OTORIO Finds Siemens Vulnerability Affecting Critical Infrastructure

11 Feb 2020

OTORIO’s researchers have recently discovered a vulnerability in a series of Siemens industrial devices. The vulnerability [CVE-2019-13946] is a DoS (denial of service) Uncontrolled Resource Consumption vulnerability. If exploited, it can be used by attackers to cause an affected device to shut down. Worse still, in some cases the vulnerability can leave a device halted - requiring a hard restart to recover.

The vulnerability lies inside the implementation of the Profinet(R) stack in Siemens devices, including distributed I/Os (SIMATIC ET200), communication modules (SIMATIC CP) and industrial switches (SCALANCE).

These devices are used, among other things, to connect dispersed IoT devices with core systems, networks and processes, and they serve critical infrastructure in verticals ranging from power generation and distribution to Oil & Gas, Transportation and more. Failing to patch the vulnerability could have hazardous consequences, including power outages, failure of traffic control systems, disrupted operations and more.

It is as simple as it is devastating

The vulnerability can be easily exploited, and coupled with the high sensitivity of the services running over Siemens devices, this gives the flaw a huge potential for damage. It is a remote, routable and unauthenticated vulnerability that uses legitimate functionality of the protocol. This complicates mitigation, because blocking Profinet communication can itself disrupt the operational process of machinery, signaling networks and connected devices.

The vulnerability does not require any special packet-crafting techniques or sophisticated reverse engineering. In fact, even a simple attack can have a dramatic impact on the operational process, because all it takes is sending legitimate Profinet packets into the network. Worse still - because it relies on a benign process, the damage can be set off even by an unsuspecting employee who misconfigures the network.
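Because the trigger is legitimate Profinet traffic, a plant cannot simply block the protocol; what it can do is watch the rate at which Profinet frames arrive from each source and raise an alert when one station starts flooding, whether by malice or by misconfiguration. The following is an added example written for this article, not OTORIO's or Siemens' code: a small Python monitor that parses raw Ethernet II frames (with an optional 802.1Q tag), picks out Profinet real-time frames by their EtherType 0x8892, and keeps a sliding-window count per source MAC. The sample frames, the MAC addresses (locally administered 02:... addresses) and the threshold of 200 frames per second are constructed for the demonstration and would need tuning per plant.

```python
"""Per-source rate monitor for Profinet frames seen on a mirrored switch port.

Added example (assumption-based, not vendor code). Frames are assumed to arrive
as (timestamp, raw_bytes) pairs, e.g. from a SPAN port capture.
"""
import struct
from collections import defaultdict, deque

ETHERTYPE_VLAN = 0x8100      # 802.1Q tag; Profinet RT frames are often VLAN/priority tagged
ETHERTYPE_PROFINET = 0x8892  # Profinet real-time EtherType (RT traffic and DCP)

# Constructed addresses for the demo (locally administered, not real devices).
CONTROLLER_MAC = "02:00:00:00:00:01"
FLOOD_MAC = "02:00:00:00:00:02"
IO_DEVICE_MAC = "02:00:00:00:00:10"


def parse_ethernet(frame: bytes):
    """Return (src_mac, dst_mac, ethertype) for an Ethernet II frame.

    Skips one 802.1Q VLAN tag if present. Returns None for truncated frames.
    """
    if len(frame) < 14:
        return None
    dst = frame[0:6].hex(":")
    src = frame[6:12].hex(":")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == ETHERTYPE_VLAN:
        if len(frame) < 18:
            return None
        (ethertype,) = struct.unpack("!H", frame[16:18])  # inner EtherType after the tag
    return src, dst, ethertype


class ProfinetRateMonitor:
    """Alert once when a single source exceeds max_frames Profinet frames per window."""

    def __init__(self, window_s: float = 1.0, max_frames: int = 200):
        self.window_s = window_s
        self.max_frames = max_frames          # placeholder threshold; tune per plant baseline
        self._recent = defaultdict(deque)     # src_mac -> timestamps inside the window
        self._alerted = set()                 # sources currently above threshold
        self.alerts = []                      # (timestamp, src_mac, frames_in_window)

    def observe(self, ts: float, frame: bytes):
        parsed = parse_ethernet(frame)
        if parsed is None:
            return None
        src, _dst, ethertype = parsed
        if ethertype != ETHERTYPE_PROFINET:
            return None                        # only Profinet traffic is rate-checked
        q = self._recent[src]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()                        # drop timestamps that fell out of the window
        if len(q) > self.max_frames:
            if src in self._alerted:
                return None                    # already alerted for this burst
            self._alerted.add(src)
            alert = (ts, src, len(q))
            self.alerts.append(alert)
            return alert
        self._alerted.discard(src)             # rate fell back below threshold; re-arm
        return None


def _mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def build_frame(src: str, dst: str, ethertype: int, payload: bytes, vlan_prio=None) -> bytes:
    """Build a constructed Ethernet II frame, optionally 802.1Q tagged (VID 0)."""
    header = _mac(dst) + _mac(src)
    if vlan_prio is not None:
        header += struct.pack("!HH", ETHERTYPE_VLAN, (vlan_prio << 13) | 0)
    return header + struct.pack("!H", ethertype) + payload


def run_demo():
    """Feed a normal controller, some IPv4 noise and one flooding station through the monitor."""
    monitor = ProfinetRateMonitor(window_s=1.0, max_frames=200)
    payload = b"\x00" * 40                     # constructed filler, not a real Profinet PDU
    # Normal cyclic traffic: 10 frames per second from the controller.
    for i in range(10):
        monitor.observe(i * 0.1, build_frame(CONTROLLER_MAC, IO_DEVICE_MAC,
                                             ETHERTYPE_PROFINET, payload, vlan_prio=6))
    # Unrelated IPv4 traffic is ignored by the monitor entirely.
    monitor.observe(0.5, build_frame(CONTROLLER_MAC, IO_DEVICE_MAC, 0x0800, payload))
    # A misconfigured or hostile station emitting 500 frames within half a second.
    for i in range(500):
        monitor.observe(1.0 + i * 0.001, build_frame(FLOOD_MAC, IO_DEVICE_MAC,
                                                     ETHERTYPE_PROFINET, payload, vlan_prio=6))
    return monitor


if __name__ == "__main__":
    for ts, src, n in run_demo().alerts:
        print(f"ALERT t={ts:.3f}s src={src} profinet_frames_in_window={n}")
```

The monitor alerts once per burst and re-arms when the source drops back under the threshold, so a single misbehaving station produces one actionable event instead of hundreds. In practice the baseline rate of cyclic Profinet RT traffic per station is known from the engineering configuration, which makes a per-source threshold far more meaningful here than it would be on a general-purpose network.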

Siemens is just the tip of the iceberg

The vulnerability was not found in the Profinet stack specification itself, but in individual vendors’ implementations of it, in this case Siemens’. The problem is NOT restricted to Siemens alone and can be found in other vendors’ systems as well: the same class of vulnerability [CVE-2019-19707] was also found in Moxa’s EDS-G508E, EDS-G512E and EDS-G516E Series Ethernet switches.

Mitigation

Siemens has developed a patch to address the vulnerability. Users are advised to follow Siemens’ instructions and to confirm that their systems have been updated to the latest security patch.