Full Report
A vulnerability in affected devices could allow an attacker to perform a denial of service attack if a large number of Profinet Discovery and Configuration Protocol (DCP) reset packets are sent to the affected devices. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Denial of Service in Siemens PROFINET Devices
## CVE Details
- **CVE ID:** CVE-2020-28400
- **CVSS Score:** 7.5 (High) [v3.1] / 8.7 (High) [v4.0]
- **CWE:** CWE-770 (Allocation of Resources Without Limits or Throttling)
## Affected Systems
- **Products:** Various Siemens PROFINET-enabled industrial components, including:
  - **Development Kits:** DK Standard Ethernet Controller, EK-ERTEC 200, EK-ERTEC 200P.
  - **Communication Modules:** SIMATIC CP 1616, CP 1626, SIMATIC IE/PB-LINK.
  - **Controllers/PLCs:** SIMATIC S7-1200 CPU family (including SIPLUS).
  - **Industrial Identification/Control:** SIMATIC MV540 H, SIMOCODE pro V Ethernet/IP.
  - **Network Infrastructure:** SCALANCE switch families (X-200, X-300, XB-200, XC-200, XP-200, XR-300WG, XF-200), SCALANCE W-700/W-1700.
  - **Software:** SIMATIC PROFINET Driver.
- **Versions:** specific version ranges apply (e.g., S7-1200 < V4.5; SIMATIC PROFINET Driver < V2.3).
- **Configurations:** High-volume traffic environment utilizing the PROFINET Discovery and Configuration Protocol (DCP).
## Vulnerability Description
Affected devices contain a flaw where they fail to properly throttle or limit the processing of PROFINET Discovery and Configuration Protocol (DCP) reset packets. An unauthenticated remote attacker can exploit this by flooding the device with a large volume of these specific packets, exhausting device resources and leading to a Denial of Service (DoS) condition.
## Exploitation
- **Status:** Not explicitly reported as exploited in the wild (per advisory text); no PoC link provided.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (The primary impact is the loss of device availability/operability).
## Remediation
### Patches
Siemens has released updates for several product lines. Key updates include:
- **SIMATIC S7-1200 CPU:** Update to V4.5 or later.
- **SIMATIC PROFINET Driver:** Update to V2.3 or later.
- **SIMOCODE pro V Ethernet/IP:** Update to V1.1.3 or later.
- **SCALANCE XB-200, XC-200, XP-200, XF-200, XR-300WG:** Various firmware updates available (refer to specific product support pages).
**Note:** For several legacy or specific hardware modules (e.g., CP 1616, IE/PB-LINK, EK-ERTEC 200), **no fix is planned**.
### Workarounds
For products where no fix is available, Siemens recommends:
- Disable the PROFINET protocol if it is not required for operation.
- Use VLANs to segment PROFINET traffic from the rest of the network.
- Implement specialized industrial firewalls or deep packet inspection (DPI) to filter unauthorized or excessive DCP traffic.
## Detection
- **Indicators of Compromise:** Sudden loss of device responsiveness or network timeouts specifically following a spike in UDP/PROFINET traffic.
- **Detection methods and tools:** Network monitoring tools capable of identifying high-frequency PROFINET DCP Reset frames (typically EtherType 0x8892).
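The detection method above can be made concrete with a small rate-based detector. DCP is carried directly in Ethernet frames at EtherType 0x8892 (optionally behind an 802.1Q tag), and a reset is a DCP Set request (FrameID 0xFEFD, ServiceID 4) carrying a Control option block (option 0x05) with the ResetToFactory suboption (0x06; 0x05 is the older FactoryReset). The following Python is an added example written for this summary, not code from Siemens or from the advisory: the frame layouts follow the DCP specification as read by the author of this example, the sample frames are constructed test data rather than captures from any device, and the threshold (5 reset requests from one source MAC within 1 s) and the MAC addresses are assumptions chosen for the demonstration.

```python
import struct
from collections import defaultdict, deque

# Protocol constants (PROFINET DCP over raw Ethernet)
PN_ETHERTYPE = 0x8892
VLAN_ETHERTYPE = 0x8100
FRAMEID_DCP_GETSET = 0xFEFD          # FrameID used for DCP Get/Set
DCP_SERVICE_SET = 0x04
DCP_SERVICE_TYPE_REQUEST = 0x00
DCP_OPTION_CONTROL = 0x05
DCP_SUBOPTIONS_RESET = {0x05, 0x06}  # FactoryReset (legacy), ResetToFactory


def parse_ethernet(frame: bytes):
    """Return (src_mac, ethertype, payload); skips one 802.1Q tag if present."""
    if len(frame) < 14:
        return None
    src = frame[6:12].hex(":")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == VLAN_ETHERTYPE:
        if len(frame) < 18:
            return None
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return src, ethertype, frame[offset:]


def is_dcp_reset_request(payload: bytes) -> bool:
    """True if a PROFINET payload is a DCP Set request containing a Control/Reset block."""
    if len(payload) < 12:
        return False
    # FrameID, ServiceID, ServiceType, Xid, ResponseDelay, DCPDataLength
    frame_id, service_id, service_type, _xid, _delay, data_len = struct.unpack("!HBBIHH", payload[:12])
    if (frame_id != FRAMEID_DCP_GETSET or service_id != DCP_SERVICE_SET
            or service_type != DCP_SERVICE_TYPE_REQUEST):
        return False
    blocks = payload[12:12 + data_len]
    pos = 0
    while pos + 4 <= len(blocks):
        option, suboption, block_len = struct.unpack("!BBH", blocks[pos:pos + 4])
        if option == DCP_OPTION_CONTROL and suboption in DCP_SUBOPTIONS_RESET:
            return True
        pos += 4 + block_len + (block_len % 2)  # block data is padded to even length
    return False


class DcpResetFloodDetector:
    """Sliding-window counter of DCP reset requests per source MAC (threshold is an assumption)."""

    def __init__(self, threshold: int = 5, window_s: float = 1.0):
        self.threshold = threshold
        self.window_s = window_s
        self._events = defaultdict(deque)  # src_mac -> timestamps of reset requests

    def observe(self, ts: float, frame: bytes):
        """Feed one frame with its timestamp; return an alert dict when the threshold is hit, else None."""
        parsed = parse_ethernet(frame)
        if parsed is None:
            return None
        src, ethertype, payload = parsed
        if ethertype != PN_ETHERTYPE or not is_dcp_reset_request(payload):
            return None
        q = self._events[src]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        if len(q) >= self.threshold:
            return {"src": src, "count": len(q), "window_s": self.window_s, "ts": ts}
        return None


# Constructed sample frames (hex, not captured from any real device); MACs are made up.
RESET_FRAME = bytes.fromhex(
    "000c29aabbcc" "020000000001" "8892"       # dst, src, EtherType PROFINET
    "fefd" "04" "00" "00000001" "0000" "0006"  # Get/Set FrameID, Set request, Xid, delay, DCPDataLength
    "05" "06" "0002" "0000")                   # Control / ResetToFactory block + BlockQualifier
VLAN_RESET_FRAME = bytes.fromhex(
    "000c29aabbcc" "020000000002" "8100" "c000" "8892"  # same request behind an 802.1Q tag (PCP 6)
    "fefd" "04" "00" "00000001" "0000" "0006"
    "05" "06" "0002" "0000")
NAME_FRAME = bytes.fromhex(                    # benign DCP Set of NameOfStation = "plc1"
    "000c29aabbcc" "020000000003" "8892"
    "fefd" "04" "00" "00000002" "0000" "000a"
    "02" "02" "0006" "0001" "706c6331")
IDENTIFY_FRAME = bytes.fromhex(                # benign DCP Identify request (FrameID 0xFEFE)
    "000c29aabbcc" "020000000003" "8892"
    "fefe" "05" "00" "00000003" "0000" "0004"
    "ff" "ff" "0000")


def run_demo(threshold: int = 5, window_s: float = 1.0):
    """Replay constructed traffic through the detector and return the alerts raised."""
    det = DcpResetFloodDetector(threshold=threshold, window_s=window_s)
    alerts = []
    for i in range(5):                         # burst: 5 resets from one source within 0.4 s
        alert = det.observe(0.1 * i, RESET_FRAME)
        if alert:
            alerts.append(alert)
    for ts, frame in ((1.0, NAME_FRAME), (1.1, IDENTIFY_FRAME)):  # benign DCP never counts
        if det.observe(ts, frame):
            alerts.append({"unexpected": True})
    for i in range(5):                         # resets spaced 2 s apart stay under threshold
        if det.observe(10.0 + 2.0 * i, VLAN_RESET_FRAME):
            alerts.append({"unexpected": True})
    return alerts


if __name__ == "__main__":
    for a in run_demo():
        print(f"ALERT: {a['count']} DCP reset requests from {a['src']} within {a['window_s']} s")
```

In a real deployment the frames would come from a SPAN/mirror port or an industrial IDS sensor rather than the hard-coded samples, and the threshold should be set well above the rate at which engineering tools legitimately issue resets (normally a handful per commissioning, not several per second). Keying on the source MAC is deliberate: DCP frames carry no IP header, so that is the only sender identity available at this layer.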
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-599968[.]pdf
- **Siemens ProductCERT:** hxxps://www[.]siemens[.]com/cert/advisories
- **Technical Support:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109793280/