CVE-2019-13946

7.5HIGH

Key Information:

Vendor: Siemens
Status: Development/evaluation Kits For Profinet Io: Dk Standard Ethernet Controller; Development/evaluation Kits For Profinet Io: Ek-ertec 200; Development/evaluation Kits For Profinet Io: Ek-ertec 200p; Profinet Driver For Controller
Vendor: CVE Published:; 11 February 2020

Summary

Profinet-IO (PNIO) stack versions prior V06.00 do not properly limit internal resource allocation when multiple legitimate diagnostic package requests are sent to the DCE-RPC interface. This could lead to a denial of service condition due to lack of memory for devices that include a vulnerable version of the stack.

The security vulnerability could be exploited by an attacker with network access to an affected device. Successful exploitation requires no system privileges and no user interaction. An attacker could use the vulnerability to compromise the availability of the device.

Affected Version(s)

Development/Evaluation Kits for PROFINET IO: DK Standard Ethernet Controller 0

Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200 All Versions < V4.5

Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P All Versions < V4.6

References

https://cert-portal.siemens.com/productcert/pdf/ssa-78007...

https://cert-portal.siemens.com/productcert/html/ssa-7800...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 11, 2020
Vulnerability Reserved
Jul 18, 2019