Full Report
Several industrial products are affected by a vulnerability that could allow remote attackers to conduct a denial of service attack by sending specially crafted packets to port 161/udp (SNMP). Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Denial of Service in Industrial Product SNMP Interface
## CVE Details
- CVE ID: CVE-2017-12741 (This is the core CVE referenced for affected components)
- CVSS Score: 7.5 (CVSS v3.1 Base Score) | 8.7 (CVSS v4.0 Base Score)
- CWE: Not explicitly mentioned in the summary, but likely related to improper input validation or handling of network protocols (SNMP).
## Affected Systems
- Products:
  - Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller
  - Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200
  - Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P
  - SIMATIC Compact Field Unit
  - SIMATIC ET200ecoPN variants (including specific MLFB IDs such as 6ES7145-6HD00-0AB0 and 6ES7147-6BG00-0AB0; many further variants are listed individually in the advisory)
  - Many other products listed across advisory updates, including SINAMICS, SIMOTION, SIMATIC S7-1200/S7-300/S7-400 (below V6), SINUMERIK 840D sl, SIMATIC WinAC RTX (F) 2010, and corresponding SIPLUS devices.
- Versions: All versions prior to the specified patched versions for the respective product.
- Configurations: Affected systems exposed via UDP port 161 (SNMP).
## Vulnerability Description
The vulnerability exists within the SNMP interface of several affected Siemens industrial products. A remote attacker can send specifically crafted SNMP packets (UDP port 161) to these devices. Successful exploitation leads to a Denial of Service (DoS) condition, rendering the affected device unavailable to perform its industrial functions.
## Exploitation
- Status: Not explicitly stated as "exploited in the wild," but the advisory implies known risk via specially crafted packets.
- Complexity: Likely **Low** given the network vector and DoS outcome via crafted packets.
- Attack Vector: **Network** (remotely exploitable over UDP port 161; the outcome is denial of service, not code execution).
## Impact
- Confidentiality: **No Impact** (Focus is on availability disruption)
- Integrity: **No Impact** (Focus is on availability disruption)
- Availability: **High** (Successful denial of service against industrial control components)
## Remediation
### Patches
Patches are available for most products, requiring updates to the latest versions. Examples include:
- **DK Standard Ethernet Controller:** Update to V4.1.1 Patch 05.
- **EK-ERTEC 200 / EK-ERTEC 200P:** Update to V4.5.
- Updates are listed for numerous other product families (SINAMICS, SIMATIC S7, etc.) requiring specific version upgrades detailed in the full advisory.
### Workarounds
For products where a fix is not, or not yet, available (e.g., certain SIMATIC ET200ecoPN variants):
- Implement specific countermeasures recommended by Siemens, focusing on restricting network access to the SNMP port (UDP 161).
- Siemens recommends restricting access to the management interfaces, especially SNMP, only to trusted networks/hosts.
## Detection
- Indicators of Compromise: Increased traffic or error/reset messages directed towards UDP port 161 on vulnerable industrial assets.
- Detection Methods and Tools: Network monitoring tools capable of inspecting traffic destined for UDP/161 and identifying unusual or malformed SNMP packets directed toward the target devices.
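As an added illustration of the two monitoring points above (this is example code, not part of the Siemens advisory), the following script runs over constructed flow records and flags SNMP traffic to industrial assets that comes from hosts outside a trusted-manager allowlist, or that exceeds a per-source packet threshold. The asset inventory, the trusted network and the threshold are assumptions for the example.

```python
# Added example, not from the Siemens advisory: flag UDP/161 (SNMP) traffic
# toward industrial assets from hosts outside a trusted-manager allowlist,
# and sources sending an unusually high packet volume to that port.
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample flow records: "src_ip dst_ip proto dst_port packets"
SAMPLE_FLOWS = """\
10.0.10.5 192.168.1.20 udp 161 3
10.0.10.5 192.168.1.21 udp 161 2
10.0.99.77 192.168.1.20 udp 161 850
10.0.99.77 192.168.1.22 udp 161 910
10.0.10.5 192.168.1.20 tcp 102 40
172.16.4.9 192.168.1.21 udp 161 12
"""
# Hypothetical asset inventory, trusted SNMP managers and threshold (assumptions)
ICS_ASSETS = {"192.168.1.20", "192.168.1.21", "192.168.1.22"}
TRUSTED_SNMP_MANAGERS = [ip_network("10.0.10.0/24")]
PACKET_THRESHOLD = 500  # packets per source within the observation window

def parse_flows(text):
    """Parse whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        if line.strip():
            src, dst, proto, dport, pkts = line.split()
            flows.append({"src": src, "dst": dst, "proto": proto.lower(),
                          "dport": int(dport), "packets": int(pkts)})
    return flows

def is_trusted(src):
    """True if src falls inside an allowlisted management network."""
    return any(ip_address(src) in net for net in TRUSTED_SNMP_MANAGERS)

def find_snmp_alerts(flows):
    """Two checks on SNMP flows to ICS assets: source not allowlisted
    (access-restriction workaround violated) and per-source volume above
    PACKET_THRESHOLD (possible flood of crafted packets)."""
    per_source, alerts = Counter(), []
    for f in flows:
        if f["proto"] != "udp" or f["dport"] != 161 or f["dst"] not in ICS_ASSETS:
            continue
        per_source[f["src"]] += f["packets"]
        if not is_trusted(f["src"]):
            alerts.append(("untrusted_source", f["src"], f["dst"]))
    for src, count in per_source.items():
        if count > PACKET_THRESHOLD:
            alerts.append(("high_volume", src, count))
    return alerts
```

Feeding real NetFlow or firewall log exports into `parse_flows` only requires adapting the field split; the checks themselves stay the same.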
## References
- Vendor Advisories: SSA-346262 ([https://cert-portal.siemens.com/productcert/html/ssa-346262.html](https://cert-portal.siemens.com/productcert/html/ssa-346262.html))