Siemens PROFINET-IO Stack Uncontrolled Resource Consumption (CVE-2019-13946)

high Tenable OT Security Plugin ID 500356

Synopsis

The remote OT asset is affected by a vulnerability.

Description

Profinet-IO (PNIO) stack versions prior V06.00 do not properly limit internal resource allocation when multiple legitimate diagnostic package requests are sent to the DCE-RPC interface. This could lead to a denial of service condition due to lack of memory for devices that include a vulnerable version of the stack. The security vulnerability could be exploited by an attacker with network access to an affected device. Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise the availability of the device.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Siemens has released updates for several affected products and recommends users update to the new version. Siemens is preparing further updates and recommends specific countermeasures until patches are available.

- SCALANCE X-200 switch family (incl. SIPLUS NET variants), All versions prior to v5.2.5: Update to v5.2.5 or later version
- SCALANCE XB-200, All versions prior to v3.0: Update to v4.1
- SCALANCE XC-200, All versions prior to v3.0: Update to v4.1
- SCALANCE XP-200, All versions prior to v3.0: Update to v4.1
- SCALANCE XF-200BA, All versions prior to v3.0: Update to v4.1
- SCALANCE XR-300WG, All versions prior to v3.0: Update to v4.1
- SCALANCE M-800, All versions prior to v4.3: Update to v6.1.2
- SCALANCE S615, All versions prior to v4.3: Update to v6.1.2
- Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200: Update to v4.5 Patch 01
- Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P: Update to v4.6
- PROFINET Driver for Controller: Update to v2.1 Patch 03
- SCALANCE M-800 / S615: Update to v6.1.2
- SCALANCE W700 IEEE 802.11n: Update to v6.4
- SCALANCE X-200IRT switch family: Update to v5.4.2
- SCALANCE XB-200, XC-200, XP-200, XF-200BA and XR-300WG: Update to v4.1
- SCALANCE XM-400 switch family: Update to v6.2.3
- SCALANCE XR-500 switch family: Update to v6.2.3
- SIMATIC CP 1616 and CP 1604: Update to v2.8.1
- SIMATIC ET200MP IM155-5 PN HF: Update to v4.2.0
- SIMATIC ET200MP IM155-5 PN ST: Update to v4.1.0
- SIMATIC ET200SP IM155-6 PN HF: Update to v4.2.2
- SIMATIC ET200SP IM155-6 PN ST: pdate to v4.1.0
- SIMATIC RF600 family: Update to v3.2.1
- SINAMICS DCP: Update to v1.3
- SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants): Update to v4.1.4 or later

- SIMATIC NET CP 443-1 Advanced (incl. SIPLUS variants): Currently no fix planned
- SIMATIC NET CP 443-1 (incl. SIPLUS variants): Currently no fix planned
- SIMATIC NET CP 443-1 OPC UA: Currently no fix planned

Siemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:

- Block incoming DCE-RPC packets (port 34964/UDP) from untrusted networks
- SCALANCE M-800 / S615 and RUGGEDCOM RM1224: Create a firewall rule that blocks the PROFINET Context Manager Port (34964/UDP)
- Disable PROFINET in products, where PROFINET is optional and not used in your environment

As a general security measure, Siemens strongly recommends users protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends users configure the environment according to Siemens’ operational guidelines for Industrial Security, and follow the recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For more information, please see Siemens security advisory: SSA-780073

See Also

https://cert-portal.siemens.com/productcert/pdf/ssa-780073.pdf

https://www.cisa.gov/news-events/ics-advisories/icsa-20-042-04

Plugin Details

Severity: High

ID: 500356

Version: 1.13

Type: remote

Family: Tenable.ot

Published: 2/7/2022

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: High

Base Score: 7.8

Temporal Score: 5.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

CVSS Score Source: CVE-2019-13946

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:siemens:scalance_xf-200ba_firmware, cpe:/o:siemens:scalance_xr528_firmware, cpe:/o:siemens:simatic_et200m_im153-4_pn_io_hf_firmware, cpe:/o:siemens:scalance_xm-400_firmware, cpe:/o:siemens:simatic_et200pro_im154-3_pn_hf_firmware, cpe:/o:siemens:simatic_et200m_im153-4_pn_io_st_firmware, cpe:/o:siemens:scalance_xb-200_firmware, cpe:/o:siemens:scalance_x-200_firmware, cpe:/o:siemens:scalance_xc-200_firmware, cpe:/o:siemens:ruggedcom_rm1224_firmware, cpe:/o:siemens:scalance_x-400_firmware, cpe:/o:siemens:scalance_xr-300wg_firmware, cpe:/o:siemens:simatic_et200al_im_157-1_pn_firmware, cpe:/o:siemens:simatic_cp_343-1_firmware, cpe:/o:siemens:simatic_cp_443-1_opc_ua_firmware, cpe:/o:siemens:simatic_et200sp_im155-6_pn_hf_firmware, cpe:/o:siemens:simatic_et200sp_im155-6_pn_st_firmware, cpe:/o:siemens:scalance_xr-300_firmware, cpe:/o:siemens:scalance_xf-200_firmware, cpe:/o:siemens:simatic_et200ecopn_firmware, cpe:/o:siemens:scalance_xr524_firmware, cpe:/o:siemens:simatic_cp_443-1_advanced_firmware, cpe:/o:siemens:simatic_et200mp_im155-5_pn_hf_firmware, cpe:/o:siemens:simatic_et200s_firmware, cpe:/o:siemens:simatic_et200sp_im155-6_pn_basic_firmware, cpe:/o:siemens:simatic_cp_343-1_erpc_firmware, cpe:/o:siemens:scalance_xp-200_firmware, cpe:/o:siemens:simatic_cp_443-1_firmware, cpe:/o:siemens:simatic_cp_343-1_advanced_firmware, cpe:/o:siemens:scalance_s615_firmware, cpe:/o:siemens:scalance_xr552_firmware, cpe:/o:siemens:scalance_m-800_firmware, cpe:/o:siemens:simatic_cp_343-1_lean_firmware, cpe:/o:siemens:scalance_xr526_firmware, cpe:/o:siemens:scalance_w700_ieee_802.11n_firmware, cpe:/o:siemens:simatic_et200mp_im155-5_pn_st_firmware, cpe:/o:siemens:simatic_et200pro_im154-4_pn_hf_firmware, cpe:/o:siemens:simatic_cp_1616_firmware, cpe:/o:siemens:scalance_x-300_firmware, cpe:/o:siemens:simatic_cp_1604_firmware, cpe:/o:siemens:scalance_x-200irt_firmware

Required KB Items: Tenable.ot/Siemens

Exploit Ease: No known exploits are available

Patch Publication Date: 2/11/2020

Vulnerability Publication Date: 2/11/2020

Reference Information

CVE: CVE-2019-13946

CWE: 400

ICSA: 20-042-04