2020-12-03 Denial of Service vulnerability in PROFINET IO Device

TitleDenial of Service vulnerability in PROFINET IO Device
ReporterInternal
Hilscher Ticket

AffectsHilscher PROFINET IO Device prior V3.14.0.7
Not affected-
ImpactDenial-Of-Service
CVSS7.5
Severity

HIGH

Last modified

 


Vulnerability Description

Short Decription

A Denial of Service vulnerability in Hilscher PROFINET IO Device V3 based solutions may lead to unexpected loss of cyclic communication or interruption of acyclic communication.

Detailed Description

When handling Read Implicit Request services, depending on the content of the request, the Hilscher PROFINET IO Device V3 protocol stack does not properly limit available resources. This may lead to shortage of resources which in the end may lead to described ímpact.

Vulnerability Severity

CVSS v3 Base Score7.5
CVSS v3 Temporal Score7.5
CVSS v3 VectorCVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS v3 Link:https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Impact / Implications

The impact of the vulnerability on the affected device is that it

  • can no longer perform acyclic requests
  • may drop all established cyclic connections
  • may disappear completely from the network

Corrective Action or Resolution

Affected users should upgrade to the hotfix version  PROFINET IO-Device V3.14.0.7  or newer.

Workaround

There is no workaround. However, using cell protection mechanisms and ensuring that no untrusted entity is connected to the network may reduce the risk of occurrence.


Disclaimer

The security advisory and information contained herein, are provided on an "as is" basis and do not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. The information in this advisory should not be construed as a commitment by Hilscher. In no event shall Hilscher be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, nor shall Hilscher be liable for incidental or consequential damages arising from use of any software or hardware described in this advisory.
Hilscher provides no warranty, express or implied, for the information contained in this document, and assumes no responsibility for the information contained in this document or for any errors that may appear in this document. Your use of the advisory and information contained herein, or materials linked from the advisory, is at your own risk.  Information in this advisory and any related communications is based on our knowledge at the time of publication and is subject to change without notice. Hilscher reserves the right to change or update advisories at any time.