**ATTENTION:** Exploitable from an adjacent network/low skill level to exploit.
Vendor: Siemens
Equipment: Devices using the PROFINET Discovery and Configuration Protocol (DCP)
Vulnerability: Denial of Service
This updated advisory is a follow-up to the updated advisory titled ICSA-17-129-02E Siemens devices using the PROFINET Discovery and Configuration Protocol that was published October 10, 2017, on the NCCIC/ICS-CERT web site.
--------- Begin Update F Part 1 of 2 --------
Siemens reports that these vulnerabilities affect the following products using PROFINET DCP:
--------- End Update F Part 1 of 2 ----------
Successful exploitation of these vulnerabilities could cause the targeted device to enter a denial-of-service condition, which may require human interaction to recover the system.
The attacker must have network access to the local Ethernet segment (Layer 2).
Siemens strongly recommends verifying the affected products are protected as described in PROFINET Security Guidelines and Siemens Operational Guidelines in order to run the devices in a protected IT environment.
<http://www.profibus.com/download/downloads/profinet-security-guideline/display/>
<https://www.siemens.com/cert/operational-guidelines-industrial-security>
--------- Begin Update F Part 2 of 2 --------
Siemens provides firmware updates fixing the vulnerabilities for the following affected products and recommends users update to the new fixed version:
<https://support.industry.siemens.com/cs/ww/en/view/109745387>
<https://support.industry.siemens.com/cs/ww/en/view/109745388>
<https://support.industry.siemens.com/cs/ww/en/view/109749515>
<https://support.industry.siemens.com/cs/ww/en/view/109744924>
<https://support.industry.siemens.com/cs/ww/en/view/109749255>
<https://support.industry.siemens.com/cs/ww/en/view/109747253>
<https://support.industry.siemens.com/cs/ww/en/view/109743740>
<https://support.industry.siemens.com/cs/ww/en/view/109743058>
<https://support.industry.siemens.com/cs/ww/en/view/109748080>
<https://support.industry.siemens.com/cs/ww/en/view/109747276>
<https://support.industry.siemens.com/cs/ww/en/view/109748934>
<https://support.industry.siemens.com/cs/ww/en/view/109748937>
<https://support.industry.siemens.com/cs/ww/en/view/109744953>
<https://support.industry.siemens.com/cs/ww/en/view/109750006>
<https://support.industry.siemens.com/cs/ww/en/view/109747482>
<https://support.industry.siemens.com/cs/ww/en/view/109744504>
<https://support.industry.siemens.com/cs/ww/en/view/102295547>
<https://support.industry.siemens.com/cs/ww/en/view/79207181>
<https://support.industry.siemens.com/cs/ww/en/view/109479281>
<https://support.industry.siemens.com/cs/de/de/view/78648144>
<https://support.industry.siemens.com/cs/de/en/view/109749637>
Updates for Development/Evaluation Kits for PROFINET IO can be obtained via ComDeC at [email protected] or [email protected]
<https://w3.siemens.com/aspa_app/>
<https://support.industry.siemens.com/cs/ww/de/ps/13752/dl> or
<https://support.industry.siemens.com/cs/ww/en/ps/13752/dl>
<https://support.industry.siemens.com/cs/document/109474550>
<https://support.industry.siemens.com/cs/ww/en/view/109476571>
<https://support.industry.siemens.com/cs/ww/en/view/109741461>
<https://support.industry.siemens.com/cs/ww/en/view/109478459>
<https://support.industry.siemens.com/cs/ww/en/view/109478528>
<https://support.industry.siemens.com/cs/ww/en/view/44029688>
<https://support.industry.siemens.com/cs/ww/en/view/109482659>
<https://support.industry.siemens.com/cs/ww/en/view/103433117>
<https://support.industry.siemens.com/cs/ww/en/view/109742040>
<https://support.industry.siemens.com/cs/de/en/view/109474320>
<https://support.industry.siemens.com/cs/de/en/view/92522512>
<https://support.industry.siemens.com/cs/de/en/view/109740193>
<https://support.industry.siemens.com/cs/ww/en/view/103433117>
<https://support.industry.siemens.com/cs/ww/en/view/109742040>
<https://support.industry.siemens.com/cs/document/109746210>
<https://support.industry.siemens.com/cs/ww/en/view/109742328>
SINUMERIK software can be obtained from the local Siemens account manager.
--------- End Update F Part 2 of 2 ----------
Siemens is preparing updates for the remaining affected products and recommends the following mitigations in the meantime:
As a general security measure Siemens and PNO strongly recommend protecting industrial control systems networks with appropriate mechanisms. Siemens encourages users to verify that the affected products are protected as described in PNO Security Guidelines and Siemens operational guidelines in order to run the devices in a protected IT environment.
<https://www.siemens.com/cert/operational-guidelines-industrial-security>
For more information on these vulnerabilities and more detailed mitigation instructions, please see Siemens Security Advisory SSA-293562 at the following location:
<http://www.siemens.com/cert/en/cert-security-advisories.htm>
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B, Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.
Specially crafted PROFINET DCP broadcast packets could cause a denial-of-service condition of affected products on a local Ethernet segment (Layer 2). Human interaction is required to recover the systems. PROFIBUS interfaces are not affected.
CVE-2017-2680 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
Specially crafted PROFINET DCP packets sent on a local Ethernet segment (Layer 2) to an affected product could cause a denial-of-service condition in that product. Human interaction is required to recover the system. PROFIBUS interfaces are not affected.
This vulnerability affects only SIMATIC HMI Multi Panels and HMI Mobile Panels, and S7-300/S7-400 devices.
CVE-2017-2681 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
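A defender-side check for the Layer 2 traffic described in the two entries above, as an added example that is not part of the advisory or of any Siemens code: it parses Ethernet frames carrying PROFINET DCP (EtherType 0x8892, FrameIDs 0xFEFC to 0xFEFF), flags senders outside an allowlist, and flags length fields that disagree with the frame. The advisory does not describe the crafted packets, so this is not a signature for CVE-2017-2680 or CVE-2017-2681; the function names, the caller-supplied allowlist and the sample frame are assumptions made for illustration.

```python
import struct

ETH_P_8021Q, ETH_P_PROFINET = 0x8100, 0x8892
# PROFINET DCP FrameIDs: Hello, Get/Set, Identify request, Identify response
DCP_FRAME_IDS = {0xFEFC: "hello", 0xFEFD: "get/set",
                 0xFEFE: "identify-request", 0xFEFF: "identify-response"}

def check_dcp_blocks(body, data_len):
    """Walk the Option/Suboption/Length blocks; return a list of structural problems."""
    if data_len > len(body):
        return ["DCPDataLength exceeds bytes present in frame"]
    pos = 0
    while pos < data_len:
        if pos + 4 > data_len:
            return ["truncated block header"]
        _opt, _sub, blen = struct.unpack_from("!BBH", body, pos)
        if pos + 4 + blen > data_len:
            return ["block length overruns DCPDataLength"]
        pos += 4 + blen + (blen & 1)   # blocks are padded to an even length
    return []

def inspect_frame(frame, allowed_senders):
    """Return None for non-DCP frames, otherwise a finding record for the frame."""
    if len(frame) < 14:
        return None
    src = ":".join(f"{b:02x}" for b in frame[6:12])
    (etype,) = struct.unpack_from("!H", frame, 12)
    off = 14
    if etype == ETH_P_8021Q and len(frame) >= 18:   # skip a single VLAN tag
        (etype,) = struct.unpack_from("!H", frame, 16)
        off = 18
    if etype != ETH_P_PROFINET or len(frame) < off + 2:
        return None
    (frame_id,) = struct.unpack_from("!H", frame, off)
    if frame_id not in DCP_FRAME_IDS:
        return None
    findings = [] if src in allowed_senders else ["sender not in allowlist"]
    body = frame[off + 2:]             # DCP header (10 bytes) followed by blocks
    if len(body) < 10:
        findings.append("truncated DCP header")
    else:
        findings += check_dcp_blocks(body[10:], struct.unpack_from("!BBIHH", body)[4])
    return {"src": src, "kind": DCP_FRAME_IDS[frame_id],
            "group_addressed": bool(frame[0] & 1), "findings": findings}

def sample_frame(src_hex, data_len):
    """Constructed Identify-All request (not captured traffic) with a chosen length field."""
    return (bytes.fromhex("010ecf000000" + src_hex + "8892" + "fefe")
            + struct.pack("!BBIHH", 5, 0, 1, 1, data_len) + b"\xff\xff\x00\x00")
```

Fed from a mirror port on the PROFINET segment, the records with non-empty `findings` are the ones worth alerting on, since DCP normally comes only from controllers and engineering stations.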
Duan JinTong, Ma ShaoShuai, and Cheng Lei from NSFOCUS Security Team reported these vulnerabilities directly to Siemens.
Critical Infrastructure Sectors: Critical Manufacturing, Food and Agriculture, Chemical, Energy, Water and Wastewater Systems
Countries/Areas Deployed: Worldwide
**Company Headquarters Location:** Germany