Full Report
The PROFINET (PNIO) stack, when integrated with the Interniche IP stack, contains a vulnerability that could allow an attacker to cause a denial of service condition on affected industrial products. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Denial of Service in PROFINET Stack Integrated with Interniche IP Stack
## CVE Details
- **CVE ID:** CVE-2022-25622
- **CVSS Score:** 5.3 (Medium)
- **CWE:** CWE-400: Uncontrolled Resource Consumption
## Affected Systems
- **Products:** A wide range of Siemens industrial components including:
  - **SIMATIC Series:** CFU DIQ/PA, ET 200pro/SP/MP/AL/ecoPN, S7-300, S7-400, S7-410, TDC.
  - **SINAMICS Drives:** G110M, G115D, G120, G130, G150, S110, S120, S150, S210, V90, DCM.
  - **SIPLUS Variants:** Corresponding hardened versions of the products above.
- **Versions:** Generally all versions prior to the released fixes (many starting from V4.2.0 or V5.1.1).
- **Configurations:** Vulnerability exists when the PROFINET (PNIO) stack is integrated with the Interniche IP stack.
## Vulnerability Description
The vulnerability resides in the PROFINET stack's handling of specific network traffic when integrated with the Interniche IP stack. Due to uncontrolled resource consumption, the device fails to properly manage incoming packets, leading to a resource exhaustion state. An attacker sending maliciously crafted packets can trigger this flaw to cause the device to become unresponsive or restart.
## Exploitation
- **Status:** No reports of exploitation in the wild at the time of the advisory update; PoC not public but technical details of the underlying stack flaw are known.
- **Complexity:** Low
- **Attack Vector:** Network (can be triggered over the local industrial network).
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Device becomes unavailable or requires a manual restart to recover, disrupting industrial processes).
## Remediation
### Patches
Siemens has released several firmware updates. Users are advised to migrate to at least the following versions (non-exhaustive list):
- **SIMATIC S7-300:** Update to V3.X.17 or higher
- **SIMATIC S7-410:** Update to V8.2.3 or higher
- **SINAMICS S120:** Update to V5.2 HF7 or higher
- **SINAMICS G120:** Update to V4.7 SP13 HF4 or higher
- **SIMATIC ET200ecoPN:** Specific variants updated as of Jan 2025 (e.g., 6ES7148-6JE00-0BB0).
*Note: For some legacy products (e.g., SINAMICS S110, SIMATIC S7-400 PN/DP V7), no fix is planned.*
### Workarounds
- **Network Segmentation:** Minimize network exposure for affected devices; ensure they are not accessible from the Internet.
- **Firewalls:** Isolate the Industrial Control System (ICS) network from the business network using firewalls and implement a DMZ.
- **Trusted Access:** Use VPNs for remote access and strictly control which devices can communicate with the PROFINET interfaces.
## Detection
- **Indicators of Compromise:** Unexpected device reboots, loss of communication with a PLC or drive via PROFINET, or log entries reporting high CPU utilization.
- **Detection methods and tools:** Monitor network traffic for unusual volumes of malformed industrial protocol packets using IDS/IPS signatures tuned for PROFINET/Interniche vulnerabilities.
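The two indicators above (a flood of malformed PROFINET frames from one source, and a device that stops sending its cyclic frames) can be checked on a passive capture. The following is an added example, not code from the Siemens advisory or any Siemens product: it consumes constructed frame records in the shape an IDS or tap decoder might emit (the `FrameRecord` fields, the MAC addresses and the thresholds are assumptions) and reports sources that exceed a malformed-frame rate inside a sliding window, plus silence gaps in a monitored device's cyclic traffic. The EtherType 0x8892 is the real value used by PROFINET real-time frames.

```python
"""Traffic-volume and loss-of-communication checks for PROFINET RT frames.

Added example, not part of the Siemens advisory: the record format, MAC
addresses and thresholds are assumptions; a real deployment would feed
records decoded by an IDS or a passive network tap.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

PROFINET_RT_ETHERTYPE = 0x8892   # EtherType used by PROFINET real-time frames


@dataclass(frozen=True)
class FrameRecord:
    ts_ms: int        # capture time in milliseconds
    src_mac: str
    ethertype: int
    length: int
    malformed: bool   # set by the decoder when the PROFINET header fails validation


def detect_bursts(frames, window_ms=1000, threshold=20):
    """Return {src_mac: peak_count} for every source that emitted more than
    `threshold` malformed PROFINET frames inside any `window_ms` sliding window.
    Sources that stay at or below the threshold are not reported."""
    recent = defaultdict(deque)   # per-source timestamps inside the current window
    alerts = {}
    for f in sorted(frames, key=lambda r: r.ts_ms):
        if f.ethertype != PROFINET_RT_ETHERTYPE or not f.malformed:
            continue
        q = recent[f.src_mac]
        q.append(f.ts_ms)
        while q and f.ts_ms - q[0] > window_ms:
            q.popleft()
        if len(q) > threshold:
            alerts[f.src_mac] = max(alerts.get(f.src_mac, 0), len(q))
    return alerts


def cyclic_gaps(frames, device_mac, cycle_ms=10, factor=10):
    """Return [(last_seen_ms, gap_ms)] for every silence longer than
    factor * cycle_ms in the well-formed cyclic frames from `device_mac`.
    A long gap is the 'loss of communication' indicator from the advisory."""
    stamps = sorted(f.ts_ms for f in frames
                    if f.src_mac == device_mac
                    and f.ethertype == PROFINET_RT_ETHERTYPE
                    and not f.malformed)
    return [(a, b - a) for a, b in zip(stamps, stamps[1:]) if b - a > factor * cycle_ms]


def build_sample():
    """Constructed capture: one healthy IO device that goes silent for two
    seconds, one unexpected talker flooding malformed frames, and one source
    with only sporadic malformed frames (should not alert)."""
    device = "00:1b:1b:00:00:01"    # constructed MAC of the monitored IO device
    flooder = "02:00:00:00:00:99"   # constructed MAC of an unexpected talker
    sporadic = "02:00:00:00:00:42"  # constructed MAC with rare malformed frames
    frames = []
    frames += [FrameRecord(i * 10, device, PROFINET_RT_ETHERTYPE, 64, False) for i in range(100)]
    frames += [FrameRecord(3000 + i * 10, device, PROFINET_RT_ETHERTYPE, 64, False) for i in range(20)]
    frames += [FrameRecord(500 + i * 10, flooder, PROFINET_RT_ETHERTYPE, 60, True) for i in range(50)]
    frames += [FrameRecord(i * 2000, sporadic, PROFINET_RT_ETHERTYPE, 60, True) for i in range(5)]
    frames.append(FrameRecord(700, flooder, 0x0800, 60, True))  # non-PROFINET frame, ignored
    return frames, device, flooder


if __name__ == "__main__":
    frames, device, flooder = build_sample()
    print("burst alerts:", detect_bursts(frames))
    print("cyclic gaps for", device, ":", cyclic_gaps(frames, device))
```

The burst detector keys on the decoder's `malformed` flag rather than on raw frame counts, so normal high-rate cyclic traffic from legitimate devices does not trip it; the gap detector ignores malformed frames so that a flood from a spoofed source cannot mask a device that has actually stopped responding. Tune `window_ms`, `threshold` and `cycle_ms` to the configured PROFINET cycle time of the installation.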
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-446448.pdf
- **Siemens ProductCERT:** hxxps://www.siemens[.]com/cert/advisories