Siemens Clearing DoS Holes

Wednesday, July 11, 2018 @ 02:07 PM gHale

Siemens has mitigations, fixes and workarounds to handle vulnerabilities in its EN100 Ethernet communication module and SIPROTEC 5 relays, according to a report from the Siemens Product CERT.

The EN100 Ethernet communication module and SIPROTEC 5 relays are affected by security vulnerabilities that could allow an attacker to conduct a denial-of-service attack over the network.


Siemens released updates for several affected products, is working on updates for the remaining affected products, and recommends specific countermeasures until fixes are available.

The vulnerabilities were discovered by Victor Nikitin, Vladislav Suchkov, and Ilya Karpov from ScadaX.

The EN100 Ethernet modules are used for enabling process communication on either IEC 61850, PROFINET IO, Modbus TCP, DNP3 TCP or IEC 104 protocols via electrical/optical 100 Mbit interfaces on SIPROTEC 4, SIPROTEC Compact and Reyrolle devices.

SIPROTEC 5 devices provide a range of integrated protection, control, measurement, and automation functions for electrical substations and other fields of application.

In one vulnerability, specially crafted packets to port 102/tcp could cause a denial-of-service condition in the affected products. A manual restart would then be required to recover the EN100 module functionality of SIPROTEC 4 and SIPROTEC Compact relays.

Successful exploitation requires an attacker with network access to send multiple packets to the affected products or modules. As a precondition, the IEC 61850-MMS communication needs to be activated on the affected products or modules. No user interaction or privileges are required to exploit the vulnerability. The vulnerability could cause a denial-of-service condition in the network functionality of the device, compromising the availability of the system.

The vulnerability has a case number of CVE-2018-11451 and a CVSS base score of 7.5.

In another issue, specially crafted packets to port 102/tcp could cause a denial-of-service condition in the EN100 communication module if oscillographs are running. A manual restart is required to recover the EN100 module functionality.

Successful exploitation requires an attacker with network access to send multiple packets to the EN100 module. As a precondition, the IEC 61850-MMS communication needs to be activated on the affected EN100 modules. No user interaction or privileges are required to exploit the vulnerability. The vulnerability could cause a denial-of-service condition in the network functionality of the device, compromising the availability of the system.

The vulnerability has a case number of CVE-2018-11452 and a CVSS base score of 5.9.

Siemens is not aware of any exploits leveraging either vulnerability.

Siemens has identified the following specific workarounds and mitigations users can apply:
• Block access to port 102/tcp, e.g., with an external firewall.

As a general security measure, Siemens recommends protecting network access with appropriate mechanisms like firewalls, segmentation, and VPNs. It is advised to configure the environment according to operational guidelines in order to run the devices in a protected IT environment.
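As an added example (not code from Siemens or from the original report), a small detection script that applies the advisory's own facts to constructed flow-log lines: any host outside the allowlist that reaches TCP/102 on a relay is flagged, and so is any host that opens several MMS connections to one relay, since exploitation requires multiple packets. The log format, relay addresses and allowlist are assumptions.

```python
import re
from collections import Counter

# Constructed sample flow log (not real Siemens or firewall output), one new
# TCP connection per line: <time> <src>:<sport> -> <dst>:<dport> <proto>
SAMPLE_LOG = """\
2018-07-11T14:00:01 10.10.5.20:51234 -> 10.10.1.15:102 tcp
2018-07-11T14:00:02 10.10.5.20:51235 -> 10.10.1.15:102 tcp
2018-07-11T14:00:02 10.10.5.20:51236 -> 10.10.1.15:102 tcp
2018-07-11T14:00:03 10.10.5.20:51237 -> 10.10.1.16:102 tcp
2018-07-11T14:00:04 10.10.9.7:40001 -> 10.10.1.15:102 tcp
2018-07-11T14:00:05 10.10.9.7:40002 -> 10.10.1.15:502 tcp
2018-07-11T14:00:06 10.10.5.20:51238 -> 10.10.1.15:102 tcp
"""

# Assumed inventory: relay/EN100 addresses and the engineering hosts (e.g. a
# DIGSI workstation) that are expected to open IEC 61850-MMS sessions.
RELAY_IPS = {"10.10.1.15", "10.10.1.16"}
ALLOWED_CLIENTS = {"10.10.5.20"}
MMS_PORT = 102  # the port named in the advisory for IEC 61850-MMS

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+):(?P<sport>\d+) -> "
                     r"(?P<dst>[\d.]+):(?P<dport>\d+) (?P<proto>\w+)$")

def parse_flows(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            flow = m.groupdict()
            flow["dport"] = int(flow["dport"])
            yield flow

def analyze_mms_traffic(text, relay_ips, allowed_clients, burst_threshold=3):
    """Return (unexpected, bursts).
    unexpected: {src: n} for non-allowlisted sources that reached TCP/102 on a
                relay at all (the port should be blocked at the perimeter).
    bursts: {(src, dst): n} for any source, allowlisted or not, that opened at
            least burst_threshold MMS connections to one relay, since the
            advisory says exploitation needs multiple packets."""
    unexpected, per_pair = Counter(), Counter()
    for f in parse_flows(text):
        if f["proto"] != "tcp" or f["dport"] != MMS_PORT or f["dst"] not in relay_ips:
            continue  # not MMS traffic to a protected relay
        per_pair[(f["src"], f["dst"])] += 1
        if f["src"] not in allowed_clients:
            unexpected[f["src"]] += 1
    bursts = {pair: n for pair, n in per_pair.items() if n >= burst_threshold}
    return dict(unexpected), bursts
```

On the sample data the unexpected hit from 10.10.9.7 is the finding that the firewall rule from the workarounds section should have prevented; the burst from the allowlisted workstation is worth a look because exploitation needs only network access, not credentials.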

Siemens also provides recommended security guidelines for securing substations.

Fixes and mitigations are in place for the following:
• Firmware variant IEC 61850 for EN100 Ethernet module: All versions before V4.33: Update to V4.33
• All versions of firmware variant PROFINET IO for EN100 Ethernet module: See recommendations from section Workarounds and Mitigations
• All versions of firmware variant Modbus TCP for EN100 Ethernet module: See recommendations from section Workarounds and Mitigations
• All versions of firmware variant DNP3 TCP for EN100 Ethernet module: See recommendations from section Workarounds and Mitigations
• All versions of firmware variant IEC104 for EN100 Ethernet module: See recommendations from section Workarounds and Mitigations
• SIPROTEC 5 relays with CPU variants CP300 and CP100 and the respective Ethernet communication modules: All versions before V7.80, only affected by CVE-2018-11451: Update to firmware version V7.80 for the following device types: 6MD85, 6MD86, 7SS85, 7KE85, 7UM85, 7SA87, 7SD87, 7SL87, 7VK87, 7SA82, 7SA86, 7SD82, 7SD86, 7SL82, 7SL86, 7SJ86, 7SK82, 7SK85, 7SJ82, 7SJ85, 7UT82, 7UT85, 7UT86, and 7UT87. Search for “SIPROTEC 5 DIGSI Device Drivers V7.8x”. The firmware version V7.80 for the communications modules can also be found on each device specific download page: See under “Additional DIGSI Device Driver>Protocols”.
• All versions of SIPROTEC 5 relays with CPU variants CP200 and the respective Ethernet communication modules only affected by CVE-2018-11451: See recommendations from section Workarounds and Mitigations