OTPulse

Denial of Service Vulnerability in Profinet Devices

Plan: Patch
CVSS score: 7.5
Advisory: SSA-599968
Published: Jul 13, 2021
Attack vector: Network
Authentication required: None
Attack complexity: Low
User interaction: None needed
Summary

A denial of service vulnerability in Siemens PROFINET devices allows an unauthenticated attacker to flood an affected device with DCP (Discovery and Configuration Protocol) reset packets, causing the device to become unresponsive. The vulnerability affects a wide range of SCALANCE industrial switches and routers, SIMATIC S7-1200 CPUs, RUGGEDCOM hardened routers, wireless access points, and related Ethernet modules used in critical infrastructure automation networks. Siemens has released firmware updates for many affected product families; however, numerous SCALANCE W-series wireless models and legacy communication modules have no fix available. Exploitation requires only network access to the device and no credentials.

What this means
What could happen
An attacker on the network can send malformed PROFINET Discovery and Configuration Protocol (DCP) reset packets to cause a denial of service, making the affected device unresponsive and disrupting industrial process control until the device is manually rebooted.
Who's at risk
Energy utilities and industrial facilities using Siemens PROFINET automation equipment including SCALANCE switches, routers, and wireless access points, SIMATIC S7-1200 programmable logic controllers, RUGGEDCOM hardened routers, and associated industrial Ethernet modules. Organizations with PROFINET-based distributed control systems are particularly affected.
How it could be exploited
An attacker with network access to the affected device sends a large number of DCP Set requests carrying a reset block. The affected firmware does not throttle or otherwise cope with this volume of protocol-level reset commands, so the device is overwhelmed and stops responding to legitimate PROFINET and control traffic.
Prerequisites
  • Layer-2 network access to the affected device: DCP is carried directly in Ethernet frames (Ethertype 0x8892), not over IP, so the attacker must be in the same broadcast domain as the device (for example via a compromised host on the PROFINET VLAN). UDP port 34964 is the PROFINET context-manager RPC port and is not used by DCP.
  • No credentials required
  • The device must be connected to an Ethernet network with PROFINET/DCP enabled
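To make the flood described above concrete from the defender's side, here is an added example (not code from OTPulse or from Siemens) that parses raw PROFINET frames, picks out DCP Set requests that carry a Control/Reset block, and raises an alert once a single source MAC has sent more than a threshold of them inside a sliding time window. The frame layout follows the public PROFINET DCP encoding (Ethertype 0x8892, FrameID 0xFEFD for Get/Set, Control option 0x05 with suboption 0x05 or 0x06 for the two factory-reset variants); the threshold, the window, the MAC addresses and the sample frames are constructed assumptions for the demo, and the BlockQualifier value written into the generated frames is a placeholder.

```python
"""Detect floods of PROFINET DCP factory-reset requests in raw Ethernet frames.

Added example, not part of the OTPulse page or the Siemens advisory.
DCP field layout follows the public PROFINET DCP encoding; the thresholds,
MAC addresses and sample frames below are constructed for the demo.
"""
import struct
from collections import defaultdict, deque

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_PROFINET = 0x8892          # PROFINET RT, also carries DCP
FRAME_ID_DCP_GET_SET = 0xFEFD        # DCP Get/Set request and response
FRAME_ID_DCP_IDENTIFY_REQ = 0xFEFE
DCP_SERVICE_SET = 0x04
DCP_SERVICE_IDENTIFY = 0x05
DCP_TYPE_REQUEST = 0x00
DCP_OPTION_CONTROL = 0x05
DCP_SUBOPTION_FACTORY_RESET = 0x05    # legacy reset variant
DCP_SUBOPTION_RESET_TO_FACTORY = 0x06
DCP_MULTICAST = bytes.fromhex("010ecf000000")


def parse_dcp_reset(frame: bytes):
    """Return the source MAC (colon-separated) if `frame` is a DCP Set request
    that carries a Control/Reset block, otherwise None. Handles one 802.1Q tag."""
    if len(frame) < 14:
        return None
    src = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return None
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype != ETHERTYPE_PROFINET or len(frame) < offset + 12:
        return None
    frame_id = struct.unpack("!H", frame[offset:offset + 2])[0]
    if frame_id != FRAME_ID_DCP_GET_SET:
        return None
    # DCP header: ServiceID, ServiceType, Xid, ResponseDelay, DCPDataLength
    service_id, service_type, _xid, _delay, data_len = struct.unpack(
        "!BBIHH", frame[offset + 2:offset + 12])
    if service_id != DCP_SERVICE_SET or service_type != DCP_TYPE_REQUEST:
        return None
    blocks = frame[offset + 12:offset + 12 + data_len]
    pos = 0
    while pos + 4 <= len(blocks):
        option, suboption, block_len = struct.unpack("!BBH", blocks[pos:pos + 4])
        if option == DCP_OPTION_CONTROL and suboption in (
                DCP_SUBOPTION_FACTORY_RESET, DCP_SUBOPTION_RESET_TO_FACTORY):
            return src.hex(":")
        pos += 4 + block_len + (block_len & 1)   # blocks are padded to even length
    return None


class DcpResetFloodDetector:
    """Sliding-window counter of DCP reset requests per source MAC."""

    def __init__(self, threshold: int = 20, window_s: float = 1.0):
        self.threshold = threshold
        self.window_s = window_s
        self._seen = defaultdict(deque)   # src MAC -> timestamps inside the window

    def observe(self, ts: float, frame: bytes):
        """Feed one timestamped frame; return an alert dict once the source has
        sent `threshold` or more reset requests inside the window, else None."""
        src = parse_dcp_reset(frame)
        if src is None:
            return None
        q = self._seen[src]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.threshold:
            return {"src": src, "count": len(q), "window_s": self.window_s, "ts": ts}
        return None


def build_dcp_reset_frame(src: bytes, dst: bytes, xid: int, vlan: bool = False) -> bytes:
    """Constructed DCP Set request with one Control/Reset to Factory block.
    The 2-byte BlockQualifier (reset mode) is a placeholder value."""
    block = struct.pack("!BBHH", DCP_OPTION_CONTROL, DCP_SUBOPTION_RESET_TO_FACTORY, 2, 0x0004)
    dcp = struct.pack("!BBIHH", DCP_SERVICE_SET, DCP_TYPE_REQUEST, xid, 0, len(block)) + block
    eth = dst + src
    if vlan:
        eth += struct.pack("!HH", ETHERTYPE_VLAN, 0x0000)   # TCI: priority 0, VID 0 (assumed)
    eth += struct.pack("!H", ETHERTYPE_PROFINET)
    return (eth + struct.pack("!H", FRAME_ID_DCP_GET_SET) + dcp).ljust(60, b"\x00")


def build_dcp_identify_frame(src: bytes, xid: int) -> bytes:
    """Constructed benign DCP Identify-All request (AllSelector block 0xFF/0xFF)."""
    block = struct.pack("!BBH", 0xFF, 0xFF, 0)
    dcp = struct.pack("!BBIHH", DCP_SERVICE_IDENTIFY, DCP_TYPE_REQUEST, xid, 0x0080, len(block)) + block
    eth = DCP_MULTICAST + src + struct.pack("!H", ETHERTYPE_PROFINET)
    return (eth + struct.pack("!H", FRAME_ID_DCP_IDENTIFY_REQ) + dcp).ljust(60, b"\x00")


def run_demo(threshold: int = 20, window_s: float = 1.0):
    """Replay constructed traffic: benign engineering-station activity followed by
    a 50-frame reset flood from one MAC. Returns the list of alerts raised."""
    engineering = bytes.fromhex("020000000010")
    attacker = bytes.fromhex("020000000001")
    target = bytes.fromhex("0200000000aa")
    det = DcpResetFloodDetector(threshold, window_s)
    alerts = []
    t = 0.0
    for i in range(5):                                   # periodic discovery scans: ignored
        alerts.append(det.observe(t, build_dcp_identify_frame(engineering, i)))
        t += 0.2
    alerts.append(det.observe(t, build_dcp_reset_frame(engineering, target, 99)))   # one legitimate reset
    t += 0.2
    for i in range(50):                                  # flood: 50 resets in 0.5 s, half VLAN-tagged
        alerts.append(det.observe(t, build_dcp_reset_frame(attacker, target, i, vlan=(i % 2 == 0))))
        t += 0.01
    return [a for a in alerts if a is not None]


if __name__ == "__main__":
    for a in run_demo():
        print(f"ALERT src={a['src']} resets={a['count']} in {a['window_s']}s at t={a['ts']:.2f}")
```

The detector keys on the DCP block type rather than on frame volume alone, so a busy but healthy cell (cyclic IO, Identify scans, the occasional legitimate reset from an engineering station) produces no alert, while a flood from one MAC trips it on the twentieth request and keeps reporting while the burst lasts. On a live network the frames would come from a span port via a raw socket or pcap; nothing in the parser depends on the capture method.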
  • Remotely exploitable over the network
  • No authentication required
  • Low attack complexity
  • Affects network infrastructure supporting critical control systems
  • No patch available for many SCALANCE W wireless models and older SIMATIC components
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (249): 217 with fix, 32 pending

Product | Affected versions | Fix status
Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller | All versions | No fix yet
Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200 | All versions | No fix yet
Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P | < V4.7 | V4.7
RUGGEDCOM RM1224 LTE(4G) EU | < V6.4 | V6.4
RUGGEDCOM RM1224 LTE(4G) NAM | < V6.4 | V6.4
Remediation & Mitigation
Do now
WORKAROUND: Restrict DCP at layer 2. DCP is carried directly in Ethernet frames (Ethertype 0x8892) and never reaches the IP layer, so IP firewall rules (for example on UDP/TCP 34964, the PROFINET context-manager RPC port) do not affect it. Keep PROFINET cells in their own VLAN and filter or rate-limit PROFINET frames at the switch or bridge that separates them from untrusted network segments, using Ethertype- or MAC-based ACLs.
WORKAROUND: Disable PROFINET discovery and auto-configuration features on devices where they are not required for operations, after verifying that device naming and IP assignment in the cell do not depend on DCP.
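The first workaround cannot be expressed as an IP firewall rule, because DCP frames are not IP packets. As an added example (not from the OTPulse page or from Siemens), here is an nftables bridge-family ruleset for a Linux host that bridges a PROFINET cell (port eth1) to the plant network (port eth0). The interface names, the 50 frames per second threshold and the raw-payload offset (the PROFINET FrameID sits at bit 112 of an untagged frame, 32 bits later on a VLAN-tagged one) are assumptions made for this illustration; managed industrial switches achieve the same effect with VLAN separation and Ethertype or MAC ACLs in their own configuration syntax.

```nftables
# Added example, not from the OTPulse page or the Siemens advisory.
# Assumes a Linux host acting as a transparent bridge between the plant
# network (eth0, untrusted) and a PROFINET cell (eth1). An "inet" or "ip"
# rule on udp/tcp dport 34964 never matches DCP, because DCP is carried in
# PROFINET RT frames (Ethertype 0x8892) with no IP header at all.
table bridge profinet_guard {
    chain forward {
        type filter hook forward priority 0; policy accept;

        # Plant side: no PROFINET RT frame (and therefore no DCP) may enter
        # the cell from outside. Covers untagged and 802.1Q-tagged frames.
        iifname "eth0" ether type 0x8892 drop
        iifname "eth0" vlan type 0x8892 drop

        # Cell side: cyclic IO must keep flowing, so only DCP Get/Set frames
        # (FrameID 0xFEFD, read from the raw link-layer payload of untagged
        # frames) are rate-limited. 50/second is an assumed ceiling; size it
        # against the normal DCP rate observed in the cell.
        iifname "eth1" ether type 0x8892 @ll,112,16 0xfefd limit rate over 50/second drop
    }
}
```

Load it with `nft -f` on the bridge host and confirm with a packet capture on eth1 that cyclic IO and Identify responses still pass while a burst of Set requests above the ceiling is dropped; a too-low ceiling will also delay legitimate engineering-station name and IP assignment.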
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update the SIMATIC S7-1200 CPU family to firmware version 4.5 or later
HOTFIX: Update SCALANCE X and XM series switches to the applicable firmware version (4.1.4, 4.3, 5.2.5, 6.3.1, or 5.5.0 depending on model)
HOTFIX: Update SCALANCE W series wireless access points to the applicable firmware version (3.0.0 for the 1748/1788 variants; other W-series models have no fix available)
HOTFIX: Update RUGGEDCOM and other routers to firmware version 6.4 or later where available
Long-term hardening
HARDENING: Implement network segmentation to restrict PROFINET device access to authorized engineering and control networks only