Full Report
Several industrial devices are affected by two vulnerabilities that could allow an attacker to cause a denial of service condition via PROFINET DCP network packets under certain circumstances. The precondition for this scenario is direct layer 2 access to the affected products. PROFIBUS interfaces are not affected. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Denial of Service in Siemens PROFINET DCP Implementation
## CVE Details
- CVE ID: **CVE-2017-2680** and **CVE-2017-2681**
- CVSS Score: **6.5** (CVSS v3.1) / **7.1** (CVSS v4.0) (Medium/High)
- CWE: Not explicitly specified in the summary; the denial-of-service behaviour triggered by crafted packets suggests **Improper Input Validation**.
## Affected Systems
- Products:
  - Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller
  - Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200
  - Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P
  - IE/AS-i Link PN IO
  - IE/PB-Link (incl. SIPLUS NET variants)
  - SCALANCE M-800 family (incl. S615, MUM-800 and RM1224)
  - SCALANCE W-700 IEEE 802.11n family
  - *Note: The advisory covers numerous other specific Siemens industrial products across various families (e.g., SINAMICS, SIMATIC ET 200 families, SCALANCE, SIPLUS devices) updated over time.*
- Versions: All versions prior to the specified patch levels (e.g., `< V4.1.1 Patch04`, `< V4.2.1 Patch03`, etc., depending on the product).
- Configurations: Devices must be reachable via **direct layer 2 access** for exploitation via PROFINET DCP. PROFIBUS interfaces are explicitly **not affected**.
## Vulnerability Description
Two vulnerabilities exist within the PROFINET DCP network packet handling implementation across several industrial devices. Successful exploitation allows an attacker to trigger a **Denial of Service (DoS)** condition on the affected product. The requirement for exploitation is adjacency, meaning the attacker must have direct Layer 2 network access to the vulnerable device.
## Exploitation
- Status: The advisory does not report exploitation in the wild; the existence of proof-of-concept code is inferred from the CVE assignments rather than stated in the advisory.
- Complexity: **Medium** (Requires Layer 2 network access/direct proximity).
- Attack Vector: **Adjacent** (Requires L2 access to the target network segment).
## Impact
- Confidentiality: **No Impact** (Based on DoS summary).
- Integrity: **No Impact** (Based on DoS summary).
- Availability: **High** (Causes a denial of service condition).
## Remediation
### Patches
Siemens has released fixes for most affected products. Users must update to the latest available versions as specified in the advisory:
- **DK Standard Ethernet Controller:** Update to **V4.1.1 Patch04** or newer.
- **EK-ERTEC 200:** Update to **V4.2.1 Patch03** or newer.
- **EK-ERTEC 200P:** Update to **V4.4.0 Patch01** or newer.
- **IE/PB-Link (incl. SIPLUS NET variants):** Upgrade to **V3.0**.
- **SCALANCE M-800 family:** Update to **V5.00**.
- *Note: Specific upgrade paths must be consulted in the full Siemens advisory.*
### Workarounds
For products where fixes are not yet available or are not planned (e.g., **IE/AS-i Link PN IO**):
1. **Network Segmentation:** Restrict network access to the affected devices to only trusted hosts.
2. **Layer 2 Filtering:** Limit Layer 2 traffic access where possible.
*Consult the section "Workarounds and Mitigations" of the original advisory for the specific countermeasures that apply to each affected product.*
## Detection
- Indicators of Compromise: Unusually high volumes of PROFINET DCP packets from an untrusted or unexpected source on the Layer 2 segment, followed by device unresponsiveness (DoS).
- Detection Methods and Tools: Use network monitoring tools that can inspect industrial control traffic (Ethernet/PROFINET DCP) to watch for malformed or excessive DCP packets directed at the affected components.
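As an added example (not code from the advisory or from Siemens), a small Python detector for the traffic pattern described above: it parses PROFINET DCP frames (EtherType 0x8892, FrameIDs 0xFEFC to 0xFEFF) from a capture and alerts on frames whose declared DCPDataLength exceeds the bytes actually on the wire, and on any source MAC sending an unusually high rate of DCP requests. The rate threshold, the window and the sample frames are constructed values; untagged Ethernet II framing is assumed.

```python
import struct
from collections import defaultdict

PN_ETHERTYPE = 0x8892                                  # PROFINET EtherType
DCP_FRAME_IDS = {0xFEFC, 0xFEFD, 0xFEFE, 0xFEFF}       # Hello, Get/Set, Identify req/resp
DCP_SERVICE = {3: "get", 4: "set", 5: "identify", 6: "hello"}

def parse_dcp(frame: bytes):
    """Describe a PROFINET DCP frame, or None. Assumes untagged Ethernet II framing."""
    if len(frame) < 26 or struct.unpack("!H", frame[12:14])[0] != PN_ETHERTYPE:
        return None
    if struct.unpack("!H", frame[14:16])[0] not in DCP_FRAME_IDS:
        return None
    sid, stype, _xid, _delay, data_len = struct.unpack("!BBIHH", frame[16:26])  # DCP header
    return {"src": frame[6:12].hex(":"),
            "service": DCP_SERVICE.get(sid, f"unknown({sid})"),
            "request": stype == 0,                     # ServiceType 0 = request
            "malformed": data_len > len(frame) - 26}   # declared length > bytes on the wire

def detect(frames, window_s=1.0, threshold=20):
    """Alert on malformed DCP frames and on any source MAC sending more than
    `threshold` DCP requests inside a sliding window (constructed example values)."""
    alerts, flagged, recent = [], set(), defaultdict(list)
    for ts, raw in frames:
        dcp = parse_dcp(raw)
        if dcp is None:
            continue
        if dcp["malformed"]:
            alerts.append(f"malformed DCP {dcp['service']} from {dcp['src']}")
        if not dcp["request"]:
            continue
        q = recent[dcp["src"]]                         # timestamps of recent requests
        q.append(ts)
        while ts - q[0] > window_s:
            q.pop(0)
        if len(q) > threshold and dcp["src"] not in flagged:
            flagged.add(dcp["src"])
            alerts.append(f"DCP request flood from {dcp['src']}: {len(q)} in {window_s}s")
    return alerts

def build_identify(src_mac: bytes, declared_len=None) -> bytes:
    """Constructed sample: DCP Identify request (FrameID 0xFEFE, AllSelector block).
    `declared_len` overrides DCPDataLength to produce a malformed frame for testing."""
    block = b"\xff\xff\x00\x00"                        # AllSelector option, block length 0
    hdr = struct.pack("!BBIHH", 5, 0, 0x1234, 0x0080,
                      len(block) if declared_len is None else declared_len)
    frame = (bytes.fromhex("010ecf000000") + src_mac
             + struct.pack("!HH", PN_ETHERTYPE, 0xFEFE) + hdr + block)
    return frame.ljust(60, b"\x00")                    # pad to minimum Ethernet size
```

Feed `detect()` frames from a capture of the PROFINET segment (for example via a pcap reader) and baseline the threshold against normal DCP Identify traffic before alerting on it.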
## References
- Vendor Advisories:
- SSA-293562: hxxps://cert-portal.siemens.com/productcert/html/ssa-293562.html