CVE-2020-28400 in SCALANCEinfo

Summary

by MITRE • 07/13/2021

A vulnerability has been identified in Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller (All versions), Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200 (All versions), Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P (All versions), RUGGEDCOM RM1224 (All Versions < 6.4), SCALANCE M-800 (All Versions < 6.4), SCALANCE S615 (All Versions < 6.4), SCALANCE W1700 IEEE 802.11ac (All versions), SCALANCE W700 IEEE 802.11n (All versions), SCALANCE X200-4 P IRT (All Versions < V5.5.0), SCALANCE X201-3P IRT (All Versions < V5.5.0), SCALANCE X201-3P IRT PRO (All Versions < V5.5.0), SCALANCE X202-2 IRT (All Versions < V5.5.0), SCALANCE X202-2P IRT (incl. SIPLUS NET variant) (All Versions < V5.5.0), SCALANCE X202-2P IRT PRO (All Versions < V5.5.0), SCALANCE X204 IRT (All Versions < V5.5.0), SCALANCE X204 IRT PRO (All Versions < V5.5.0), SCALANCE X204-2 (incl. SIPLUS NET variant) (All versions), SCALANCE X204-2FM (All versions), SCALANCE X204-2LD (incl. SIPLUS NET variant) (All versions), SCALANCE X204-2LD TS (All versions), SCALANCE X204-2TS (All versions), SCALANCE X206-1 (All versions), SCALANCE X206-1LD (incl. SIPLUS NET variant) (All versions), SCALANCE X208 (incl. SIPLUS NET variant) (All versions), SCALANCE X208PRO (All versions), SCALANCE X212-2 (All versions), SCALANCE X212-2LD (All versions), SCALANCE X216 (All versions), SCALANCE X224 (All versions), SCALANCE X302-7EEC (All versions), SCALANCE X304-2FE (All versions), SCALANCE X306-1LDFE (All versions), SCALANCE X307-2EEC (All versions), SCALANCE X307-3 (All versions), SCALANCE X307-3LD (All versions), SCALANCE X308-2 (incl. SIPLUS NET variant) (All versions), SCALANCE X308-2LD (All versions), SCALANCE X308-2LH (All versions), SCALANCE X308-2LH+ (All versions), SCALANCE X308-2M (All versions), SCALANCE X308-2M POE (All versions), SCALANCE X308-2M TS (All versions), SCALANCE X310 (All versions), SCALANCE X310FE (All versions), SCALANCE X320-1FE (All versions), SCALANCE X320-3LDFE (All versions), SCALANCE XB-200 (All versions), SCALANCE XC-200 (All versions), SCALANCE XF-200BA (All versions), SCALANCE XF201-3P IRT (All Versions < V5.5.0), SCALANCE XF202-2P IRT (All Versions < V5.5.0), SCALANCE XF204 (All versions), SCALANCE XF204 IRT (All Versions < V5.5.0), SCALANCE XF204-2 (incl. SIPLUS NET variant) (All versions), SCALANCE XF204-2BA IRT (All Versions < V5.5.0), SCALANCE XF206-1 (All versions), SCALANCE XF208 (All versions), SCALANCE XM400 (All versions < V6.3.1), SCALANCE XP-200 (All versions), SCALANCE XR-300WG (All versions), SCALANCE XR324-12M (All versions), SCALANCE XR324-12M TS (All versions), SCALANCE XR324-4M EEC (All versions), SCALANCE XR324-4M POE (All versions), SCALANCE XR324-4M POE TS (All versions), SCALANCE XR500 (All versions < V6.3.1), SIMATIC CFU PA (All versions), SIMATIC IE/PB-LINK V3 (All versions), SIMATIC MV500 family (All versions < V3.0), SIMATIC NET CM 1542-1 (All versions), SIMATIC NET CP1616/CP1604 (All Versions >= V2.7), SIMATIC NET CP1626 (All versions), SIMATIC NET DK-16xx PN IO (All Versions >= V2.7), SIMATIC PROFINET Driver (All versions), SIMATIC Power Line Booster PLB, Base Module (MLFB: 6ES7972-5AA10-0AB0) (All versions), SIMATIC S7-1200 CPU family (incl. SIPLUS variants) (All Versions < V4.5), SIMOCODE proV Ethernet/IP (All versions < V1.1.3), SIMOCODE proV PROFINET (All versions < V2.1.3), SOFTNET-IE PNIO (All versions). Affected devices contain a vulnerability that allows an unauthenticated attacker to trigger a denial-of-service condition. The vulnerability can be triggered if a large amount of DCP reset packets are sent to the device.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 12/10/2024

This vulnerability resides within industrial network equipment and communication modules that implement PROFINET IO protocols, specifically affecting a wide range of ruggedized networking devices from various manufacturers including Siemens and RuggedCom. The flaw manifests as a denial-of-service condition that can be triggered through the injection of excessive DCP reset packets, which are part of the Device Configuration Protocol used in PROFINET networks for device discovery and configuration. The vulnerability affects both development and evaluation kits as well as production-grade industrial networking equipment, spanning multiple device families and firmware versions across several manufacturers' product lines. This represents a significant security concern for industrial control systems where network availability is critical for operational continuity. The vulnerability is categorized under CWE-400, which addresses "Uncontrolled Resource Consumption" or "Resource Exhaustion," specifically manifesting as a denial-of-service attack through packet flooding.

The technical mechanism of exploitation involves sending a large volume of DCP reset packets to target devices, which causes the system to consume excessive resources during processing of these packets. The DCP protocol is designed to allow network configuration and device identification within PROFINET networks, but the implementation lacks adequate rate limiting or packet validation mechanisms to prevent resource exhaustion. When overwhelmed with these reset packets, the affected devices become unresponsive to legitimate network traffic, effectively rendering them unavailable for their intended industrial control functions. This type of attack falls under the ATT&CK technique T1499.004, "Elevated Execution with Systemd Service," though more accurately represents a resource exhaustion attack against industrial network protocols. The vulnerability impacts devices across multiple generations of firmware, with specific version thresholds indicating that certain releases have not received the necessary security patches to prevent this condition.

The operational impact of this vulnerability extends beyond simple network disruption to potentially compromise industrial automation and control processes that depend on these network devices. In critical infrastructure environments such as manufacturing plants, oil and gas facilities, or power generation stations, the denial-of-service condition could result in production halts, safety system failures, or emergency shutdowns. The affected devices include both edge networking equipment and core industrial controllers, making this vulnerability particularly dangerous as it can affect multiple layers of industrial network architecture. The fact that this vulnerability affects both development kits and production equipment indicates a systemic issue in the security design of these industrial networking solutions. Organizations using these devices face the risk of operational downtime that could cost millions of dollars in lost productivity and potential safety hazards.

Mitigation strategies for this vulnerability should focus on implementing network segmentation and access controls to limit exposure to unauthorized network traffic. Network administrators should deploy rate limiting mechanisms at network boundaries to prevent excessive DCP packet flooding, while also implementing proper firewall rules to restrict DCP traffic to trusted network segments only. Device firmware updates should be applied immediately to versions that contain patches addressing the resource exhaustion issue, with particular attention to the specified version thresholds mentioned in the vulnerability description. Network monitoring should be enhanced to detect unusual patterns of DCP traffic that could indicate an ongoing attack, and intrusion detection systems should be configured to alert on abnormal packet volumes. The vulnerability also highlights the importance of secure network design principles and the need for industrial network equipment to implement proper resource management and rate limiting to prevent similar attacks. Organizations should conduct regular security assessments of their industrial network infrastructure to identify and remediate similar vulnerabilities before they can be exploited by malicious actors.

Reservation

11/10/2020

Disclosure

07/13/2021

Moderation

accepted

CPE

ready

EPSS

0.01856

KEV

no

Activities

very low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!