# Full Report
Several industrial controllers are affected by a security vulnerability that could allow an attacker to cause a denial of service condition via PROFINET DCP network packets under certain circumstances. The precondition for this scenario is direct OSI Layer 2 access to the affected products. PROFIBUS interfaces are not affected. Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where updates are not, or not yet, available.
# Analysis Summary
# Vulnerability: Denial of Service in Siemens Industrial Products via PROFINET DCP
## CVE Details
- **CVE ID:** CVE-2018-4843
- **CVSS Score:** 6.5 (Medium)
- **CVSS Vector:** CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- **CWE:** CWE-20: Improper Input Validation
## Affected Systems
- **Products:**
  - SIMATIC S7-400 CPU 414/416 PN/DP V7 (and SIPLUS variants)
  - SIMATIC CP 343-1 & CP 343-1 Advanced (and SIPLUS variants)
  - SIMATIC CP 443-1 & CP 443-1 Advanced (6GK7443-1EX30-0XE0/1 and 6GK7443-1GX30-0XE0)
  - SIMATIC ET 200pro IM154-8/8F PN/DP CPU
  - SIMATIC S7-300 CPU family (various models)
  - SIMATIC WinAC RTX (F) 2010
  - SINUMERIK 828D
- **Versions:** Multiple versions prior to the remediation releases (e.g., S7-400 V7 < V7.0.3; CP 443-1 < V3.3; ET 200pro < V3.2.16).
- **Configurations:** Systems utilizing PROFINET interfaces. PROFIBUS interfaces are explicitly NOT affected.
## Vulnerability Description
The affected industrial controllers and communication processors contain an improper input validation flaw. An attacker can trigger a Denial of Service (DoS) condition by sending specially crafted PROFINET Discovery and Configuration Protocol (DCP) network packets to the device. This causes the device to enter a state where it can no longer process traffic or perform its control functions, requiring a manual restart or intervention to restore service.
## Exploitation
- **Status:** PoC Available (Exploitation evidence 'P' in CVSS vector).
- **Complexity:** Low
- **Attack Vector:** Adjacent (Requires direct OSI Layer 2 access to the affected products/network).
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Total loss of service/functionality of the controller).
## Remediation
### Patches
Siemens has released updates for several product lines. Key updates include:
- **SIMATIC S7-400 CPU V7:** Update to V7.0.3 or later.
- **SIMATIC CP 443-1 / Advanced:** Update to V3.3 or later.
- **SIMATIC ET 200pro IM154-8:** Update to V3.2.16 or later.
- **SINUMERIK 828D:** Update to V4.7 SP6 HF1 or later.
### Workarounds
For products where no fix is planned (e.g., SIMATIC CP 343-1) or where the fix has not yet been applied:
- **Layer 2 Separation:** Ensure that the PROFINET network is strictly isolated from untrusted networks.
- **Access Control:** Restrict physical and logical access to the Layer 2 network segment to authorized personnel and devices only.
- **Defense-in-Depth:** Apply the Siemens "Industrial Security" concept.
## Detection
- **Indicators of Compromise:** Unexpected CPU stops, loss of communication with Engineering Stations or HMIs, and logs indicating malformed PROFINET DCP traffic.
- **Detection methods and tools:** Monitoring of Layer 2 traffic for anomalous PROFINET DCP packets using Industrial Intrusion Detection Systems (IIDS).
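As an added example (not part of the advisory and not Siemens tooling), the following Python checker performs the kind of structural consistency checks an IIDS applies to PROFINET DCP frames: it verifies that the DCPDataLength field and each TLV block length agree with the bytes actually present. The header layout follows the public PROFINET DCP frame format; the sample frames, MAC addresses and Xid values are constructed, and VLAN-tagged frames are not handled.

```python
import struct

PN_ETHERTYPE = 0x8892
# FrameIDs that carry DCP; other PROFINET FrameIDs are ignored by this checker
DCP_FRAME_IDS = {0xFEFC, 0xFEFD, 0xFEFE, 0xFEFF}
DCP_SERVICE_IDS = {3: "Get", 4: "Set", 5: "Identify", 6: "Hello"}


def check_dcp_frame(frame: bytes) -> list[str]:
    """Return anomaly descriptions for one raw Ethernet frame.

    An empty list means the frame is either not DCP or is structurally
    consistent. Untagged frames only (EtherType at offset 12)."""
    findings = []
    if len(frame) < 16:
        return ["frame too short for PROFINET header"]
    ethertype, frame_id = struct.unpack("!HH", frame[12:16])
    if ethertype != PN_ETHERTYPE or frame_id not in DCP_FRAME_IDS:
        return []  # not a DCP frame, nothing to check
    dcp = frame[16:]
    if len(dcp) < 10:
        return ["DCP header truncated"]
    # ServiceID, ServiceType, Xid, ResponseDelay/Reserved, DCPDataLength
    service_id, _service_type, _xid, _delay, data_len = struct.unpack("!BBIHH", dcp[:10])
    if service_id not in DCP_SERVICE_IDS:
        findings.append(f"unknown ServiceID {service_id}")
    payload = dcp[10:]
    if data_len > len(payload):
        findings.append(f"DCPDataLength {data_len} exceeds {len(payload)} bytes present")
        return findings
    # Walk the Option/Suboption/DCPBlockLength blocks inside the declared region
    off = 0
    while off < data_len:
        if data_len - off < 4:
            findings.append("trailing bytes too short for a block header")
            break
        option, suboption, blk_len = struct.unpack("!BBH", payload[off:off + 4])
        off += 4
        if off + blk_len > data_len:
            findings.append(f"block {option:#04x}/{suboption:#04x} length {blk_len} overruns DCPDataLength")
            break
        off += blk_len + (blk_len % 2)  # block data is padded to an even length
    return findings


# Constructed sample frames: PROFINET DCP multicast destination, made-up source MAC
_ETH = bytes.fromhex("010ecf000000" "001122334455") + struct.pack("!HH", PN_ETHERTYPE, 0xFEFE)
GOOD_IDENTIFY = _ETH + struct.pack("!BBIHH", 5, 0, 1, 1, 4) + bytes([0xFF, 0xFF, 0, 0])
BAD_DATA_LEN = _ETH + struct.pack("!BBIHH", 5, 0, 1, 1, 0x0400) + bytes([0xFF, 0xFF, 0, 0])
BAD_BLOCK_LEN = _ETH + struct.pack("!BBIHH", 5, 0, 1, 1, 4) + bytes([0xFF, 0xFF, 0, 16])
```

Feed frames captured from the PROFINET segment (e.g., from a SPAN port) into `check_dcp_frame` and raise an alert on any non-empty result together with the source MAC, which is the level at which the Layer 2 access precondition is visible.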
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-592007[.]pdf
- **Siemens Support Portal:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109752685/
- **Advisory Documentation:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-592007[.]html