Siemens released updates for some affected products and has countermeasures for others in an effort to handle an improper input validation vulnerability in its EN100 Ethernet Communication Module and SIPROTEC 5 Relays, according to a report with NCCIC.
The EN100 Ethernet communication module and SIPROTEC 5 relays are affected by a remotely exploitable vulnerability that could allow an attacker to conduct a denial-of-service attack over the network. Lars Lengersdorf from Amprion GmbH discovered the vulnerability.
The vulnerability affects the following versions of the EN100 Ethernet Communication Module and SIPROTEC 5 relays:
• Firmware variant IEC 61850 for EN100 Ethernet module: All versions prior to v4.35
• Firmware variant MODBUS TCP for EN100 Ethernet module: All versions
• Firmware variant DNP3 TCP for EN100 Ethernet module: All versions
• Firmware variant IEC104 for EN100 Ethernet module: All versions
• Firmware variant Profinet IO for EN100 Ethernet module: All versions
• SIPROTEC 5 relays with CPU variants CP300 and CP100 and the respective Ethernet communication modules: All versions prior to v7.82
• SIPROTEC 5 relays with CPU variants CP200 and the respective Ethernet communication modules: All versions prior to v7.58
In the vulnerability, specially crafted packets to Port 102/TCP could cause a denial-of-service condition in the affected products. A manual restart is required to recover the EN100 module functionality of the affected devices.
Successful exploitation requires an attacker with network access to send multiple packets to the affected products or modules. As a precondition, the IEC 61850-MMS communication needs to be activated on the affected products or modules. No user interaction or privileges are required to exploit the vulnerability. The vulnerability could allow a denial-of-service condition of the network functionality of the device, compromising the availability of the system.
CVE-2018-16563 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
The product sees use mainly in the energy sector. It also sees action on a global basis.
No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.
Siemens released updates for some affected products. Siemens is working on updates for the remaining affected products, and recommends specific countermeasures until fixes are available.
• Firmware variant IEC 61850 for EN100 Ethernet module: Update to v4.35
• SIPROTEC 5 relays with CPU variants CP300 and CP100 and the respective Ethernet communication modules: Update to firmware version v7.82 for the device types listed in SSA-104088
• SIPROTEC 5 relays with CPU variants CP200 and the respective Ethernet communication modules: Update to firmware version v7.58 for the device types listed in SSA-104088
The firmware version for the communications modules can also be found on each device’s download page. Applying the update causes the device module to undergo a single restart cycle.
Until updates can be applied, Siemens recommends blocking access to Port 102/TCP with an external firewall.
Siemens recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens recommends prior validation of any security update before application, and supervision by trained staff of the update process in the target environment.
As a general security measure Siemens recommends protecting network access with appropriate mechanisms (e.g., firewalls, segmentation, VPN). Users are advised to configure the environment according to Siemens’ operational guidelines in order to run the devices in a protected IT environment.
Click here for Siemens recommended security guidelines to secure substations.
Click here for additional information on industrial security by Siemens.
For more information on this vulnerability and associated software updates, see Siemens security advisory SSA-104088.