Denial of Service Vulnerability in Siemens PROFINET Products
CVE-2017-2680
What is CVE-2017-2680?
Specially crafted PROFINET DCP broadcast packets sent within a local Ethernet segment (Layer 2) can cause a denial of service condition on affected Siemens products. Recovering from this state requires human intervention. Devices using PROFIBUS interfaces are not affected. Organizations using Siemens PROFINET devices should assess their network security measures and implement mitigations for this flaw.
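As an added example (not from Siemens or the original advisory), one way to watch a segment for the traffic class described above: the code picks out PROFINET DCP frames by EtherType 0x8892 and the DCP FrameIDs, then flags broadcast or multicast DCP from senders outside an allowlist, or with a declared length larger than the frame. The advisory does not say what makes a packet "specially crafted", so the length check is a generic sanity check rather than a signature for this CVE; the MAC addresses and sample frames are constructed.

```python
import struct

ETH_P_PROFINET, ETH_P_8021Q = 0x8892, 0x8100   # PROFINET RT EtherType, VLAN tag
DCP_FRAME_IDS = {0xFEFC: "Hello", 0xFEFD: "Get/Set",
                 0xFEFE: "Identify request", 0xFEFF: "Identify response"}

def parse_dcp(frame):
    """Return a dict for a PROFINET DCP frame, or None for anything else."""
    off = 12
    if frame[off:off + 2] == struct.pack("!H", ETH_P_8021Q):
        off += 4                                  # skip one 802.1Q tag
    if len(frame) < off + 4:
        return None
    etype, frame_id = struct.unpack_from("!HH", frame, off)
    if etype != ETH_P_PROFINET or frame_id not in DCP_FRAME_IDS:
        return None
    body = frame[off + 4:]                        # bytes after the FrameID
    length_ok = False
    if len(body) >= 10:
        # ServiceID, ServiceType, Xid, ResponseDelay, DCPDataLength
        *_, declared = struct.unpack_from("!BBIHH", body)
        length_ok = declared <= len(body) - 10    # padding may make body longer
    return {"src": frame[6:12].hex(":"), "kind": DCP_FRAME_IDS[frame_id],
            "group_addressed": bool(frame[0] & 1), "length_ok": length_ok}

def review(frames, allowed_sources):
    """Alert on group-addressed DCP from unexpected senders or with a bad length."""
    alerts = []
    for d in filter(None, map(parse_dcp, frames)):
        if not d["group_addressed"]:
            continue
        if d["src"] not in allowed_sources:
            alerts.append((d["src"], "unexpected DCP sender"))
        elif not d["length_ok"]:
            alerts.append((d["src"], "declared DCP length exceeds frame"))
    return alerts

def _frame(dst, src, frame_id, declared, data=b""):
    """Build a constructed sample frame (not captured traffic)."""
    return (bytes.fromhex(dst + src) + struct.pack("!HH", ETH_P_PROFINET, frame_id)
            + struct.pack("!BBIHH", 0x05, 0x00, 1, 1, declared) + data)

STATION = "020000000001"                          # hypothetical engineering station
SAMPLES = [
    _frame("010ecf000000", STATION, 0xFEFE, 4, b"\xff\xff\x00\x00"),
    _frame("ffffffffffff", "020000000099", 0xFEFE, 4, b"\xff\xff\x00\x00"),
    _frame("ffffffffffff", STATION, 0xFEFE, 400, b"\xff\xff\x00\x00"),
    _frame("020000000002", "020000000099", 0xFEFD, 0),
]
ALERTS = review(SAMPLES, {bytes.fromhex(STATION).hex(":")})
```

In a deployment the frames would come from a mirror port or capture file on the PROFINET segment, and the allowlist would hold the MAC addresses of the controllers and engineering stations expected to send DCP.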
Affected Version(s)
Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller, all versions < V4.1.1 Patch04
Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200, all versions < V4.2.1 Patch03
Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P, all versions < V4.4.0 Patch01