Full Report
A vulnerability exists in affected products that could allow remote attackers to affect the availability of the devices under certain conditions. The underlying TCP stack can be forced to make very computationally expensive calls for every incoming packet, which can lead to a Denial-of-Service. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: SegmentSmack in InterNiche IP-Stack (Siemens Industrial Devices)
## CVE Details
- **CVE ID:** CVE-2019-19300
- **CVSS Score:** 7.5 (High)
- **CVSS Vector:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
- **CWE:** CWE-400 (Uncontrolled Resource Consumption)
## Affected Systems
- **Products:**
  - Development/Evaluation Kits for PROFINET IO (EK-ERTEC 200/200P)
  - SIMATIC ET 200 series (AL, eco PN, MP, SP, pro)
  - SIPLUS ET 200 variants
  - SIMATIC S7-300 and S7-400 CPU families (including SIPLUS variants)
  - SIMATIC S7-410 V8 and V10 CPU families
  - SIDOOR ATD430W, ATE530S, ATE531S
  - KTK ATE530S
- **Versions:** Multiple versions affected (Consult specific product tables in the advisory).
- **Configurations:** Devices utilizing the InterNiche TCP/IP stack for network communications.
## Vulnerability Description
The vulnerability, commonly known as **SegmentSmack**, resides in the InterNiche IP stack. It occurs when the stack processes a sequence of specially crafted TCP segments. Because of how the stack manages reassembly buffers, an attacker can force the CPU to perform extremely computationally expensive calls for every subsequent incoming packet. This resource exhaustion leads to a persistent Denial-of-Service (DoS) condition, rendering the device unresponsive.
## Exploitation
- **Status:** Proof of Concept (PoC) available.
- **Complexity:** Low
- **Attack Vector:** Network (Remote exploitation possible without authentication).
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Device becomes unavailable or experiences significant performance degradation).
## Remediation
### Patches
Siemens has released updates for several product lines. Key updates include:
- **SIMATIC S7-410 V10 CPU:** Update to V10.1 or later.
- **SIMATIC S7-410 V8 CPU:** Update to V8.2.4 or later.
- **SIMATIC ET 200ecoPN (Specific IO-Link/RTD modules):** Update to V5.1.1 or later.
- **Note:** For many ET 200 modules and S7-300/400 legacy controllers, **no fix is currently planned**.
### Workarounds
- **Network Segmentation:** Minimize network exposure for affected devices; ensure they are not accessible via the Internet.
- **Firewalling:** Isolate the Control and Enterprise networks using a firewall and restrict communication to authorized stations only.
- **VPN:** Use secure tunneling (VPN) for any required remote access to the internal network.
## Detection
- **Indicators of Compromise:** High CPU utilization on the controller, loss of communication with the PLC, or intermittent timeouts in SCADA/HMI systems.
- **Detection methods:** Monitor network traffic for unusual sequences of small TCP segments aimed at the device's IP stack. Use Industrial Intrusion Detection Systems (IDS) with signatures specifically for SegmentSmack/CVE-2019-19300.
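The traffic heuristic described above, written out as an added example (not code from the advisory, Siemens or InterNiche): per source/destination flow, count TCP segments that are both small and non-contiguous with the bytes already seen, the pattern that keeps a reassembly queue busy. The packet tuples, the 64-byte "small" cut-off and the alert threshold of 20 are constructed assumptions; a real deployment would feed the same fields from a pcap or flow collector.

```python
from collections import defaultdict

SMALL_SEGMENT = 64   # assumed cut-off: payloads this small rarely carry real data
ALERT_THRESHOLD = 20 # assumed: alert once a flow shows this many suspect segments


def score_flows(packets, small=SMALL_SEGMENT):
    """Count small, non-contiguous TCP segments per (src, dst) flow.

    packets: iterable of (src_ip, dst_ip, tcp_seq, payload_len), in capture order.
    A segment is suspect when its payload is <= `small` bytes AND its sequence
    number is not the next byte the receiver expects (gap or overlap), i.e. the
    kind of segment the stack must park in its reassembly buffer.
    """
    next_expected = {}            # flow -> highest byte offset seen so far
    suspect = defaultdict(int)    # flow -> number of suspect segments
    for src, dst, seq, plen in packets:
        flow = (src, dst)
        if flow in next_expected and seq != next_expected[flow] and plen <= small:
            suspect[flow] += 1    # retransmissions also land here; tune in practice
        next_expected[flow] = max(next_expected.get(flow, 0), seq + plen)
    return dict(suspect)


def alerts(packets, threshold=ALERT_THRESHOLD):
    """Return the flows whose suspect-segment count reaches the threshold."""
    return [flow for flow, n in score_flows(packets).items() if n >= threshold]


def build_sample_packets():
    """Constructed sample traffic, not captured data: two benign flows and one
    flow of tiny segments that each leave a gap before the next one."""
    plc = "192.168.1.10"   # assumed controller address
    in_order = [("10.0.0.5", plc, 1 + i * 512, 512) for i in range(10)]
    small_but_contiguous = [("10.0.0.7", plc, 1 + i * 12, 12) for i in range(30)]
    gappy_small = [("10.0.0.99", plc, 1000 + i * 100, 8) for i in range(30)]
    return in_order + small_but_contiguous + gappy_small


if __name__ == "__main__":
    sample = build_sample_packets()
    for flow, n in score_flows(sample).items():
        print(f"{flow[0]} -> {flow[1]}: {n} small non-contiguous segments")
    print("alerting flows:", alerts(sample))
```

Note that the small-but-contiguous flow produces no alert: payload size alone is not the signal, the combination with out-of-order sequence numbers is.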
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-593272.html
- **General Inquiries:** hxxps://www[.]siemens[.]com/cert/advisories