A serious vulnerability was recently found in the Profinet industrial communication protocol exposes devices from Siemens, Moxa and possibly other vendors to denial-of-service (DoS) attacks.
The high-severity vulnerability was discovered last year by researchers at OTORIO, who found that an attacker could easily cause devices to enter a DoS condition — in some cases requiring a hard restart for recovery — by sending legitimate Profinet packets over the network.
According to the researchers, the vulnerability is so easy to exploit that it may be triggered by accident by an employee who misconfigures the network and can result in serious disruptions to operational processes.
The company’s researchers have confirmed that the vulnerability impacts products from Siemens and Moxa that use Profinet, but they believe products from other vendors may be affected as well. Tens of thousands of devices may be at risk of attacks, but warned that exploitation of the vulnerability is “almost impossible to detect.”
As the advisories are saying, this vulnerability is quite severe and it’s affecting the well-known protocol: Profinet-IO. Specifically, when multiple legitimate diagnostic requests (discovery packets) are sent to the DCE-RPC interface.
This protocol is mainly used to define the entire communication exchange (variables) between IO-Controllers (control devices: PLCs, DCS, etc.) and the IO-Devices (field devices: sensors, actuators, etc.) as well as for diagnostic purpose and parameter tuning.
As we can understand, this protocol is quite crucial for keeping the entire process working as expected and in a safe condition; therefore, an unexpected change of some variables’ values could lead to an instant shutdown (safety system triggered) or even worst scenarios.
Considering that we have more vendors than Moxa and Siemens relying on this standard protocol, we can assume that the potential range of affected devices could be even more.
Apart from patching the affected devices as soon as possible if it’s possible, the main suggestion coming from Siemens is to disable the Profinet protocol entirely, but let’s remember that this is also another scenario that cannot be accomplished all the time. In this latter scenario, organisations need to increase monitoring on their network in order to prevent potential attacks or operator’s mistakes.