OTPulse

SegmentSmack in Interniche IP-Stack based Industrial Devices

Recommended action: Plan Patch
CVSS score: 7.5
Siemens advisory: SSA-593272
Published: Apr 14, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SegmentSmack (CVE-2018-5390) is a vulnerability in the Interniche TCP/IP stack used by multiple Siemens industrial controller products. A remote attacker can send crafted, out-of-order TCP segments that force the stack into computationally expensive reassembly work on every incoming packet, exhausting CPU resources and degrading or stopping device availability (denial of service). Affected devices are those using PROFINET communications across the S7-300, S7-400, S7-410, S7-1200, S7-1500 and ET 200 series, and related control units.

What this means
What could happen
An attacker on the network can send crafted packets that consume all CPU resources on your PLCs or I/O modules, causing them to stop responding to control commands and potentially halting production or safety-critical processes.
Who's at risk
This vulnerability affects any organization operating Siemens automation platforms, for example water utilities and electrical distributors. Specifically: S7-300 and S7-400 PLCs used in legacy SCADA systems and field stations (no patch available); S7-1200 and S7-1500 CPUs in newer control systems (patches available); ET 200 distributed I/O modules (ET 200eco, ET 200SP, ET 200pro and similar) used for remote sensing and actuation in water treatment, pumping stations and electrical substations; and PROFINET couplers that bridge legacy and modern systems. Any device with a PROFINET Ethernet port running an affected IP stack version is at risk.
How it could be exploited
An attacker with network access to a PROFINET-enabled device sends specially crafted TCP segments that trigger expensive processing in the TCP/IP stack. Each malicious segment forces the CPU into resource-intensive work, and a sustained stream of them saturates the CPU. Once saturated, the device no longer responds to legitimate PROFINET commands or engineering station communication.
Prerequisites
  • Network access to the affected device's PROFINET port (typically Ethernet RJ45 or industrial M12 connector)
  • Device must be connected to a network where attacker-controlled traffic can reach it
  • No credentials or authentication required to trigger the vulnerability
  • remotely exploitable
  • no authentication required
  • low complexity attack
  • affects legacy S7-300/400 series with no patch available
  • affects current S7-1200/1500 production PLCs
  • no patch available for the majority of affected devices
  • affects safety-capable module variants (F-series)
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (66)
15 with fix, 51 pending (5 of 66 shown)

Product                                                     Affected Versions   Fix Status
Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200   All versions        No fix yet
Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P  All versions        No fix yet
KTK ATE530S                                                 All versions        No fix yet
SIDOOR ATD430W                                              All versions        No fix yet
SIDOOR ATE530S COATED                                       All versions        No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Implement packet filtering at network edges to restrict TCP traffic to PROFINET devices from trusted sources only
WORKAROUND: For devices with no fix available (S7-300, S7-400, most ET 200 variants): restrict layer 2 and layer 3 access to PROFINET devices to engineering workstations and HMI systems only; disable PROFINET ports not actively used
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SIMATIC S7-1500 Software Controller to version 20.8 or later
HOTFIX: Update SIMATIC S7-410 V8 CPU to firmware version 8.3 or later
HOTFIX: Update SIMATIC S7-410 V10 CPU to firmware version 10.2 or later
HOTFIX: Update SIMATIC S7-1200 CPU to firmware version 4.5.2 or later
HOTFIX: Update SIMATIC S7-1500 CPU to firmware version 2.8 or later
HOTFIX: Update SIMATIC ET 200eco PN M12-L modules to firmware version 5.1.2 or later (except DIQ 16x24VDC/2A, which requires 5.1.3)
HOTFIX: Update SIMATIC ET 200SP Open Controller CPU 1515SP to firmware version 2.0 or later
Long-term hardening
HARDENING: Isolate PROFINET networks from untrusted network segments using industrial firewalls or network segmentation
HARDENING: Deploy intrusion detection capable of identifying malformed TCP segments targeting PROFINET stacks
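The traffic shape described under "How it could be exploited" (many tiny out-of-order TCP segments arriving faster than the stack can reassemble them) is also what the intrusion detection item above needs to recognise. The following heuristic detector is an added example, not code from Siemens, OTPulse or the SSA-593272 advisory. It assumes TCP segments have already been parsed (for instance from a SPAN-port capture) into timestamp, address, port, sequence number and payload-length records; the IP addresses, ports, thresholds and the two sample flows are constructed for illustration. Per flow it tracks the next in-order sequence number and counts small segments that arrive beyond it within a sliding window, alerting once the count crosses a threshold. It deliberately does not model a real stack's gap filling, so a gap that is later filled keeps counting; that makes it err towards alerting on lossy links, which is the safer direction for a PLC network.

```python
"""Heuristic detector for SegmentSmack-style out-of-order TCP floods (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

SEQ_MOD = 1 << 32


def seq_after(a: int, b: int) -> bool:
    """True if TCP sequence number a lies strictly after b, honouring 32-bit wraparound."""
    return a != b and ((a - b) % SEQ_MOD) < (SEQ_MOD >> 1)


@dataclass(frozen=True)
class Segment:
    """One parsed TCP segment; field names are assumptions of this example."""
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    payload_len: int


@dataclass
class FlowState:
    next_seq: Optional[int] = None          # next in-order byte the receiver expects
    ooo_ts: Deque[float] = field(default_factory=deque)  # arrival times of recent tiny out-of-order segments
    alerted: bool = False                   # alert at most once per flow


class SegmentSmackDetector:
    def __init__(self, window_s: float = 1.0, ooo_threshold: int = 100, max_payload: int = 8) -> None:
        self.window_s = window_s              # sliding window length in seconds
        self.ooo_threshold = ooo_threshold    # out-of-order segments per window that trigger an alert
        self.max_payload = max_payload        # only segments this small or smaller are counted
        self.flows: Dict[Tuple[str, int, str, int], FlowState] = defaultdict(FlowState)

    def observe(self, seg: Segment) -> Optional[str]:
        """Feed one segment; return an alert string the first time a flow crosses the threshold."""
        if seg.payload_len == 0:              # pure ACKs carry no data and never enter the reassembly queue
            return None
        key = (seg.src, seg.sport, seg.dst, seg.dport)
        st = self.flows[key]
        end = (seg.seq + seg.payload_len) % SEQ_MOD
        if st.next_seq is None:               # first data segment of the flow sets the baseline
            st.next_seq = end
            return None
        if seg.seq == st.next_seq:            # in-order data: advance the expected sequence number
            st.next_seq = end
            return None
        # Segments before next_seq are retransmissions and are ignored; segments beyond it leave a
        # gap and must be queued out of order, which is the work SegmentSmack makes expensive.
        if seq_after(seg.seq, st.next_seq) and seg.payload_len <= self.max_payload:
            st.ooo_ts.append(seg.ts)
            while st.ooo_ts and seg.ts - st.ooo_ts[0] > self.window_s:
                st.ooo_ts.popleft()
            if len(st.ooo_ts) >= self.ooo_threshold and not st.alerted:
                st.alerted = True
                return (f"possible SegmentSmack flood: {seg.src}:{seg.sport} -> {seg.dst}:{seg.dport}: "
                        f"{len(st.ooo_ts)} tiny out-of-order segments within {self.window_s}s")
        return None


def run_detector(segments: List[Segment], **kwargs) -> List[str]:
    """Replay segments in timestamp order and collect alerts."""
    det = SegmentSmackDetector(**kwargs)
    alerts: List[str] = []
    for seg in sorted(segments, key=lambda s: s.ts):
        alert = det.observe(seg)
        if alert:
            alerts.append(alert)
    return alerts


def build_benign_flow(n: int = 300) -> List[Segment]:
    """Constructed sample: a workstation streaming 100-byte in-order segments every 10 ms."""
    base = 1_000_000
    return [Segment(ts=i * 0.01, src="10.0.0.5", dst="10.0.0.20", sport=50000, dport=102,
                    seq=(base + i * 100) % SEQ_MOD, payload_len=100) for i in range(n)]


def build_attack_flow(n: int = 150) -> List[Segment]:
    """Constructed sample: one in-order byte, then n one-byte segments each leaving a one-byte gap."""
    base = 2_000_000
    segs = [Segment(ts=0.0, src="10.0.0.9", dst="10.0.0.20", sport=40000, dport=102, seq=base, payload_len=1)]
    for i in range(n):
        segs.append(Segment(ts=(i + 1) * 0.003, src="10.0.0.9", dst="10.0.0.20", sport=40000, dport=102,
                            seq=(base + 2 + 2 * i) % SEQ_MOD, payload_len=1))
    return segs


if __name__ == "__main__":
    print("benign:", run_detector(build_benign_flow()))
    print("attack:", run_detector(build_attack_flow()))
```

The benign flow never leaves a gap, so it produces no alert; the attack flow produces one alert at its 100th out-of-order segment. In production the window and threshold need tuning against the real PROFINET segment's baseline, and the detector should run on a mirror port or TAP rather than inline, since the goal is to alert on the flood, not to add another device that the flood can saturate.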