
Siemens has released updates for multiple vulnerabilities in the embedded VxWorks operating system of its SIPROTEC 5 Ethernet plug-in communication modules and devices, according to a report from Siemens ProductCERT.

The SIPROTEC 5 Ethernet plug-in communication modules and devices are affected by multiple security vulnerabilities. These vulnerabilities could allow an attacker to execute arbitrary code. SIPROTEC 5 devices provide a range of integrated protection, control, measurement, and automation functions for electrical substations and other fields of application.

Eleven of these vulnerabilities affect the underlying Wind River VxWorks network stack just patched by Wind River. One further vulnerability affects the boot process of the device under certain conditions.

Siemens released updates for all vulnerabilities in some products, is working on updates for the remaining affected products, and recommends specific countermeasures until fixes are available.

Cyber Security

In one vulnerability, by sending specially crafted TCP packets with a manipulated TCP Urgent Pointer to a device, an attacker could potentially execute arbitrary code. Network access is required to conduct this attack, but neither authentication nor user interaction.

The issue has a case number of CVE-2019-12255 and it is assigned a CVSS v3.0 base score of 9.8.

In addition, by sending IPv4 packets with specially crafted IP options to a device, an attacker could potentially execute arbitrary code. Network access is required to conduct this attack, but neither authentication nor user interaction.

The issue has a case number of CVE-2019-12256 and it is assigned a CVSS v3.0 base score of 9.8.

Also, by sending specially crafted DHCP packets to a device, an attacker could potentially execute arbitrary code. Adjacent network access is required to conduct this attack, but neither authentication nor user interaction.

The issue has a case number of CVE-2019-12257 and it is assigned a CVSS v3.0 base score of 8.8.

More Vulnerabilities
In addition, by sending TCP packets with specially crafted TCP options to a device, an attacker could potentially trigger a Denial-of-Service (DoS) condition. Network access is required to conduct this attack, but neither authentication nor user interaction.

The issue has a case number of CVE-2019-12258 and it is assigned a CVSS v3.0 base score of 7.5.

In another issue, by sending specially crafted IGMP packets to a device, an attacker could potentially trigger a Denial-of-Service (DoS) condition. Network access is required to conduct this attack, but neither authentication nor user interaction.

The issue has a case number of CVE-2019-12259 and it is assigned a CVSS v3.0 base score of 7.5.

Also, by sending specially crafted TCP packets with a manipulated TCP Urgent Pointer to a device, an attacker could potentially execute arbitrary code. Network access is required to conduct this attack, but neither authentication nor user interaction.

The issue has a case number of CVE-2019-12260 and it is assigned a CVSS v3.0 base score of 9.8.

In addition, while connecting to a remote host, specially crafted TCP packets with a manipulated TCP Urgent Pointer could potentially cause the execution of arbitrary code on the device. It is required that the affected device connects to a malicious system to conduct this attack.

The issue has a case number of CVE-2019-12261 and it is assigned a CVSS v3.0 base score of 8.8.

Also, by sending unsolicited reverse ARP packets to a device, an attacker may be able to affect the availability and integrity of the device. Adjacent network access is required to conduct this attack, but neither authentication nor user interaction.

The issue has a case number of CVE-2019-12262 and it is assigned a CVSS v3.0 base score of 7.1.

In another issue, by sending specially crafted TCP packets with a manipulated TCP Urgent Pointer to a device, an attacker could potentially trigger a race condition and potentially execute arbitrary code. Network access is required to conduct this attack, but neither authentication nor user interaction.

The issue has a case number of CVE-2019-12263 and it is assigned a CVSS v3.0 base score of 8.1.

In addition, by sending specially crafted DHCP packets to a device, an attacker may be able to affect the availability and integrity of the device. Adjacent network access is required to conduct this attack, but neither authentication nor user interaction.

The issue has a case number of CVE-2019-12264 and it is assigned a CVSS v3.0 base score of 7.1.

Also, by sending specially crafted IGMPv3 packets to a device, an attacker may be able to obtain a limited amount of data from the device. Network access is required to conduct this attack, but neither authentication nor user interaction.

The issue has a case number of CVE-2019-12265 and it is assigned a CVSS v3.0 base score of 5.3.

In addition, an unauthenticated attacker with network access to the device could potentially insert arbitrary code which is executed before firmware verification in the device.

The issue has a case number of CVE-2019-10938 and it has a CVSS v3.0 base score of 9.8.

Fixes to Products
No public exploitation of these security vulnerabilities is ongoing, Siemens said. The following are the affected products and the corresponding solutions:

• Ethernet plug-in communication modules for SIPROTEC 5 devices with CPU variants CP300 and CP100: all versions below V7.91 are affected. CVE-2019-12255 and CVE-2019-12265 apply here. Users should update to communication protocols firmware version V7.91. Applying the update causes the device or module to go through a single restart cycle.

• Ethernet plug-in communication modules for SIPROTEC 5 devices with CPU variant CP200: all versions are affected. For remediation, see the recommendations under Workarounds below.

• SIPROTEC 5 devices with CPU variant CP300, and SIPROTEC 5 devices with CPU variant CP200: all versions are affected. For remediation, see the recommendations under Workarounds below.

Workarounds
Siemens identified the following specific workarounds and mitigations customers can apply to reduce the risk:

Use a firewall to block traffic with the "TCP Urgent Pointer" set to mitigate CVE-2019-12255, CVE-2019-12260, CVE-2019-12261, and CVE-2019-12263.

Use a firewall to block traffic with the IP options SSRR (Strict Source and Record Route) or LSRR (Loose Source and Record Route) to mitigate CVE-2019-12256.

Use a firewall to block traffic with destination port 443/TCP or activate the role-based access control feature or the connection password feature in the device to mitigate CVE-2019-10938.
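As an added, defender-side illustration of the three filtering criteria above (not code from Siemens or from the original article), the following Python parses raw IPv4 and TCP headers and reports which of the firewall workarounds a packet would match; the sample packets are constructed inline, and the label names and the packet builder are assumptions of this example.

```python
import struct

IPPROTO_TCP = 6
OPT_EOL, OPT_NOP = 0, 1          # single-byte IPv4 options (RFC 791)
OPT_LSRR, OPT_SSRR = 131, 137    # Loose / Strict Source and Record Route
TCP_URG = 0x20                   # URG bit in the TCP flags byte

def ip_options(raw):
    """Return the option type bytes present in an IPv4 header."""
    ihl = (raw[0] & 0x0F) * 4
    opts, i, types = raw[20:ihl], 0, []
    while i < len(opts):
        t = opts[i]
        if t == OPT_EOL:
            break
        types.append(t)
        if t == OPT_NOP:
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2:           # malformed option: stop rather than loop
            break
        i += length
    return types

def classify(raw):
    """Return the set of Siemens firewall workarounds one raw IPv4 packet matches."""
    hits, ihl = set(), (raw[0] & 0x0F) * 4
    if any(t in (OPT_LSRR, OPT_SSRR) for t in ip_options(raw)):
        hits.add("block-ip-source-route")        # CVE-2019-12256 workaround
    if raw[9] == IPPROTO_TCP and len(raw) >= ihl + 20:
        tcp = raw[ihl:ihl + 20]
        dport = struct.unpack("!H", tcp[2:4])[0]
        flags, urgp = tcp[13], struct.unpack("!H", tcp[18:20])[0]
        if flags & TCP_URG or urgp:
            hits.add("block-tcp-urgent")         # CVE-2019-12255/12260/12261/12263
        if dport == 443:
            hits.add("block-tcp-443")            # CVE-2019-10938 workaround
    return hits

def build_packet(dport=20000, flags=0x02, urgp=0, options=b""):
    """Constructed sample IPv4+TCP header (checksums left zero; for labelling only)."""
    opts = options + b"\x00" * (-len(options) % 4)   # pad options to a 32-bit boundary
    ihl = 5 + len(opts) // 4
    tcp = struct.pack("!HHIIBBHHH", 50000, dport, 0, 0, 5 << 4, flags, 8192, 0, urgp)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(tcp), 0, 0,
                     64, IPPROTO_TCP, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + opts + tcp
```

A plain SYN to an unrelated port yields no label, while an LSRR option (type 131), a set URG flag or urgent pointer, or destination port 443 each yield the corresponding label.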

To resolve CVE-2019-10938 for the SIPROTEC 5 CP300 and CP100 CPU variants, update to firmware version V7.90, update DIGSI 5 to V7.90, and activate the client authorization feature. Applying the update causes the device or module to go through a single restart cycle.

Operators of critical power systems worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid’s reliability can thus be minimized by virtue of the grid design.

Siemens recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used.
Siemens recommends prior validation of any security update before being applied.

Siemens also publishes recommended security guidelines for securing substations.

For further inquiries on security vulnerabilities in Siemens products and solutions, contact Siemens ProductCERT.
