#VU9545 Improper input validation in Siemens products - CVE-2017-12741

Vulnerability identifier: #VU9545

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2017-12741

CWE-ID: CWE-20

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
SINAMICS S150
SINAMICS G120
SIMOTION Firmware
SIMATIC S7-1500 CPU
SIMATIC S7-1200
SIMATIC S7-410
SIMATIC S7-400
SIMATIC S7-300
SIMATIC S7-200 Smart
SIMOCODE pro V PROFINET
SIMATIC PN/PN Coupler
SIMATIC Compact Field Unit
SINUMERIK 840D
SINAMICS V90
SINAMICS S120
SINAMICS S110
SINAMICS G130
SINAMICS DCP
SINAMICS DCM
SIMATIC WinAC RTX 2010
SIMATIC ET 200SP
SIMATIC ET 200S
SIMATIC ET 200pro
SIMATIC ET 200MP
SIMATIC ET 200M
SIMATIC ET 200ecoPN
SIMATIC ET 200AL
Development/Evaluation Kits for PROFINET IO

Software vendor:
Siemens

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists due to an error when processing malicious packets. A remote attacker can send specially crafted packets via UDP port 161 and cause the device to crash or become unresponsive.

Successful exploitation of the vulnerability results in denial of service.

Install update from vendor's website.

• https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-346262.pdf