Denial of service in Siemens PROFINET-IO Stack



Published: 2020-02-12
Risk Medium
Patch available YES
Number of vulnerabilities 1
CVE-ID CVE-2019-13946
CWE-ID CWE-400
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Development/Evaluation Kits for PROFINET IO
Hardware solutions / Firmware

SCALANCE M-800 / S615
Hardware solutions / Firmware

SCALANCE W-700 (IEEE 802.11n)
Hardware solutions / Firmware

SIMATIC CP 343-1 ERPC
Hardware solutions / Firmware

SIMATIC CP 343-1 LEAN
Hardware solutions / Firmware

SIMATIC ET200AL IM 157-1 PN
Hardware solutions / Firmware

SIMATIC ET200M IM153-4 PN IO HF
Hardware solutions / Firmware

SIMATIC ET200M IM153-4 PN IO ST
Hardware solutions / Firmware

SIMATIC ET200MP IM155-5 PN HF
Hardware solutions / Firmware

SIMATIC ET200MP IM155-5 PN ST
Hardware solutions / Firmware

SIMATIC ET 200S
Hardware solutions / Firmware

SIMATIC ET200SP IM155-6 PN Basic
Hardware solutions / Firmware

SIMATIC ET200SP IM155-6 PN HF
Hardware solutions / Firmware

SIMATIC ET200SP IM155-6 PN ST
Hardware solutions / Firmware

SIMATIC ET 200ecoPN
Hardware solutions / Firmware

SIMATIC PN/PN Coupler 6ES7158-3AD01-0XA0
Hardware solutions / Firmware

SINAMICS DCP
Hardware solutions / Firmware

SIMATIC PROFINET Driver
Hardware solutions / Drivers

RUGGEDCOM RM1224
Hardware solutions / Routers & switches, VoIP, GSM, etc

SCALANCE X-200
Hardware solutions / Routers & switches, VoIP, GSM, etc

SCALANCE X-200 IRT
Hardware solutions / Routers & switches, VoIP, GSM, etc

SCALANCE X-300
Hardware solutions / Routers & switches, VoIP, GSM, etc

SCALANCE XB-200
Hardware solutions / Routers & switches, VoIP, GSM, etc

SCALANCE XC-200
Hardware solutions / Routers & switches, VoIP, GSM, etc

SCALANCE XP-200
Hardware solutions / Routers & switches, VoIP, GSM, etc

SCALANCE XF-200BA
Hardware solutions / Routers & switches, VoIP, GSM, etc

SCALANCE XR-300WG
Hardware solutions / Routers & switches, VoIP, GSM, etc

SCALANCE XM-400
Hardware solutions / Routers & switches, VoIP, GSM, etc

SCALANCE XR-500
Hardware solutions / Routers & switches, VoIP, GSM, etc

SIMATIC CP 1616
Hardware solutions / Routers & switches, VoIP, GSM, etc

SIMATIC CP 1604
Hardware solutions / Routers & switches, VoIP, GSM, etc

SIMATIC ET200pro IM 154-3 PN HF
Hardware solutions / Routers & switches, VoIP, GSM, etc

SIMATIC ET200pro IM 154-4 PN HF
Hardware solutions / Routers & switches, VoIP, GSM, etc

SIMATIC RF182C
Hardware solutions / Routers & switches, VoIP, GSM, etc

SIMATIC RF180C
Hardware solutions / Routers & switches, VoIP, GSM, etc

SIMATIC CP 343-1 Advanced
Server applications / SCADA systems

SIMATIC CP 343-1 Standard
Server applications / SCADA systems

SIMATIC CP 443-1 Advanced
Server applications / SCADA systems

SIMATIC CP 443-1 Standard
Server applications / SCADA systems

SIMATIC CP443-1 OPC UA
Server applications / SCADA systems

SIMATIC RF600
Server applications / SCADA systems

SIMATIC IPC Support, Package for VxWorks
Web applications / Modules and components for CMS

SIMATIC MV400
Hardware solutions / Security hardware applicances

Vendor Siemens

Security Bulletin

This security bulletin contains one medium risk vulnerability.

1) Resource exhaustion

EUVDB-ID: #VU25270

Risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13946

CWE-ID: CWE-400 - Resource exhaustion

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the Profinet-IO (PNIO) stack versions prior v06.00 do not properly limit internal resource allocation when multiple legitimate diagnostic package requests are sent to the DCE-RPC interface. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Vulnerable software versions

Development/Evaluation Kits for PROFINET IO: before 4.6

SIMATIC PROFINET Driver: before 2.1

RUGGEDCOM RM1224: before 4.3

SCALANCE M-800 / S615: before 4.3

SCALANCE W-700 (IEEE 802.11n): before 6.0.1

SCALANCE X-200: All versions

SCALANCE X-200 IRT: before 5.3.0

SCALANCE X-300: All versions

SCALANCE XB-200: before 3.0

SCALANCE XC-200: before 3.0

SCALANCE XP-200: before 3.0

SCALANCE XF-200BA: before 3.0

SCALANCE XR-300WG: before 3.0

SCALANCE XM-400: before 6.0

SCALANCE XR-500: before 6.0

SIMATIC CP 1616: before 2.8

SIMATIC CP 1604: before 2.8

SIMATIC CP 343-1 Advanced: All versions

SIMATIC CP 343-1 Standard: All versions

SIMATIC CP 343-1 ERPC: All versions

SIMATIC CP 343-1 LEAN: All versions

SIMATIC CP 443-1 Advanced: All versions

SIMATIC CP 443-1 Standard: All versions

SIMATIC CP443-1 OPC UA: All versions

SIMATIC ET200AL IM 157-1 PN: All versions

SIMATIC ET200M IM153-4 PN IO HF: All versions

SIMATIC ET200M IM153-4 PN IO ST: All versions

SIMATIC ET200MP IM155-5 PN HF: before 4.2.0

SIMATIC ET200MP IM155-5 PN ST: before 4.1.0

SIMATIC ET 200S: All versions

SIMATIC ET200SP IM155-6 PN Basic: All versions

SIMATIC ET200SP IM155-6 PN HF: before 3.3.1

SIMATIC ET200SP IM155-6 PN ST: before 4.1.0

SIMATIC ET 200ecoPN: All versions

SIMATIC ET200pro IM 154-3 PN HF: All versions

SIMATIC ET200pro IM 154-4 PN HF: All versions

SIMATIC IPC Support, Package for VxWorks: All versions

SIMATIC MV400: All versions

SIMATIC PN/PN Coupler 6ES7158-3AD01-0XA0: All versions

SIMATIC RF182C: All versions

SIMATIC RF180C: All versions

SIMATIC RF600: before 3

SINAMICS DCP: before 1.3

External links

http://cert-portal.siemens.com/productcert/pdf/ssa-780073.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###