The Discovery and Basic Configuration Protocol (DCP) is widely used in the industrial context. The protocol specification describes several functions that are intended for special operational cases such as the initial setup or reset of a component. As DCP was not designed as a security protocol, it could be abused by an attacker to affect the availability of affected products. The protocol is also used in PROFINET communication in case no security class configuration is used.
This bulletin describes the same behavior that is described in the PROFINET Security Advisory PISA-001 by the PI Organization.
Affected products are all PROFINET products that do not comply with PROFINET Security Class 1, as well as products that can be operated in a PROFINET network or that support configuration using DCP.
When DCP is activated, attackers could configure the connected components according to the specification. However, attacks are only possible from the local network as DCP is a layer 2 protocol and therefore not routable. An attacker could perform the following actions:
A successful attack could thus create a denial of service condition by changing the parameters of a component.
Siemens recommends that customers implement the following mitigations where applicable:
Where it is not possible to deactivate the usage of DCP, ensure a strict access policy to your network.
Details on how to disable the protocol or configure the PROFINET Security Class can be found in the dedicated manual of your components.
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
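Where DCP has to stay enabled, the access policy can be monitored by flagging DCP Set requests whose source MAC is not an authorized engineering station. The following is an added example, not part of the Siemens bulletin: the EtherType, FrameID, service and option values come from the PROFINET DCP frame layout rather than from this page, and the MAC addresses and the sample frame are constructed.

```python
import struct

ETH_P_8021Q = 0x8100          # VLAN tag that may precede the EtherType
ETH_P_PROFINET = 0x8892       # PROFINET EtherType
FRAME_ID_DCP_GETSET = 0xFEFD  # DCP Get/Set (unicast)
SERVICE_ID_SET = 0x04
SERVICE_TYPE_REQUEST = 0x00
# (option, suboption) of the DCP blocks that change device configuration
BLOCKS = {(1, 2): "IP/IPParameter", (2, 2): "Device/NameOfStation",
          (5, 3): "Control/Signal", (5, 5): "Control/FactoryReset",
          (5, 6): "Control/ResetToFactory"}

def mac(raw):
    return ":".join(f"{b:02x}" for b in raw)

def dcp_set_alert(frame, allowed_macs):
    """Return an alert dict for a DCP Set request from a MAC outside
    allowed_macs (lowercase, colon-separated); otherwise return None."""
    if len(frame) < 14:
        return None
    off = 12
    (etype,) = struct.unpack_from("!H", frame, off)
    if etype == ETH_P_8021Q:              # skip one 802.1Q tag
        if len(frame) < 18:
            return None
        off += 4
        (etype,) = struct.unpack_from("!H", frame, off)
    off += 2
    if etype != ETH_P_PROFINET or len(frame) < off + 12:
        return None
    frame_id, service_id, service_type, xid, _reserved, data_len = \
        struct.unpack_from("!HBBIHH", frame, off)
    if (frame_id, service_id, service_type & 0x03) != (
            FRAME_ID_DCP_GETSET, SERVICE_ID_SET, SERVICE_TYPE_REQUEST):
        return None
    src = mac(frame[6:12])
    if src in allowed_macs:
        return None
    off += 12
    end = min(len(frame), off + data_len)
    blocks = []
    while off + 4 <= end:                 # option, suboption, block length
        opt, sub, blen = struct.unpack_from("!BBH", frame, off)
        blocks.append(BLOCKS.get((opt, sub), f"option {opt}/{sub}"))
        off += 4 + blen + (blen & 1)      # blocks are padded to even length
    return {"src": src, "dst": mac(frame[0:6]), "xid": xid, "blocks": blocks}

def sample_frame(src=b"\x02\x00\x00\x00\x00\x01"):
    """Constructed test vector: DCP Set request carrying one Control/Signal block."""
    dcp = struct.pack("!HBBIHH", FRAME_ID_DCP_GETSET, SERVICE_ID_SET, 0, 0x1234, 0, 8)
    block = struct.pack("!BBHHH", 5, 3, 4, 0, 0x0100)
    return b"\x02\x00\x00\x00\x00\x02" + src + struct.pack("!H", ETH_P_PROFINET) + dcp + block
```

Feed it raw Ethernet frames from a mirror port or a pcap of the PROFINET segment; since DCP is not routable, the sensor has to sit on the same layer 2 network as the devices.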