Blog

PROFINET vulnerability impacts wide range of Industrial Ethernet devices

David Wolf | February 24, 2020

PROFINET vulnerability impacts wide range of Industrial Ethernet devices

Updates:

  • March 18: Forescout customers using SilentDefense can now detect Siemens and Moxa devices with vulnerable firmware versions. To access Forescout’s SilentDefense latest Vulnerability Database, which includes detection for Siemens CVE-2019-13946 and Moxa CVE-2019-19707, ask your OT account representative.

Dozens of critical Industrial Ethernet devices have been rendered vulnerable, as security researchers discovered a weakness in the Siemens-built PROFINET-IO stack responsible for handling packets used in routine device management. The issue is serious—overloading a device with multiple diagnostic packets may allow an unskilled attacker (or unwitting end-user) to easily knock impacted devices offline. The impacted devices are common to operational technology (OT) environments with high-availability requirements in the Energy, Oil and Gas, Smart Transportation, and Critical Manufacturing sectors.

Security researchers from Israeli startup OTORIO responsibly disclosed the discovery in August, and patches have since been issued for many impacted devices. CISA’s ICS-CERT also issued an advisory for the issue, while Siemens issued security advisory SSA-780073. Other industrial devices relying on the Siemens PROFINET-IO (PNIO) stack are also affected, including Moxa EDS Ethernet Switches. Siemens has further advised that devices made by other vendors using the stack may also be impacted.

What do we expect?

While the greatest impact will likely be to the range of Siemens devices using chipsets affected by the vulnerability, the issue is not Siemens-specific—the issue is with protocol implementation, so results will vary by vendor. Other vendors beyond Moxa and Siemens will likely be issuing advisories in the coming months. According to the Profibus Users Group “by the end of 2018, a total of 26 million PROFINET devices were working to automate production.”

Typically, protocol abuses require malformed packets that can be identified through packet inspection and anomaly detection, but in this case, a series of legitimate diagnostic packets can render a device unusable. Since the primary functionality of the packets is intended by design, mitigating the issue will prove difficult in many environments.

As described by the OTORIO researchers, “failing to patch the vulnerability could have hazardous consequences including power outages, failure of traffic control systems, disrupted operations and more.” Due to the ease of execution and difficulty in detecting the as-designed functionality as being malicious, the exploit will be an attractive addition to ICS-specific exploit kits.

We expect the prolonged vendor impact to be similar to the URGENT/11 vulnerabilities, which brought a series of affected vendors to issue advisories for months following the initial public disclosure. The issue is serious enough that even vendors not impacted may be required to issue bulletins addressing the issue, even to just reassure their industrial customers of no impact.

Recommendations

  • The existing guidance from both Siemens and ICS-CERT lacks the details and range of effective mitigations that we as practitioners would hope to find.
  • Both Siemens and Moxa are still working on issuing patches for some affected products—customers are recommended to update their devices as patches become available.
  • Forescout customers using SilentDefense can now detect Siemens and Moxa devices with vulnerable firmware versions.

To access Forescout’s SilentDefense latest Vulnerability Database, which includes detection for Siemens CVE-2019-13946 and Moxa CVE-2019-19707, ask your OT account representative.

  1. https://www.otorio.com/blog/posts/vulnerability-in-siemens-devices-used-for-critical-infrastructure
  2. https://www.us-cert.gov/ics/advisories/icsa-20-042-04
  3. https://cert-portal.siemens.com/productcert/pdf/ssa-780073.pdf
  4. https://www.us-cert.gov/ics/advisories/icsa-19-353-01
  5. https://profibusgroup.com/2019/05/16/profinet-profibus-node-count-tops-87-million-in-2018/
  6. https://www.forescout.com/company/blog/solving-urgent11-identifying-vxworks-and-defending-ot-devices/