2020-12-03 Denial of Service vulnerability in PROFINET IO Device
Benjamin Meyer
Maher Azarkan
| Title | Denial of Service vulnerability in PROFINET IO Device |
|---|---|
| Reporter | Internal |
| Hilscher Ticket |
|
| Affects | Hilscher PROFINET IO Device prior V3.14.0.7 |
| Not affected | - |
| Impact | Denial-Of-Service |
| CVSS | 7.5 |
| Severity | HIGH |
| Last modified | Â |
Vulnerability Description
Short Decription
A Denial of Service vulnerability in Hilscher PROFINET IO Device V3 based solutions may lead to unexpected loss of cyclic communication or interruption of acyclic communication.
Detailed Description
When handling Read Implicit Request services, depending on the content of the request, the Hilscher PROFINET IO Device V3 protocol stack does not properly limit available resources. This may lead to shortage of resources which in the end may lead to described Ãmpact.
Vulnerability Severity
| CVSS v3 Base Score | 7.5 |
| CVSS v3 Temporal Score | 7.5 |
| CVSS v3 Vector | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVSS v3 Link: | https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
Impact / Implications
The impact of the vulnerability on the affected device is that it
- can no longer perform acyclic requests
- may drop all established cyclic connections
- may disappear completely from the network
Corrective Action or Resolution
Affected users should upgrade to the hotfix version PROFINET IO-Device V3.14.0.7 or newer.
Workaround
There is no workaround. However, using cell protection mechanisms and ensuring that no untrusted entity is connected to the network may reduce the risk of occurrence.
Disclaimer
The security advisory and information contained herein, are provided on an "as is" basis and do not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. The information in this advisory should not be construed as a commitment by Hilscher. In no event shall Hilscher be liable for direct, indirect, special, incidental or consequential damages of any nature or kind arising from the use of this document, nor shall Hilscher be liable for incidental or consequential damages arising from use of any software or hardware described in this advisory.
Hilscher provides no warranty, express or implied, for the information contained in this document, and assumes no responsibility for the information contained in this document or for any errors that may appear in this document. Your use of the advisory and information contained herein, or materials linked from the advisory, is at your own risk. Information in this advisory and any related communications is based on our knowledge at the time of publication and is subject to change without notice. Hilscher reserves the right to change or update advisories at any time.