CVE-2020-28400
📋 TL;DR
This vulnerability allows unauthenticated attackers to cause denial of service by flooding affected Siemens devices with DCP reset packets. The attack disrupts device functionality without requiring authentication. Siemens industrial devices running specific firmware versions are affected.
💻 Affected Systems
- Siemens SCALANCE XB-200, XC-200, XP-200, XR-300WG, XR-500 series switches
📦 What is this software?
- DK Standard Ethernet Controller Evaluation Kit Firmware by Siemens
- EK-ERTEC 200 Evaluation Kit Firmware by Siemens
- EK-ERTEC 200P Evaluation Kit Firmware by Siemens
- SCALANCE X201-3P IRT PRO Firmware by Siemens
- SCALANCE X202-2P IRT PRO Firmware by Siemens
- SCALANCE XF204-2BA IRT Firmware by Siemens
- SCALANCE XR324-4M PoE TS Firmware by Siemens
- SIMATIC IE/PB Link V3 Firmware by Siemens
- SIMATIC Power Line Booster PLB Firmware by Siemens
- SIMATIC PROFINET Driver Firmware by Siemens
- SIMOCODE pro V EtherNet/IP Firmware by Siemens
- SIMOCODE pro V PROFINET Firmware by Siemens
⚠️ Risk & Real-World Impact
Worst Case
Complete device unavailability leading to industrial process disruption, production downtime, and potential safety implications in critical infrastructure environments.
Likely Case
Temporary service disruption requiring device reboot, causing operational delays and potential data loss in industrial control systems.
If Mitigated
Minimal impact with proper network segmentation and rate limiting in place, potentially causing only brief service interruptions.
🎯 Exploit Status
Simple packet flooding attack requiring no authentication or special tools beyond network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V4.1 or later
Vendor Advisory: https://cert-portal.siemens.com/productcert/html/ssa-599968.html
Restart Required: Yes
Instructions:
1. Download firmware V4.1 or later from the Siemens support portal.
2. Back up the device configuration.
3. Upload the new firmware via the web interface or CLI.
4. Reboot the device.
5. Restore the configuration if needed.
🔧 Temporary Workarounds
- Network segmentation: isolate affected devices in separate VLANs with strict access controls
- Rate limiting DCP traffic: configure network devices to limit DCP packet rates to prevent flooding
🧯 If You Can't Patch
- Implement strict network access controls to limit who can send DCP packets to affected devices
- Deploy intrusion prevention systems to detect and block DCP packet flooding patterns
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via web interface (System > Device Information) or CLI (show version)
Check Version:
show version (CLI) or check System > Device Information (web)
Verify Fix Applied:
Confirm firmware version is V4.1 or higher and test DCP packet handling
📡 Detection & Monitoring
Log Indicators:
- High volume of DCP reset packets in network logs
- Device reboot events without clear cause
- PROFINET communication failures
Network Indicators:
- Unusual spike in DCP traffic to industrial devices
- Repeated DCP reset packets from single source
SIEM Query:
source_ip:* AND protocol:PROFINET AND packet_type:DCP AND count > 1000 per minute
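The SIEM query above is a pseudo-query; the following is an added example (not from the Siemens or CISA advisories) of the same per-source rate heuristic implemented over a constructed log format. The log line layout, the MAC addresses and the option name `ResetToFactory` are assumptions for the example; a real SCALANCE syslog export or PROFINET capture will need its own parser. It counts DCP reset requests per source MAC in a sliding one-minute window and flags any source that exceeds the page's threshold of 1000 per minute, while ignoring a single reset (normal commissioning) and ordinary DCP Identify traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log line format (an assumption for this example; real SCALANCE or
# PROFINET capture exports will look different):
#   <ISO-8601 timestamp> src=<MAC> proto=PROFINET-DCP service=<Set|Get|Identify> option=<name>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) proto=PROFINET-DCP "
    r"service=(?P<service>\S+) option=(?P<option>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed DCP log line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_dcp_reset(rec):
    # A DCP reset is a 'Set' request carrying the reset-to-factory option
    # (option name is an assumed label for this example).
    return rec["service"] == "Set" and rec["option"] == "ResetToFactory"


def find_dcp_reset_floods(lines, threshold=1000, window=timedelta(minutes=1)):
    """Sliding-window count of DCP reset requests per source MAC.

    Returns {src_mac: peak_count_in_any_window} for sources whose count in
    some window of length `window` exceeds `threshold` (the page's
    'count > 1000 per minute' heuristic). Malformed lines are skipped.
    """
    recent = defaultdict(deque)  # src -> timestamps of resets in the current window
    peak = defaultdict(int)      # src -> largest window count seen
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_dcp_reset(rec):
            continue
        q = recent[rec["src"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:
            q.popleft()
        peak[rec["src"]] = max(peak[rec["src"]], len(q))
    return {src: n for src, n in peak.items() if n > threshold}


def build_sample_log():
    """Constructed sample: one source sends 1200 resets within a minute (a flood),
    another sends a single reset (normal commissioning), plus Identify traffic
    and one malformed line."""
    base = datetime(2021, 7, 13, 10, 0, 0)
    lines = []
    for i in range(1200):
        ts = base + timedelta(milliseconds=50 * i)  # 1200 resets spread over ~60 s
        lines.append(f"{ts.isoformat()} src=00:1b:1b:aa:bb:01 proto=PROFINET-DCP "
                     f"service=Set option=ResetToFactory")
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} src=00:1b:1b:cc:dd:02 "
                 f"proto=PROFINET-DCP service=Set option=ResetToFactory")
    for i in range(3):
        ts = base + timedelta(seconds=10 * i)
        lines.append(f"{ts.isoformat()} src=00:1b:1b:ee:ff:03 proto=PROFINET-DCP "
                     f"service=Identify option=All")
    lines.append("garbage line that should be ignored")
    return lines


if __name__ == "__main__":
    for src, n in find_dcp_reset_floods(build_sample_log()).items():
        print(f"ALERT: {src} sent {n} DCP reset requests within one minute")
```

The window is tracked per source, so one engineering workstation issuing a single legitimate reset is never confused with a flooding host; tune `threshold` to the normal DCP volume of your plant network before deploying the rule.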
🔗 References
- https://cert-portal.siemens.com/productcert/html/ssa-599968.html
- https://cert-portal.siemens.com/productcert/pdf/ssa-599968.pdf
- https://us-cert.cisa.gov/ics/advisories/icsa-21-194-03