#VU25270 Resource exhaustion in Siemens Hardware solutions


Published: 2020-02-12

Vulnerability identifier: #VU25270

Vulnerability risk: Medium

CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-13946

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Development/Evaluation Kits for PROFINET IO
Hardware solutions / Firmware
SCALANCE M-800 / S615
Hardware solutions / Firmware
SCALANCE W-700 (IEEE 802.11n)
Hardware solutions / Firmware
SIMATIC CP 343-1 ERPC
Hardware solutions / Firmware
SIMATIC CP 343-1 LEAN
Hardware solutions / Firmware
SIMATIC ET200AL IM 157-1 PN
Hardware solutions / Firmware
SIMATIC ET200M IM153-4 PN IO HF
Hardware solutions / Firmware
SIMATIC ET200M IM153-4 PN IO ST
Hardware solutions / Firmware
SIMATIC ET200MP IM155-5 PN HF
Hardware solutions / Firmware
SIMATIC ET200MP IM155-5 PN ST
Hardware solutions / Firmware
SIMATIC ET 200S
Hardware solutions / Firmware
SIMATIC ET200SP IM155-6 PN Basic
Hardware solutions / Firmware
SIMATIC ET200SP IM155-6 PN HF
Hardware solutions / Firmware
SIMATIC ET200SP IM155-6 PN ST
Hardware solutions / Firmware
SIMATIC ET 200ecoPN
Hardware solutions / Firmware
SIMATIC PN/PN Coupler 6ES7158-3AD01-0XA0
Hardware solutions / Firmware
SINAMICS DCP
Hardware solutions / Firmware
SIMATIC PROFINET Driver
Hardware solutions / Drivers
RUGGEDCOM RM1224
Hardware solutions / Routers & switches, VoIP, GSM, etc
SCALANCE X-200
Hardware solutions / Routers & switches, VoIP, GSM, etc
SCALANCE X-200 IRT
Hardware solutions / Routers & switches, VoIP, GSM, etc
SCALANCE X-300
Hardware solutions / Routers & switches, VoIP, GSM, etc
SCALANCE XB-200
Hardware solutions / Routers & switches, VoIP, GSM, etc
SCALANCE XC-200
Hardware solutions / Routers & switches, VoIP, GSM, etc
SCALANCE XP-200
Hardware solutions / Routers & switches, VoIP, GSM, etc
SCALANCE XF-200BA
Hardware solutions / Routers & switches, VoIP, GSM, etc
SCALANCE XR-300WG
Hardware solutions / Routers & switches, VoIP, GSM, etc
SCALANCE XM-400
Hardware solutions / Routers & switches, VoIP, GSM, etc
SCALANCE XR-500
Hardware solutions / Routers & switches, VoIP, GSM, etc
SIMATIC CP 1616
Hardware solutions / Routers & switches, VoIP, GSM, etc
SIMATIC CP 1604
Hardware solutions / Routers & switches, VoIP, GSM, etc
SIMATIC ET200pro IM 154-3 PN HF
Hardware solutions / Routers & switches, VoIP, GSM, etc
SIMATIC ET200pro IM 154-4 PN HF
Hardware solutions / Routers & switches, VoIP, GSM, etc
SIMATIC RF182C
Hardware solutions / Routers & switches, VoIP, GSM, etc
SIMATIC RF180C
Hardware solutions / Routers & switches, VoIP, GSM, etc
SIMATIC CP 343-1 Advanced
Server applications / SCADA systems
SIMATIC CP 343-1 Standard
Server applications / SCADA systems
SIMATIC CP 443-1 Advanced
Server applications / SCADA systems
SIMATIC CP 443-1 Standard
Server applications / SCADA systems
SIMATIC CP443-1 OPC UA
Server applications / SCADA systems
SIMATIC RF600
Server applications / SCADA systems
SIMATIC IPC Support, Package for VxWorks
Web applications / Modules and components for CMS
SIMATIC MV400
Hardware solutions / Security hardware applicances

Vendor: Siemens

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to the Profinet-IO (PNIO) stack versions prior v06.00 do not properly limit internal resource allocation when multiple legitimate diagnostic package requests are sent to the DCE-RPC interface. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation

Vulnerable software versions

Development/Evaluation Kits for PROFINET IO: All versions

SIMATIC PROFINET Driver: All versions

RUGGEDCOM RM1224: All versions

SCALANCE M-800 / S615: All versions

SCALANCE W-700 (IEEE 802.11n): All versions

SCALANCE X-200: All versions

SCALANCE X-200 IRT: All versions

SCALANCE X-300: All versions

SCALANCE XB-200: All versions

SCALANCE XC-200: All versions

SCALANCE XP-200: All versions

SCALANCE XF-200BA: All versions

SCALANCE XR-300WG: All versions

SCALANCE XM-400: All versions

SCALANCE XR-500: All versions

SIMATIC CP 1616: All versions

SIMATIC CP 1604: All versions

SIMATIC CP 343-1 Advanced: All versions

SIMATIC CP 343-1 Standard: All versions

SIMATIC CP 343-1 ERPC: All versions

SIMATIC CP 343-1 LEAN: All versions

SIMATIC CP 443-1 Advanced: All versions

SIMATIC CP 443-1 Standard: All versions

SIMATIC CP443-1 OPC UA: All versions

SIMATIC ET200AL IM 157-1 PN: All versions

SIMATIC ET200M IM153-4 PN IO HF: All versions

SIMATIC ET200M IM153-4 PN IO ST: All versions

SIMATIC ET200MP IM155-5 PN HF: All versions

SIMATIC ET200MP IM155-5 PN ST: All versions

SIMATIC ET 200S: All versions

SIMATIC ET200SP IM155-6 PN Basic: All versions

SIMATIC ET200SP IM155-6 PN HF: All versions

SIMATIC ET200SP IM155-6 PN ST: All versions

SIMATIC ET 200ecoPN: All versions

SIMATIC ET200pro IM 154-3 PN HF: All versions

SIMATIC ET200pro IM 154-4 PN HF: All versions

SIMATIC IPC Support, Package for VxWorks: All versions

SIMATIC MV400: All versions

SIMATIC PN/PN Coupler 6ES7158-3AD01-0XA0: All versions

SIMATIC RF182C: All versions

SIMATIC RF180C: All versions

SIMATIC RF600: All versions

SINAMICS DCP: All versions

External links
http://cert-portal.siemens.com/productcert/pdf/ssa-780073.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Denial of service in Siemens PROFINET-IO Stack