OTPulse

Denial of Service Vulnerability in PROFINET Devices via DCE-RPC Packets

Plan: Patch
Score: 7.5
Advisory: SSA-780073
Date: Feb 11, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

This vulnerability exists in the Siemens PROFINET-IO (PNIO) stack in versions prior to V6.0. When multiple crafted diagnostic package requests are sent to the DCE-RPC interface of affected PROFINET devices, the device becomes unresponsive and stops handling legitimate PROFINET communication. Affected products include: SCALANCE industrial switches and routers; SIMATIC communication modules, distributed I/O stations, and motor drives; SIMOTION motion controllers; SINAMICS variable frequency drives; and various development/evaluation kits. Siemens has released updated firmware for many products but has indicated no fix will be available for several older or end-of-life modules including CP 343-1 series, older ET 200 variants (ET200ecoPN, ET 200S), SIMATIC PN/PN Coupler, SIMATIC RF series, and SOFTNET-IE PNIO.

What this means
What could happen
An attacker can cause PROFINET communication modules and gateways to stop responding by sending crafted diagnostic requests, disrupting real-time data exchange between controllers and field devices, which could halt manufacturing operations or impact critical process monitoring.
Who's at risk
Plant operators running Siemens PROFINET infrastructure should prioritize this. Affected equipment includes: communication modules (CP 343-1, CP 443-1, CP 1604/1616), distributed I/O stations (ET 200S, ET 200M, ET 200SP, ET 200MP, ET 200 ecoPN), network switches (SCALANCE X and XF series), industrial routers (SCALANCE M series, RUGGEDCOM), variable frequency drives (SINAMICS), motor drives (SIMATIC MV series), motion controllers (SIMOTION), and older development kits. Any site using real-time Ethernet communication for field devices, process I/O, or drive control is affected.
How it could be exploited
An attacker with network access to any device running the vulnerable PROFINET-IO stack sends multiple crafted DCE-RPC diagnostic requests to the PROFINET communication interface (typically port 135 or 445). The device becomes unresponsive to legitimate PROFINET traffic, causing the loss of real-time field device communication without requiring authentication or special configuration.
Prerequisites
  • Network access to the PROFINET device (typically Ethernet, reachable from the engineering network or by direct connection to the plant network)
  • No credentials or authentication required
  • Device must be running vulnerable PROFINET-IO stack version prior to V6.0
Risk factors
  • Remotely exploitable without authentication
  • No authentication required
  • Low attack complexity
  • High availability impact on industrial processes
  • Large number of affected products with no fix available
  • Affects critical PROFINET infrastructure used across multiple product lines
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (169)
135 with fix, 34 pending

Product | Affected Versions | Fix Status
SCALANCE XR324-12M (230V, ports on front) | < V4.1.4 | 4.1.4
SCALANCE XR324-12M (230V, ports on rear) | < V4.1.4 | 4.1.4
SCALANCE XR324-12M (24V, ports on front) | < V4.1.4 | 4.1.4
SCALANCE XR324-12M (24V, ports on rear) | < V4.1.4 | 4.1.4
SCALANCE XR324-12M TS (24V) | < V4.1.4 | 4.1.4
Remediation & Mitigation
Do now
SIMATIC CP 343-1
WORKAROUND: For products with no patch available (SIMATIC CP 343-1 series, SIMATIC ET 200 modules, ET200ecoPN, SIMATIC PN/PN Coupler, and SOFTNET-IE PNIO): restrict network access to affected devices using firewall rules, allowing only trusted engineering workstations and SCADA servers to reach the DCE-RPC interfaces (ports 135, 445).
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIMATIC CP 443-1
HOTFIX: Update SIMATIC CP 443-1 and CP 443-1 Advanced to version 3.3 or later
SIMATIC CP 1616 and CP 1604
HOTFIX: Update SIMATIC CP 1616 and CP 1604 to version 2.8.1 or later
SIMATIC ET 200MP IM 155-5 PN HF
HOTFIX: Update SIMATIC ET 200MP IM 155-5 PN HF to version 4.2.0 or later and PN ST to version 4.1.0 or later
SIMOTION C
HOTFIX: Update SIMOTION C, D, and P motion controllers to version 4.5 or later
SCALANCE M876-4 (NAM)
HOTFIX: Update SINAMICS DCP to version 1.3 or later
All products
HOTFIX: Update SCALANCE XR324 series and XR324-4M/PoE series to firmware version 4.1.4 or later
HOTFIX: Update SIMATIC ET 200SP IM 155-6 PN series to version 4.1.0 or 4.2.0 depending on model
HOTFIX: Update SCALANCE X and XF series switches to firmware version 4.1.4, 5.2.5, 5.4.2, or 6.1.2 depending on model
HOTFIX: Update SCALANCE M routers and wireless devices to firmware version 6.1.2 or 6.4 depending on model
HOTFIX: Update SIMATIC MV420/MV440 drives to version 7.0.6 or later
HOTFIX: Update SIPLUS NET variants (ET 200MP, ET 200SP, CP 443-1) to corresponding fixed versions
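A patch-status check against the fixed versions listed above, added here as an example and not part of the advisory or any Siemens tooling. The product-to-version mapping is transcribed from the remediation list (with SIMOTION D and SIMATIC MV440 assumed to follow their family entries), entries with no fix map to the workaround, and the inventory is constructed.

```python
import re

# Fixed firmware per product, transcribed from the advisory's remediation list.
# None marks products for which Siemens has stated no fix will be provided.
FIXED_VERSION = {
    "SCALANCE XR324-12M": "4.1.4",
    "SIMATIC CP 443-1": "3.3",
    "SIMATIC CP 1616": "2.8.1",
    "SIMATIC ET 200MP IM 155-5 PN HF": "4.2.0",
    "SIMOTION D": "4.5",          # assumed: family entry "SIMOTION C, D, and P"
    "SIMATIC MV440": "7.0.6",     # assumed: family entry "MV420/MV440"
    "SIMATIC CP 343-1": None,
    "SOFTNET-IE PNIO": None,
}

def parse_version(text: str) -> tuple:
    """Turn 'V4.1.4', '<V4.1.4' or '4.1.4' into a tuple of ints."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def version_ge(installed: str, fixed: str) -> bool:
    """Compare dotted versions, padding with zeros so '4.5' equals '4.5.0'."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))

def assess(product: str, installed: str) -> str:
    """Classify one asset as 'patched', 'vulnerable', 'no-fix' or 'unknown'."""
    if product not in FIXED_VERSION:
        return "unknown"            # not in the table: check the full advisory
    fixed = FIXED_VERSION[product]
    if fixed is None:
        return "no-fix"             # apply the firewall workaround instead
    # Advisory semantics: affected versions are strictly below the fixed release.
    return "patched" if version_ge(installed, fixed) else "vulnerable"

def assess_inventory(inventory: list) -> dict:
    """Group (product, version) pairs by patch status."""
    report = {"patched": [], "vulnerable": [], "no-fix": [], "unknown": []}
    for product, version in inventory:
        report[assess(product, version)].append((product, version))
    return report

# Constructed sample inventory, e.g. an export from an asset-management tool.
SAMPLE_INVENTORY = [
    ("SCALANCE XR324-12M", "V4.1.3"), ("SCALANCE XR324-12M", "V4.1.4"),
    ("SIMATIC CP 443-1", "V3.2.12"), ("SIMOTION D", "V4.5"),
    ("SIMATIC CP 343-1", "V3.3"), ("SINAMICS G120", "V4.7"),
]
```

Devices reported as "no-fix" are the ones the WORKAROUND entry above applies to; "unknown" entries need a manual look-up in the full product table.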
Long-term hardening
HARDENING: Implement network segmentation to isolate PROFINET devices on separate VLANs with restricted access from office and guest networks