OTPulse

Denial of Service Vulnerability in Profinet Devices

Plan Patch · 7.5 · SSA-473245 · Oct 8, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A denial of service vulnerability exists in Siemens PROFINET devices due to improper handling of malformed UDP packets (CWE-400). An attacker sending a large volume of specially crafted UDP packets to an affected device can cause it to become unresponsive, disrupting PROFINET communication. This affects a wide range of Siemens automation equipment including S7-300/400/1200/1500 PLCs, ET200 series distributed I/O modules, SINAMICS variable frequency drives, SINUMERIK machine tools, HMI Comfort Panels, and various development/evaluation kits. Many products have no vendor fix available; Siemens recommends firmware updates for products where patches exist and compensating controls for others.

What this means
What could happen
An attacker can flood a PROFINET device with specially crafted UDP packets to disrupt or stop communication with control systems, potentially halting process control operations until the device recovers or is rebooted.
Who's at risk
Manufacturing facilities and transportation systems using Siemens PROFINET automation equipment: PLCs (S7-300, S7-400, S7-1200, S7-1500, S7-410 series), distributed I/O modules (ET200 series), variable frequency drives (SINAMICS G/S/SL/SM/GH/GL/GM/DCM/DCP series), machine tool controllers (SINUMERIK 828D, 840D sl), and human-machine interfaces (HMI Comfort Panels, KTP Mobile Panels). Development kits and evaluation boards for PROFINET are also affected. Any facility using PROFINET-based control systems is at risk if devices are reachable from the network.
How it could be exploited
An attacker with network access to the PROFINET device sends a large volume of malformed UDP packets designed to exhaust device resources. The device becomes unresponsive and stops processing normal PROFINET control messages, disrupting communication with programmable logic controllers (PLCs) and engineering workstations on the network.
Prerequisites
  • Network access to the PROFINET device (typically port 34962/UDP or standard PROFINET ports)
  • No credentials required
  • No prior access needed
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Network-based attack with no special tools required
  • Many products have no fix available and require compensating controls
  • Denial of service can disrupt critical industrial processes
  • Wide range of device types affected across manufacturing and infrastructure sectors
Exploitability
Moderate exploit probability (EPSS 2.0%)
Affected products (106)
66 with fix, 40 pending
Product | Affected Versions | Fix Status
SIMATIC ET 200SP IM 155-6 PN BA | All versions | No fix yet
SIMATIC ET 200SP IM 155-6 PN HA (incl. SIPLUS variants) | < V1.2.1 | Fixed in 1.2.1
SIMATIC ET 200SP IM 155-6 PN HF | < V4.2.2 | Fixed in 4.2.2
SIMATIC ET 200SP IM 155-6 PN HS | < V4.0.1 | Fixed in 4.0.1
SIMATIC ET 200SP IM 155-6 PN ST | All versions | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Deploy ingress filtering on network borders and at device interfaces to block malformed or unexpected UDP packets destined for PROFINET devices
WORKAROUND: For products with no fix available (SIMATIC S7-1500 CPU family, SIMATIC S7-400 PN/DP V6 and below, various ET200 models, HMI panels, and SINAMICS S110/SM120 control units), contact Siemens Support for compensating control recommendations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC S7-1500 Software Controller
HOTFIX: Update SIMATIC S7-1500 Software Controller to firmware version 2.0 or later
SIMATIC PN/PN Coupler
HOTFIX: Update SIMATIC PN/PN Coupler to firmware version 4.2.1 or later
SIMATIC PROFINET Driver
HOTFIX: Update SIMATIC PROFINET Driver to version 2.1 or later
SINUMERIK 828D
HOTFIX: Update SINUMERIK 828D to version 4.8 SP5 or later
SINUMERIK 840D sl
HOTFIX: Update SINUMERIK 840D sl to version 4.8 SP6 or later
All products
HOTFIX: Update SIMATIC S7-300 CPUs (CPU 314C-2, 315, 315-2, 315F-2, 315T-3, 317, 317-2, 317F-2, 317T-3, 317TF-3, 319, 319F-3 PN/DP) to firmware version 3.2.17 or later
HOTFIX: Update SIMATIC S7-400 V7 CPUs (412-2 PN, 414-3, 414F-3, 416-3, 416F-3 PN/DP) to firmware version 7.0.3 or later
HOTFIX: Update SIMATIC S7-400 H V6 CPUs (incl. SIPLUS) to firmware version 6.0.9 or later
HOTFIX: Update SIMATIC S7-410 V8 CPUs (incl. SIPLUS) to firmware version 8.2.2 or later
HOTFIX: Update SIMATIC S7-1200 CPU family (incl. SIPLUS) to firmware version 4.4.0 or later
HOTFIX: Update SIMATIC ET200 IM modules to the specified fixed versions (ET200MP IM 155-5 PN BA to v4.3.0, ET200MP IM 155-5 PN HF to v4.4.0, ET200SP IM 155-6 PN HA to v1.2.1, ET200SP IM 155-6 PN HF to v4.2.2, ET200SP IM 155-6 PN HS to v4.0.1, ET200SP IM 155-6 PN/2 HF to v4.2.2, ET200SP IM 155-6 PN/3 HF to v4.2.1)
HOTFIX: Update SIMATIC ET200S CPUs (IM 151-8 PN/DP CPU and IM 151-8F PN/DP CPU) to firmware version 3.2.17 or later
HOTFIX: Update SIMATIC ET200pro CPUs (IM 154-8, IM 154-8F, IM 154-8FX PN/DP CPU) to firmware version 3.2.17 or later
HOTFIX: Update SIMATIC ET200ecoPN controller firmware (CFU PA) to version 1.2.0 or later where available
HOTFIX: Update SIMATIC HMI Comfort Panels and KTP Mobile Panels via Siemens support where firmware updates become available
HOTFIX: Update SINAMICS drive controls (G110M, G120, G130/G150, GH150, GL150, GM150, S120, S150, SL150 V4.7 Control Units) to the specified fixed versions where available
HARDENING: Monitor PROFINET device status and response times for signs of denial of service; configure alerting for devices that become unresponsive
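The ingress-filtering and monitoring items above both hinge on noticing an abnormal volume of UDP toward PROFINET devices. The following is an added example (not from the OTPulse advisory or from Siemens) that buckets flow records per second, source and destination device and raises an alert when UDP packets to the PROFINET ports exceed a rate threshold; the flow-record format, the sample records and the 200 packets/second threshold are assumptions chosen for this example.

```python
"""Flag UDP bursts toward PROFINET ports in flow records (constructed sample)."""
from collections import defaultdict
from typing import Dict, List, Tuple

# Added example, not from the advisory or from Siemens. 34962-34964/UDP are the
# IANA-registered PROFINET ports (the advisory names 34962/UDP); the flow format
# and the 200 packets/second threshold are assumptions for this example.
PROFINET_UDP_PORTS = {34962, 34963, 34964}
PPS_THRESHOLD = 200

# Constructed flow records: "epoch_second src_ip dst_ip proto dst_port packets".
# 192.168.10.x hosts are normal controllers/HMIs; 10.0.0.99 is the noisy source.
SAMPLE_FLOWS = """\
1570500000 192.168.10.5 192.168.10.20 udp 34962 3
1570500000 192.168.10.5 192.168.10.20 udp 34964 2
1570500001 10.0.0.99 192.168.10.20 udp 34962 950
1570500001 10.0.0.99 192.168.10.21 udp 34962 880
1570500002 10.0.0.99 192.168.10.20 udp 34962 1200
1570500002 192.168.10.7 192.168.10.20 tcp 102 40
"""


def parse_flows(text: str) -> List[Tuple[int, str, str, str, int, int]]:
    """Parse whitespace-separated flow lines; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, proto, port, pkts = parts
        flows.append((int(ts), src, dst, proto.lower(), int(port), int(pkts)))
    return flows


def detect_profinet_floods(text: str, threshold: int = PPS_THRESHOLD) -> List[dict]:
    """Return one alert per (second, src, dst) whose UDP packet count toward
    PROFINET ports exceeds the threshold. Bucketing per destination matters:
    a single saturated I/O module is enough to stall its PROFINET segment."""
    buckets: Dict[Tuple[int, str, str], int] = defaultdict(int)
    for ts, src, dst, proto, port, pkts in parse_flows(text):
        if proto == "udp" and port in PROFINET_UDP_PORTS:
            buckets[(ts, src, dst)] += pkts
    return [
        {"second": ts, "src": src, "dst": dst, "packets": n}
        for (ts, src, dst), n in sorted(buckets.items())
        if n > threshold
    ]


if __name__ == "__main__":
    for a in detect_profinet_floods(SAMPLE_FLOWS):
        print(f"ALERT t={a['second']} {a['src']} -> {a['dst']}: {a['packets']} pkt/s PROFINET UDP")
```

Tune the threshold against a baseline of the cyclic PROFINET traffic actually seen on the segment, since legitimate controllers also send UDP to these ports at a steady, low rate.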
Long-term hardening
HARDENING: Implement network segmentation to restrict PROFINET traffic to only authorized control systems and engineering workstations; isolate development/evaluation kits from production networks