CVE-2017-12235 — Cisco IOS Software for Cisco Industrial Ethernet Switches PROFINET Denial-of-Service Vulnerability


Cisco IOS Industrial Ethernet Switches — PROFINET PN-DCP Flaw Enables Unauthenticated Remote DoS; ICS/OT Manufacturing Risk; September 2017 Advisory Bundle

What Is Cisco IOS and PROFINET?

Cisco IOS runs on Cisco Industrial Ethernet switches — hardened switches designed for factory floor and process control environments. PROFINET (Process Field Net) is a real-time industrial Ethernet standard widely used in European and global manufacturing for automation systems, PLCs, and robotics. PROFINET Discovery and Configuration Protocol (PN-DCP) is used for device discovery and configuration in PROFINET networks. Cisco Industrial Ethernet switches support PROFINET/PN-DCP to interoperate with PROFINET-connected automation equipment. Vulnerabilities in this implementation are directly relevant to manufacturing and process control environments where Cisco Industrial Ethernet switches manage factory floor communications.

Overview

Actively Exploited. This vulnerability was added to CISA's Known Exploited Vulnerabilities (KEV) Catalog on March 3, 2022. Federal agencies are required to apply mitigations per BOD 22-01.

CVE-2017-12235 is a denial-of-service vulnerability in the PROFINET Discovery and Configuration Protocol (PN-DCP) implementation in Cisco IOS for Industrial Ethernet switches. An unauthenticated remote attacker can send specially crafted PN-DCP packets to cause an affected switch to reload, disrupting all PROFINET and Ethernet communications on the industrial network segment. Cisco patched the flaw in its September 2017 advisory bundle. The impact on factory floor and process control environments makes this vulnerability particularly significant in OT contexts. CISA added CVE-2017-12235 to the KEV catalog in March 2022.

Affected Versions

Cisco Industrial Ethernet switches (IE 2000, IE 3000, IE 4000, IE 5000 series and similar) running affected Cisco IOS versions with PROFINET enabled. Use cisco-sa-20170929-profinet and the Cisco IOS Software Checker for specific version identification.

Technical Details

Root Cause: PROFINET PN-DCP Input Validation Flaw

CVE-2017-12235 is an improper input validation vulnerability (CWE-20) in the Cisco IOS PROFINET PN-DCP parser. When the affected switch receives a malformed PN-DCP packet, the improper validation allows the packet to trigger a device reload. PN-DCP operates at Layer 2 (Ethernet), though the CVSS AV:N rating reflects that the vulnerability may be exploitable via Layer 3 in certain PROFINET routing configurations.

Manufacturing impact:

  • Switch reload causes all PROFINET device communications to drop momentarily
  • PLC-to-drive, PLC-to-robot, and PLC-to-HMI communications are disrupted
  • Safety systems may trip on loss of communication with process controllers
  • Production line stoppage can result in significant financial and operational impact

Attack Characteristics

| Attribute | Detail |
|---|---|
| Attack Vector | Network — PROFINET PN-DCP packets |
| Protocol | PROFINET/PN-DCP (industrial Ethernet) |
| Target Hardware | Cisco Industrial Ethernet switches |
| Impact | Switch reload → factory floor disruption |

Exploitation Context

  • ICS/OT targeting by nation-states: The KEV addition reflects CISA's concern about nation-state actors (particularly Russian state-sponsored groups like Dragonfly) targeting industrial control system infrastructure; PROFINET-specific vulnerabilities are particularly relevant for manufacturing and process control environments that are priority targets for destructive attacks
  • Wiperware and disruptive attack precursors: DoS vulnerabilities in industrial network equipment can serve as precursors or components of disruptive attacks — rebooting a factory floor switch while executing additional payloads on OT systems amplifies the impact of industrial sabotage campaigns

Remediation

CISA BOD 22-01 Deadline: March 24, 2022. Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.

  1. Apply Cisco IOS security update — upgrade affected Cisco Industrial Ethernet switches to IOS versions identified in cisco-sa-20170929-profinet.

  2. Disable PROFINET if not required — if the industrial Ethernet switch does not need PROFINET support, disable the PN-DCP feature.

  3. Segment industrial networks — implement strict network boundaries between IT and OT zones; restrict which systems can send PROFINET traffic to industrial switches.

  4. Apply Layer 2 port security — configure MAC address filtering and 802.1X authentication on factory floor switch ports to restrict which devices can send PN-DCP traffic.
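
A passive monitoring check that supports steps 3 and 4, as an added example (not from this page or from Cisco): it parses captured Ethernet frames, picks out PN-DCP by EtherType 0x8892 and FrameID 0xFEFC to 0xFEFF, and reports senders outside an allowlist and frames whose declared DCP data length exceeds the bytes present. The allowlisted MAC, the sample frames and the function names are constructed for illustration, and the length check is generic input validation, not a signature for this CVE's trigger, which the page does not describe.

```python
import struct

PROFINET_ETHERTYPE = 0x8892            # PROFINET real-time EtherType
VLAN_ETHERTYPE = 0x8100                # 802.1Q tag
DCP_FRAME_IDS = range(0xFEFC, 0xFF00)  # Hello, Get/Set, Identify request/response
DCP_HEADER_LEN = 10  # ServiceID, ServiceType, Xid(4), ResponseDelay(2), DCPDataLength(2)

def inspect_frame(frame, allowed_src):
    """Return a list of findings for one Ethernet frame (empty = nothing to report)."""
    if len(frame) < 14:
        return []
    src = frame[6:12].hex(":")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14
    if ethertype == VLAN_ETHERTYPE and len(frame) >= 18:  # skip one 802.1Q tag
        (ethertype,) = struct.unpack_from("!H", frame, 16)
        offset = 18
    if ethertype != PROFINET_ETHERTYPE or len(frame) < offset + 2:
        return []
    (frame_id,) = struct.unpack_from("!H", frame, offset)
    if frame_id not in DCP_FRAME_IDS:
        return []  # other PROFINET real-time traffic, not DCP
    findings = []
    if src not in allowed_src:
        findings.append(f"PN-DCP from unapproved source {src}")
    body = frame[offset + 2:]
    if len(body) < DCP_HEADER_LEN:
        return findings + [f"truncated PN-DCP header from {src}"]
    (declared,) = struct.unpack_from("!H", body, 8)
    available = len(body) - DCP_HEADER_LEN
    if declared > available:  # Ethernet padding may legitimately make available > declared
        findings.append(f"PN-DCP declares {declared} data bytes, {available} present ({src})")
    return findings

def sample_frame(src, declared, blocks):
    """Constructed Identify request; values are illustrative, not captured traffic."""
    eth = bytes.fromhex("010ecf000000" + src.replace(":", "")) + struct.pack("!H", 0x8892)
    return eth + struct.pack("!HBBIHH", 0xFEFE, 5, 0, 1, 1, declared) + blocks

ALLOWED = {"00:1b:1b:aa:bb:cc"}  # hypothetical engineering-station MAC
if __name__ == "__main__":
    for src, n in [("00:1b:1b:aa:bb:cc", 4), ("02:00:00:12:34:56", 4), ("00:1b:1b:aa:bb:cc", 64)]:
        print(src, n, inspect_frame(sample_frame(src, n, b"\xff\xff\x00\x00"), ALLOWED))
```

Feed it frames from a SPAN port or a pcap reader on the OT segment; findings from unapproved sources point at ports where the port-security controls in step 4 are missing.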

Key Details

| Property | Value |
|---|---|
| CVE ID | CVE-2017-12235 |
| Vendor / Product | Cisco — IOS software |
| NVD Published | 2017-09-29 |
| NVD Last Modified | 2026-01-12 |
| CVSS 3.1 Score | 7.5 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Severity | HIGH |
| CWE | CWE-20 — Improper Input Validation |
| CISA KEV Added | 2022-03-03 |
| CISA KEV Deadline | 2022-03-24 |
| Known Ransomware Use | No |

CVSS 3.1 Breakdown

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: None
  • Integrity: None
  • Availability: High

Required Action

CISA BOD 22-01 Deadline: 2022-03-24. Apply updates per vendor instructions.

Timeline

| Date | Event |
|---|---|
| 2017-09-27 | Cisco releases September 2017 security advisory bundle patching CVE-2017-12235 |
| 2017-09-29 | CVE-2017-12235 published by NVD |
| 2022-03-03 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2022-03-24 | CISA BOD 22-01 remediation deadline |

References

| Resource | Type |
|---|---|
| NVD — CVE-2017-12235 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |
| Cisco Security Advisory cisco-sa-20170929-profinet | Vendor Advisory |