Denial of Service Vulnerability in Industrial Products
Rating: Monitor | CVSS 6.5 | Advisory: SSA-592007 | Published: Mar 20, 2018
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A denial-of-service vulnerability exists in multiple Siemens industrial controllers and communication modules. An attacker with access to the local Ethernet network segment can send malformed PROFINET DCP (Discovery and basic Configuration Protocol) packets that cause affected devices to crash or restart. Exploitation requires direct Layer 2 access to the device's network segment but no authentication; the attack cannot be routed in from another IP subnet. PROFIBUS interfaces are not affected. Siemens has released firmware updates for most products but has not released fixes for SIMATIC CP 343-1 and its variants, or for Softnet PROFINET IO.
What this means
What could happen
An attacker on the local network segment can send specially crafted PROFINET DCP packets to crash or restart affected PLCs and controllers, interrupting production processes until the device recovers or is manually restarted.
Who's at risk
Manufacturing facilities using Siemens programmable logic controllers (PLCs) and communication modules are affected. This includes S7-300, S7-400, S7-410 and S7-1500 series PLCs; distributed I/O interface modules with integrated CPUs (ET 200S, ET 200pro); PROFINET communication processors (CP 343-1, CP 443-1); software controllers (WinAC RTX, S7-1500 Software Controller, Softnet PROFINET IO); and SINUMERIK 828D CNC controllers. SIPLUS variants of these products are also affected.
How it could be exploited
An attacker with access to the same Ethernet network segment (Layer 2) sends malformed PROFINET DCP (Discovery and basic Configuration Protocol) frames to the target controller. DCP is carried directly in Ethernet frames (not over IP), so any host on the same broadcast domain can reach the device without knowing its IP address. The device fails to properly validate the frame structure and crashes or reboots, disrupting any active control processes.
Prerequisites
- Direct access to the same Ethernet network segment (Layer 2 adjacency)
- No authentication or credentials required
- PROFINET interface must be active on the target device
- Exploitable over the network from any host on the same Layer 2 segment
- No authentication required
- Low complexity attack
- Affects manufacturing control systems
- No patch available for CP 343-1 and Softnet PROFINET IO products
- Wide range of Siemens PLC and controller models affected
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (44): 41 with fix, 3 pending (5 of 44 shown)
Product | Affected versions | Fix status
SIMATIC S7-400 CPU 416-3 PN/DP V7 | < V7.0.3 | V7.0.3
SIMATIC S7-400 CPU 416F-3 PN/DP V7 | < V7.0.3 | V7.0.3
SIMATIC CP 343-1 (incl. SIPLUS variants) | All versions | No fix yet
SIMATIC CP 343-1 Advanced (incl. SIPLUS variants) | All versions | No fix yet
SIMATIC CP 443-1 | < V3.3 | V3.3
Remediation & Mitigation
Schedule: requires maintenance window. Patching may require a device reboot; plan for process interruption.
SIMATIC S7-400 CPU 416-3 PN/DP V7
Hotfix: Update SIMATIC S7-400 CPU 416-3 PN/DP V7, 416F-3 PN/DP V7, 414-3 PN/DP V7, 414F-3 PN/DP V7, and CPU 412-2 PN V7 to version 7.0.3 or later
SIMATIC CP 443-1
Hotfix: Update SIMATIC CP 443-1 and CP 443-1 Advanced to version 3.3 or later
SIMATIC WinAC RTX 2010
Hotfix: Update SIMATIC WinAC RTX 2010 and WinAC RTX F 2010 to version 2010 SP3 or later
SINUMERIK 828D
Hotfix: Update SINUMERIK 828D to version 4.7 SP6 HF1 or later (contact your local Siemens account manager)
Other affected products
Hotfix: Update SIMATIC S7-300 CPUs (314C-2, 315-2, 315F-2, 315T-3, 317-2, 317F-2, 317T-3, 317TF-3, 319-3, 319F-3) to version 3.2.16 or 3.3.16, as applicable to the CPU model
Hotfix: Update the SIMATIC S7-1500 CPU family and S7-1500 Software Controller to version 1.7.0 or later
Hotfix: Update SIMATIC ET 200pro IM154-8, IM154-8F, and IM154-8FX CPUs to version 3.2.16 or later
Hotfix: Update SIMATIC ET 200S IM151-8 and IM151-8F CPUs to version 3.2.16 or later
Hotfix: Update the SIMATIC S7-400 H V6 CPU family to version 6.0.9 or later
Hotfix: Update the SIMATIC S7-400 PN/DP V6 CPU family to version 6.0.7 or later
Hotfix: Update the SIMATIC S7-410 CPU family to version 8.1 or later
Long-term hardening
Hardening: For SIMATIC CP 343-1 and CP 343-1 Advanced (all versions) and Softnet PROFINET IO for PC-based Windows (all versions) no vendor patch is available; implement network segmentation to restrict Layer 2 access to these devices
Hardening: Implement network segmentation and access controls to limit direct Ethernet access to affected PROFINET devices. Isolate industrial network segments from untrusted networks using managed switches and VLANs
Hardening: Monitor PROFINET network traffic for malformed DCP frames using network security monitoring tools
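A structural check for PROFINET DCP frames of the kind the monitoring item above calls for, as an added example that is not part of the advisory or any Siemens tooling. It parses the Ethernet, PROFINET real-time and DCP headers and the DCP option blocks, and flags frames whose declared lengths do not fit what was captured, the inconsistency a crafted DCP frame typically exhibits. The layout and constants (EtherType 0x8892, DCP frame IDs 0xFEFC to 0xFEFF, 10-byte DCP header, 4-byte block header with even-length padding) follow the PROFINET DCP specification; the sample frames are constructed here, and the checks are generic structural ones, not the specific malformation behind this advisory, which the page does not describe. In practice the frames would come from a pcap or a raw socket on the PROFINET VLAN.

```python
import struct
from dataclasses import dataclass, field

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_PROFINET = 0x8892
# PROFINET frame IDs reserved for DCP (the two bytes after the EtherType)
DCP_FRAME_IDS = {0xFEFC: "Hello", 0xFEFD: "Get/Set", 0xFEFE: "Identify-Req", 0xFEFF: "Identify-Rsp"}
DCP_SERVICE_IDS = {3: "Get", 4: "Set", 5: "Identify", 6: "Hello"}
DCP_HEADER = struct.Struct("!BBIHH")   # ServiceID, ServiceType, Xid, ResponseDelay, DCPDataLength
DCP_BLOCK_HEADER = struct.Struct("!BBH")  # Option, Suboption, DCPBlockLength


@dataclass
class DcpVerdict:
    is_dcp: bool
    src_mac: str = ""
    frame_name: str = ""
    service: str = ""
    blocks: list = field(default_factory=list)    # (option, suboption, length)
    problems: list = field(default_factory=list)  # structural inconsistencies found


def parse_dcp_frame(frame: bytes) -> DcpVerdict:
    """Parse one raw Ethernet frame; non-DCP frames return is_dcp=False."""
    v = DcpVerdict(is_dcp=False)
    if len(frame) < 14:
        return v
    src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    off = 14
    if ethertype == ETHERTYPE_VLAN:            # 802.1Q tagged: skip the 4-byte tag
        if len(frame) < 18:
            return v
        ethertype = struct.unpack("!H", frame[16:18])[0]
        off = 18
    if ethertype != ETHERTYPE_PROFINET or len(frame) < off + 2:
        return v
    frame_id = struct.unpack("!H", frame[off:off + 2])[0]
    if frame_id not in DCP_FRAME_IDS:          # PROFINET, but cyclic/alarm traffic rather than DCP
        return v
    v.is_dcp, v.src_mac, v.frame_name = True, src.hex(":"), DCP_FRAME_IDS[frame_id]
    off += 2
    if len(frame) < off + DCP_HEADER.size:
        v.problems.append("truncated DCP header")
        return v
    service_id, service_type, xid, delay, data_len = DCP_HEADER.unpack_from(frame, off)
    off += DCP_HEADER.size
    v.service = DCP_SERVICE_IDS.get(service_id, f"unknown({service_id})")
    if service_id not in DCP_SERVICE_IDS:
        v.problems.append(f"unknown DCP ServiceID {service_id}")
    payload = frame[off:]  # may be longer than data_len because of Ethernet minimum-size padding
    if data_len > len(payload):
        v.problems.append(f"DCPDataLength {data_len} exceeds available {len(payload)} bytes")
        return v
    body, pos = payload[:data_len], 0
    while pos < len(body):
        if pos + DCP_BLOCK_HEADER.size > len(body):
            v.problems.append("block header truncated")
            break
        option, suboption, blen = DCP_BLOCK_HEADER.unpack_from(body, pos)
        pos += DCP_BLOCK_HEADER.size
        if pos + blen > len(body):
            v.problems.append(f"block {option:#04x}/{suboption:#04x} length {blen} overruns DCP data ({len(body)} bytes)")
            break
        v.blocks.append((option, suboption, blen))
        pos += blen + (blen & 1)  # block data is padded to an even length
    return v


def alerts(frames: dict) -> list:
    """Names of the frames that are DCP and structurally inconsistent."""
    return sorted(name for name, raw in frames.items()
                  if (res := parse_dcp_frame(raw)).is_dcp and res.problems)


# Constructed sample frames (hypothetical MACs); not captured traffic.
def _build(frame_id, service_id, data_len, body, ethertype=ETHERTYPE_PROFINET):
    dst = bytes.fromhex("010ecf000000")          # PROFINET DCP multicast address
    src = bytes.fromhex("001122334455")
    raw = dst + src + struct.pack("!HH", ethertype, frame_id)
    raw += DCP_HEADER.pack(service_id, 0, 0x00000001, 0x0001, data_len) + body
    return raw.ljust(60, b"\x00")                # pad to Ethernet minimum frame size

SAMPLE_FRAMES = {
    # well-formed Identify request with the "all" selector block (Option 0xFF/0xFF, length 0)
    "identify_all":  _build(0xFEFE, 5, 4, bytes([0xFF, 0xFF, 0x00, 0x00])),
    # header claims 240 bytes of DCP data but only 34 follow
    "oversized_len": _build(0xFEFE, 5, 240, bytes([0xFF, 0xFF, 0x00, 0x00])),
    # block claims 32 bytes of data inside a 4-byte DCP body
    "overrun_block": _build(0xFEFE, 5, 4, bytes([0xFF, 0xFF, 0x00, 0x20])),
    # ServiceID 7 is not defined by DCP
    "bad_service":   _build(0xFEFD, 7, 4, bytes([0xFF, 0xFF, 0x00, 0x00])),
    # ARP frame: not PROFINET at all
    "arp":           bytes.fromhex("ffffffffffff001122334455") + b"\x08\x06" + b"\x00" * 46,
}

if __name__ == "__main__":
    for name, raw in SAMPLE_FRAMES.items():
        res = parse_dcp_frame(raw)
        print(name, res.frame_name, res.service, res.blocks, res.problems)
    print("alerts:", alerts(SAMPLE_FRAMES))
```

The length cross-checks are the useful part: a well-formed Identify request carries exactly one zero-length selector block, so any frame whose DCPDataLength or block length points past the captured bytes is worth an alert, as is any DCP traffic from a source MAC that is not one of the known engineering stations on the segment (that allow-list is site-specific and is left out here).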
CVEs (1)