Full Report
A vulnerability in affected devices could allow an attacker to perform a denial of service attack if a large amount of specially crafted UDP packets is sent to the device. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Denial of Service in Siemens PROFINET Devices via Crafted UDP Packets
## CVE Details
- CVE ID: CVE-2019-10936
- CVSS Score: 7.5 (High)
- CWE: Not explicitly listed in the summary; the flaw is a packet-handling/input-validation weakness in which a flood of crafted UDP datagrams exhausts the device and causes a DoS.
## Affected Systems
- Products:
  - Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller
  - Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200
  - Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P
  - SIMATIC CFU PA (6ES7655-5PX11-0XX0)
  - Various SIMATIC ET200ecoPN variants (specific MLFBs are listed in the full advisory, including those with 4AO U/I, 8 DIO, 8 DO, 8AI RTD/TC and 8DI modules)
  - Other products mentioned throughout the advisory's updates, including SIMATIC S7-1200/S7-1500 Software/Open Controller, SINAMICS DCP, SIMATIC S7-300, SIMATIC ET200MP IM155-5 PN HF, SIMATIC TDC CP51M1/CPU555, SIMATIC PN/PN Coupler, SIMATIC S7-400, and various SIPLUS variants
- Versions:
  - EK-ERTEC 200P: All versions prior to V4.6 Patch 01
  - SIMATIC CFU PA (6ES7655-5PX11-0XX0): All versions prior to V1.2.0
  - Various SIMATIC ET200ecoPN variants: All versions affected (unless otherwise specified in the full advisory)
- Configurations: N/A (Vulnerability is triggered by sending network traffic).
## Vulnerability Description
The vulnerability resides in affected Siemens devices supporting PROFINET functionality. An attacker can induce a Denial of Service (DoS) condition by transmitting a large volume of specially crafted UDP packets to the vulnerable device.
## Exploitation
- Status: The summary gives no information on in-the-wild exploitation; it states only the DoS outcome.
- Complexity: Low (implied: the attack needs nothing beyond sending UDP packets to a device reachable over the network).
- Attack Vector: Network
## Impact
- Confidentiality: No Impact (Likely)
- Integrity: No Impact (Likely)
- Availability: High (System Crash/Denial of Service)
## Remediation
### Patches
Siemens has released updates for several affected products. Users must consult the full advisory for the correct patch level associated with their specific product MLFB:
* **EK-ERTEC 200P:** Update to V4.6 Patch 01 or later.
* **SIMATIC CFU PA (6ES7655-5PX11-0XX0):** Update to V1.2.0 or later.
* ***Note:*** Many other products have specific fixes referenced throughout the advisory history (V1.3 through V2.6). Users must check the full SSA-473245 document.
### Workarounds
For products where fixes are not planned or not yet available (e.g., DK Standard Ethernet Controller, EK-ERTEC 200, certain ET200ecoPN variants):
* Siemens recommends specific countermeasures detailed in the "Workarounds and Mitigations" section of the official advisory. (These specific countermeasures are not detailed in the provided text block but must be sought from the vendor).
* General mitigation often involves network segmentation and access control restricting the ability to send arbitrary traffic, especially UDP, to these control devices.
## Detection
- Indicators of compromise would likely involve an abnormal spike in network traffic (specifically UDP packets) directed to the affected PROFINET devices shortly before, or concurrent with, a service outage.
- Detection methods should focus on analyzing ingress network traffic targeting critical assets, specifically looking for high volumes of unexpected UDP datagrams.
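The following detector illustrates the approach described above: it parses per-datagram flow records and raises an alert when a protected PROFINET asset receives more UDP datagrams in a short window than a configured baseline allows. This is an added example, not code from Siemens or from the advisory; the log line format, the asset list, the window and threshold values, and the sample records are all constructed for the demonstration.

```python
"""Added example (not from the Siemens advisory): flag protected hosts that
receive an abnormal burst of UDP datagrams, the traffic pattern the Detection
section describes. Log format, asset list, threshold and sample data are
constructed assumptions for this demo."""
from collections import defaultdict, deque
from datetime import datetime, timezone
import re

# Constructed flow-log lines, one datagram per line (not captured traffic).
SAMPLE_LOG = "\n".join(
    [
        "2019-10-08T10:00:00Z proto=UDP src=10.0.0.5 dst=192.168.1.20 dport=34964 len=64",
        "2019-10-08T10:00:03Z proto=UDP src=10.0.0.5 dst=192.168.1.21 dport=34964 len=64",
        "2019-10-08T10:00:05Z proto=TCP src=10.0.0.7 dst=192.168.1.20 dport=102 len=120",
        # Same burst source hitting a host that is not on the protected list: ignored.
        "2019-10-08T10:00:09Z proto=UDP src=10.0.0.99 dst=192.168.1.50 dport=40000 len=1400",
    ]
    # Burst: twelve UDP datagrams to one protected device inside a single second.
    + [
        f"2019-10-08T10:00:09Z proto=UDP src=10.0.0.99 dst=192.168.1.20 dport={p} len=1400"
        for p in range(40000, 40012)
    ]
)

# Assumed inventory of PROFINET devices whose availability we care about.
PROTECTED_ASSETS = {"192.168.1.20", "192.168.1.21"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) proto=(?P<proto>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) len=(?P<len>\d+)$"
)


def parse_line(line):
    """Parse one constructed flow record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "ts": ts,
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
        "len": int(m["len"]),
    }


def detect_udp_bursts(lines, assets, window_s=1.0, threshold=10):
    """Return one alert per protected destination per window whenever more than
    `threshold` UDP datagrams reach it within `window_s` seconds.

    Each alert records the destination, the timestamp at which the threshold
    was crossed, the datagram count in the window and the sources involved."""
    recent = defaultdict(deque)  # dst -> deque of (ts, src) still inside the window
    last_alert = {}              # dst -> timestamp of the most recent alert
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proto"] != "UDP" or rec["dst"] not in assets:
            continue
        q = recent[rec["dst"]]
        q.append((rec["ts"], rec["src"]))
        # Drop datagrams that have aged out of the sliding window.
        while (rec["ts"] - q[0][0]).total_seconds() > window_s:
            q.popleft()
        prev = last_alert.get(rec["dst"])
        quiet = prev is None or (rec["ts"] - prev).total_seconds() > window_s
        if len(q) > threshold and quiet:
            last_alert[rec["dst"]] = rec["ts"]
            alerts.append({
                "dst": rec["dst"],
                "at": rec["ts"].isoformat(),
                "count": len(q),
                "sources": sorted({src for _, src in q}),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_udp_bursts(SAMPLE_LOG.splitlines(), PROTECTED_ASSETS):
        print(f"UDP burst toward {alert['dst']} at {alert['at']}: "
              f"{alert['count']} datagrams from {alert['sources']}")
```

The threshold must be set from a per-device baseline: PROFINET devices see a steady trickle of legitimate UDP traffic, so a value chosen below that rate would alert on normal operation, and one set far above it would miss a slow flood. Correlating an alert with the device's own availability (cyclic data timeouts, controller diagnostics) turns a traffic anomaly into a confirmed outage indicator.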
## References
- Vendor Advisories:
- SSA-473245 (Current Version V2.7)
- Siemens Global Website Terms of Use: hxxps://www.siemens.com/terms_of_use