Full Report
A vulnerability in the affected products could allow an unauthorized attacker with network access to perform a denial-of-service attack resulting in loss of real-time synchronization. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where fixes are not available, or not yet available.
Analysis Summary
# Vulnerability: Denial of Service in Siemens IRT Devices via Real-Time Synchronization Break
## CVE Details
- CVE ID: CVE-2019-10923
- CVSS Score: 7.5 (High)
- CWE: CWE-400: Uncontrolled Resource Consumption
## Affected Systems
- Products:
  - Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller
  - Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200
  - Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P
  - SCALANCE X-200IRT family (incl. SIPLUS NET variants)
  - SIMATIC CP 1604 (6GK1160-4AA01)
  - SIMATIC CP 1616 (6GK1161-6AA02)
  - SIMATIC ET200ecoPN (specific variants/MLFBs are listed in the source advisory; some variants have no fix planned)
  - Other products (SINAMICS SL150, SINAMICS DCP, SIMATIC S7-300 CPU family, SINUMERIK 840D sl, SINAMERIC 840D sl, SINAMICS G150, SINAMICS S150 are mentioned as receiving fixes, implying that versions prior to the fix release were vulnerable)
- Versions: Specific vulnerable versions are listed in the Patches table below; in general, all versions prior to the noted patched versions are affected (e.g., all versions < V4.1.1 Patch 05 for the DK Standard Ethernet Controller).
- Configurations: Devices supporting or utilizing Industrial Real-Time (IRT) communication protocols.
## Vulnerability Description
The vulnerability allows an unauthenticated remote attacker with network access to execute a denial-of-service (DoS) attack by specifically targeting the Industrial Real-Time (IRT) functionality. Successful exploitation results in the loss of real-time synchronization for the affected installation. This is attributed to uncontrolled resource consumption.
## Exploitation
- Status: PoC available (Implied by the CVSS vector: E:P - Proof of Concept)
- Complexity: Low (AC:L - Attack Complexity Low)
- Attack Vector: Network (AV:N)
## Impact
- Confidentiality: No impact (C:N)
- Integrity: No impact (I:N)
- Availability: High impact (A:H - Denial of Service leading to loss of real-time synchronization)
## Remediation
### Patches
Siemens has released updates for several affected products. Users must update to the following versions or later:
| Product | Fixed Version |
| :--- | :--- |
| DK Standard Ethernet Controller | V4.1.1 Patch 05 or later |
| EK-ERTEC 200 | V4.5.0 Patch 01 or later |
| EK-ERTEC 200P | V4.5.0 or later |
| SCALANCE X-200IRT family | V5.4.2 |
| SIMATIC CP 1604 | V2.8 or later |
| SIMATIC CP 1616 | V2.8 or later |
| Other Products (SINAMICS, SIMATIC S7-300, SINUMERIK) | Specific patched versions listed in the original advisory. |
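An added example (not part of the advisory or of any Siemens tool) that turns the patch table above into an inventory check: it parses Siemens-style version strings including the "Patch NN" suffix, so that a device on V4.1.1 without Patch 05 is still flagged. The product keys and the sample inventory are assumptions constructed for the example; products whose fixed versions are only in the original advisory are deliberately left out.

```python
import re

# Minimum fixed versions from the Patches table above (SSA-349422 / CVE-2019-10923).
FIXED_VERSIONS = {
    "DK Standard Ethernet Controller": "V4.1.1 Patch 05",
    "EK-ERTEC 200": "V4.5.0 Patch 01",
    "EK-ERTEC 200P": "V4.5.0",
    "SCALANCE X-200IRT family": "V5.4.2",
    "SIMATIC CP 1604": "V2.8",
    "SIMATIC CP 1616": "V2.8",
}

# Accepts "V4.1.1", "V4.1.1 Patch 05", "2.8"; the "V" prefix and patch suffix are optional.
_VERSION_RE = re.compile(r"^V?(\d+(?:\.\d+)*)(?:\s+Patch\s+(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Turn 'V4.1.1 Patch 05' into ((4, 1, 1), 5); a missing patch level counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Siemens version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    patch = int(m.group(2)) if m.group(2) else 0
    return numbers, patch


def _pad(numbers, width):
    # Compare V2.8 against V2.8.0 on equal footing by zero-extending the shorter tuple.
    return numbers + (0,) * (width - len(numbers))


def is_vulnerable(product, installed):
    """True if the installed version is below the fixed version listed for this product."""
    fixed_num, fixed_patch = parse_version(FIXED_VERSIONS[product])
    inst_num, inst_patch = parse_version(installed)
    width = max(len(fixed_num), len(inst_num))
    return (_pad(inst_num, width), inst_patch) < (_pad(fixed_num, width), fixed_patch)


def triage(inventory):
    """Return the (product, version) pairs from an inventory that still need the update."""
    return [(p, v) for p, v in inventory if is_vulnerable(p, v)]


if __name__ == "__main__":
    # Constructed sample inventory, not real asset data.
    sample = [
        ("DK Standard Ethernet Controller", "V4.1.1 Patch 04"),
        ("DK Standard Ethernet Controller", "V4.1.1 Patch 05"),
        ("EK-ERTEC 200", "V4.5.0"),
        ("SCALANCE X-200IRT family", "V5.4.2"),
        ("SIMATIC CP 1616", "V2.7"),
    ]
    for product, version in triage(sample):
        print(f"UPDATE NEEDED: {product} {version}")
```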
### Workarounds
Specific countermeasures are recommended for products where fixes are not yet available, notably for certain **SIMATIC ET200ecoPN** models, where Siemens states **no fix is planned**. Users should consult the vendor advisory for detailed workarounds pertaining to those unpatched devices. General mitigation strategies should focus on network segmentation (see Detection).
## Detection
- Indicators of Compromise (IOC): Increased network traffic directed at IRT devices, sudden loss of real-time communication integrity, and system logs indicating unexpected process halting or synchronization failure on affected hardware.
- Detection methods and tools: Network monitoring tools capable of inspecting traffic to/from IRT devices might detect anomalous packets attempting to exploit the resource consumption vulnerability. Network segmentation (firewalls/ACLs) preventing unauthorized network access to these devices is the primary prevention method.
## References
- [Vendor Advisory SSA-349422](https://cert-portal.siemens.com/productcert/html/ssa-349422.html)
- [Siemens ProductCERT Terms of Use](https://www.siemens.com/productcert/terms-of-use)