Denial of Service Vulnerability in Siemens PROFINET IO Products
CVE-2019-19300

7.5HIGH

Key Information:

Vendor: Siemens
Status: Development/evaluation Kits For Profinet Io: Ek-ertec 200; Development/evaluation Kits For Profinet Io: Ek-ertec 200p; Ktk Ate530s; Sidoor Atd430w
Vendor: CVE Published:; 14 April 2020

Summary

A vulnerability has been discovered in the Interniche-based TCP Stack used by various Siemens PROFINET IO products. This vulnerability allows an attacker to force the stack into making prohibitively expensive calls for each incoming packet. As a result, this can exhaust system resources and lead to a denial of service condition, disrupting normal operations of affected devices.

Affected Version(s)

Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200 All versions

Development/Evaluation Kits for PROFINET IO: EK-ERTEC 200P All versions

KTK ATE530S All versions

References

https://cert-portal.siemens.com/productcert/pdf/ssa-59327...

https://cert-portal.siemens.com/productcert/html/ssa-5932...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 14, 2020
Vulnerability Reserved
Nov 26, 2019