Full Report
Products that include the Siemens PROFINET-IO (PNIO) stack in versions prior to V06.00 are potentially affected by a denial of service vulnerability when multiple legitimate diagnostic package requests are sent to the DCE-RPC interface. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available. Additionally, Siemens recommends that other vendors of PROFINET devices check whether their products have incorporated a vulnerable version of the Siemens PNIO stack as part of the Siemens Development/Evaluation Kits.
Analysis Summary
# Vulnerability: Denial of Service in Siemens PROFINET-IO Stack via DCE-RPC
## CVE Details
- CVE ID: CVE-2019-13946
- CVSS Score: 7.5 (High)
- CWE: Not listed in the summary; the implied weakness is improper handling of a large number of legitimate diagnostic requests, leading to loss of availability.
## Affected Systems
- Products:
  * Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller (All versions)
  * Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200 (Versions < V4.5)
  * Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P (Versions < V4.6)
  * PROFINET Driver for Controller (Versions < V2.1)
  * SCALANCE M-800 family (incl. S615, MUM-800 and RM1224)
  * RUGGEDCOM RM1224 family (6GK6108-4AM00) (Versions < V4.3)
  * SCALANCE M804PB (6GK5804-0AP00-2AA2) (Versions < V4.3)
  * *And several other specific Siemens products/variants built on the PNIO stack prior to V06.00.*
- Versions: Siemens PROFINET-IO (PNIO) stack in versions prior to V06.00. Product-specific version details are given in the product list above.
- Configurations: Affects standard PROFINET devices that use the vulnerable stack version; the condition is triggered by sending multiple legitimate diagnostic package requests.
## Vulnerability Description
The vulnerability resides within the Siemens PROFINET-IO (PNIO) stack in versions prior to V06.00. It is a Denial of Service (DoS) vulnerability that can be triggered by sending multiple, legitimate diagnostic package requests directed at the DCE-RPC interface of the affected product. This excessive legitimate traffic leads to an unavailability state on the device.
## Exploitation
- Status: Not explicitly stated as exploited in the wild; no proof of concept is referenced, but the trigger mechanism (sending multiple legitimate diagnostic package requests) is described in the advisory itself.
- Complexity: Likely Low, since triggering the flaw requires only sending multiple legitimate diagnostic package requests to the DCE-RPC interface.
- Attack Vector: Network (The vulnerability is triggered over the PROFINET interface).
## Impact
- Confidentiality: No specific impact mentioned.
- Integrity: No specific impact mentioned.
- Availability: **High Impact.** The vulnerability leads to a Denial of Service (DoS).
## Remediation
### Patches
Updates are required for specific products:
* **EK-ERTEC 200:** Update to V4.5 Patch 01.
* **EK-ERTEC 200P:** Update to V4.6.
* **PROFINET Driver for Controller:** Update to V2.1 Patch 03.
* **SCALANCE M-800 family (incl. S615, MUM-800 and RM1224) / RUGGEDCOM RM1224 family / SCALANCE M804PB:** Update to V6.1.2 or later version.
* Vendors utilizing the PNIO stack should check for patches provided by Siemens for their integrated components.
### Workarounds
1. **Firewall Rule (For relevant SCALANCE/RM1224 devices):** Create a firewall rule that blocks the PROFINET Context Manager port (UDP/34964).
2. **General Countermeasures:** Siemens recommends specific countermeasures for products where no fix is currently available (details are in the referenced advisory).
3. **Third-Party Vendor Action:** Other vendors integrating Siemens PNIO development/evaluation kits are strongly recommended to check if they have incorporated a vulnerable version.
## Detection
- Detection methods focus on monitoring network traffic on the PROFINET interface for an unusual volume of diagnostic package requests directed at the DCE-RPC endpoint (the PROFINET Context Manager port, UDP/34964, named in the workaround above) from a single source within a short time window.
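The following is an added example of such a detector, not code from the advisory: a sliding-window counter that flags any source sending more than a threshold of UDP/34964 requests to one PROFINET device within a short window. The flow-log line format, the sample records, the window size and the threshold are all assumptions chosen for illustration.

```python
"""Rate-based detector for bursts of PROFINET Context Manager (DCE-RPC, UDP/34964) requests.

Added example, not part of the advisory. Log format and thresholds are assumptions;
tune them to the baseline of the monitored PROFINET segment.
"""
from collections import defaultdict, deque
from datetime import datetime

PNIO_CM_PORT = 34964  # PROFINET Context Manager port, from the advisory workaround

# Constructed sample flow records: "<ISO timestamp> <src_ip> <dst_ip> <proto> <dst_port>".
# 192.0.2.10 sends a burst of six requests in six seconds; 192.0.2.20 is a normal client.
SAMPLE_LOG = """\
2024-01-01T10:00:00 192.0.2.10 192.0.2.50 udp 34964
2024-01-01T10:00:01 192.0.2.10 192.0.2.50 udp 34964
2024-01-01T10:00:02 192.0.2.10 192.0.2.50 udp 34964
2024-01-01T10:00:03 192.0.2.10 192.0.2.50 udp 34964
2024-01-01T10:00:04 192.0.2.10 192.0.2.50 udp 34964
2024-01-01T10:00:05 192.0.2.10 192.0.2.50 udp 34964
2024-01-01T10:00:06 192.0.2.20 192.0.2.50 udp 34964
2024-01-01T10:00:07 192.0.2.20 192.0.2.50 tcp 102
2024-01-01T10:00:30 192.0.2.20 192.0.2.50 udp 34964
"""


def parse_line(line):
    """Split one flow record into (timestamp, src, dst, proto, dst_port)."""
    ts, src, dst, proto, dport = line.split()
    return datetime.fromisoformat(ts), src, dst, proto.lower(), int(dport)


def find_bursts(lines, window_s=10, threshold=5):
    """Return {(src, dst): peak_count} for pairs whose UDP/34964 request count
    within any window_s-second window reached the threshold."""
    recent = defaultdict(deque)  # per (src, dst): timestamps inside the current window
    flagged = {}
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, proto, dport = parse_line(line)
        if proto != "udp" or dport != PNIO_CM_PORT:
            continue  # only PROFINET-CM traffic is relevant to this advisory
        window = recent[(src, dst)]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_s:
            window.popleft()  # drop requests that fell out of the window
        if len(window) >= threshold:
            flagged[(src, dst)] = max(flagged.get((src, dst), 0), len(window))
    return flagged


if __name__ == "__main__":
    for (src, dst), count in find_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"ALERT: {src} sent {count} PROFINET-CM requests to {dst} within the window")
```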
## References
- Siemens ProductCERT Advisory SSA-780073: hxxps://www.siemens.com/cert/advisories
- Siemens Security Advisory by Siemens ProductCERT SSA-780073: hxxps://cert-portal.siemens.com/productcert/html/ssa-780073.html