Product                                  | Affected Versions | Fix Status
SIMATIC ET 200AL IM 157-1 PN             | < V1.0.2          | V1.0.2
SIMATIC ET 200M (incl. SIPLUS variants)  | All versions      | No fix yet
SIMATIC ET 200MP IM 155-5 PN BA          | < V4.0.2          | V4.0.2
SIMATIC ET 200MP IM 155-5 PN HF          | < V4.2.0          | V4.2.0
SIMATIC ET 200MP IM 155-5 PN ST          | < V4.1.0          | V4.1.0
Remediation & Mitigation
Do now
WORKAROUND: Disable the SNMP service on affected PROFINET devices if SNMP monitoring is not required for operations
WORKAROUND: Implement firewall rules to block inbound traffic to port 161/UDP from untrusted networks; restrict SNMP access to authorized management stations only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC ET 200AL IM 157-1 PN
HOTFIX: Update SIMATIC ET 200AL IM 157-1 PN to firmware V1.0.2 or later
SINUMERIK 840D sl
HOTFIX: Update SINUMERIK 840D sl to firmware V4.8 SP3 or later
All products
HOTFIX: Update SIMATIC S7-300 CPU to firmware V3.X.16 or later
HOTFIX: Update SIMATIC S7-1200 CPU to firmware V4.2.3 or later
HOTFIX: Update SIMATIC S7-1500 CPU to firmware V2.0 or later
HOTFIX: Update SIMATIC S7-400 PN/DP V6 CPU to firmware V6.0.6 or later
HOTFIX: Update SIMATIC S7-400 PN/DP V7 CPU to firmware V7.0.2 or later
HOTFIX: Update SIMATIC ET 200MP IM 155-5 PN variants to their respective patched versions (BA V4.0.2, HF V4.2.0, ST V4.1.0)
HOTFIX: Update SIMATIC ET 200SP IM 155-6 PN variants to their respective patched versions (HA V1.1.0, HF V4.2.0, HS V4.0.1)
HOTFIX: Update SIMATIC PN/PN Coupler to firmware V4.2.0 or later
HOTFIX: Update SINAMICS S110 drives with PROFINET to firmware V4.4 SP3 HF6 or later
HOTFIX: Update SINAMICS S120 V4.7 drives with PROFINET to firmware V4.7 HF29 or later
HOTFIX: Update SINAMICS S120 V4.8 drives with PROFINET to firmware V4.8 HF5 or later
HOTFIX: Update SINAMICS G-series (G110M, G120, G130, G150) drives with PROFINET to their respective patched versions
Long-term hardening
HARDENING: Segment PROFINET I/O networks from corporate IT networks using industrial-grade network switches and access control lists
HARDENING: Implement network monitoring and alerting for unusual SNMP traffic patterns to detect potential attack attempts
HARDENING: Develop a phased firmware update plan for all PROFINET devices, prioritizing controllers and critical I/O modules, with testing in a lab environment before production deployment
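To support two of the controls listed above (restricting 161/UDP to authorized management stations, and alerting on unusual SNMP traffic patterns), here is an added Python example that is not part of the advisory or of any Siemens tooling: it scans firewall-style log lines for SNMP packets aimed at a PROFINET I/O subnet and reports sources outside the allowlist as well as sources exceeding a packet threshold. The log format, the 10.20.0.0/24 subnet, the management-station address, the threshold and the sample log are constructed assumptions.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

SNMP_PORT = 161
OT_IO_NET = ip_network("10.20.0.0/24")      # assumed PROFINET I/O subnet
MGMT_STATIONS = {ip_address("10.10.1.5")}   # assumed authorized SNMP pollers
RATE_THRESHOLD = 50                         # packets per source per log window

# Assumed firewall-style log format: "<ts> <fw> proto=UDP src=A:P dst=B:161"
LINE_RE = re.compile(
    r"proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)

def parse_line(line):
    """Return (proto, src, dst, dport) or None for lines that do not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["proto"], ip_address(m["src"]), ip_address(m["dst"]), int(m["dport"])

def analyze_snmp(lines):
    """Return sources not on the allowlist and sources exceeding the rate threshold."""
    per_source = Counter()
    unauthorized = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        proto, src, dst, dport = rec
        # Only SNMP (161/UDP) aimed at the I/O subnet matters for this advisory
        if proto != "UDP" or dport != SNMP_PORT or dst not in OT_IO_NET:
            continue
        per_source[src] += 1
        if src not in MGMT_STATIONS:
            unauthorized.add(src)
    flooders = {src for src, n in per_source.items() if n >= RATE_THRESHOLD}
    return {"unauthorized": sorted(str(s) for s in unauthorized),
            "flooders": sorted(str(s) for s in flooders)}

# Constructed sample log: legitimate polls, a stray unauthorized host, and a burst
SAMPLE_LOG = (
    ["2017-11-23T10:00:01 fw1 proto=UDP src=10.10.1.5:50001 dst=10.20.0.15:161"] * 3
    + ["2017-11-23T10:00:02 fw1 proto=UDP src=10.10.1.9:50002 dst=10.20.0.15:161"] * 2
    + ["2017-11-23T10:00:03 fw1 proto=TCP src=10.10.1.9:50003 dst=10.20.0.15:161"]
    + [f"2017-11-23T10:00:04 fw1 proto=UDP src=192.168.5.77:{40000 + i} dst=10.20.0.22:161"
       for i in range(60)]
)
```

Running `analyze_snmp(SAMPLE_LOG)` flags 10.10.1.9 as unauthorized (low volume) and 192.168.5.77 as both unauthorized and a flooder; the TCP line is ignored because the advisory concerns 161/UDP only.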