Siemens SIPROTEC Vulnerability Update

Wednesday, July 6, 2016 @ 11:07 AM gHale


Siemens has identified information disclosure vulnerabilities in SIPROTEC 4 and SIPROTEC Compact, according to an updated report with ICS-CERT.

Aleksandr Bersenev from HackerDom team and Pavel Toporkov from Kaspersky Lab reported these vulnerabilities directly to Siemens.

Siemens released firmware updates for the EN100 Ethernet module included in SIPROTEC 4 and SIPROTEC Compact devices. Siemens also released a firmware update for SIPROTEC Compact 7SJ80 with Ethernet Service Interface on Port A. For the remaining affected devices, Siemens provides recommended countermeasures in its advisory.

These vulnerabilities are remotely exploitable.

The vulnerabilities affect the following products:
• EN100 Ethernet module included in SIPROTEC 4 and SIPROTEC Compact: EN100 version V4.26 or lower
• SIPROTEC Compact models with Ethernet Service Interface on Port A: 7SJ80, firmware version V4.75 or lower; 7SD80, 7RW80, 7SJ81 and 7SK81, all firmware versions

Exploits of these vulnerabilities could allow an attacker with network access to obtain sensitive device information.

Siemens is a multinational company headquartered in Munich, Germany.

The affected products, SIPROTEC 4 and SIPROTEC Compact devices, provide a range of integrated protection, control, measurement, and automation functions for electrical substations and other fields of application. The EN100 module enables IEC 61850 communications over an electrical/optical 100 Mbit interface for SIPROTEC 4 and SIPROTEC Compact devices. SIPROTEC devices are deployed across several sectors, including energy. Siemens said these products are used on a global basis.

The integrated web server (Port 80/TCP) of the affected devices could allow remote attackers to obtain sensitive device information if an attacker gained network access.

CVE-2016-4784 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

In addition, the integrated web server (Port 80/TCP) of the affected devices could allow remote attackers to obtain a limited amount of device memory content if an attacker gained network access. This vulnerability only affects the EN100 Ethernet module included in SIPROTEC 4 and SIPROTEC Compact devices.

CVE-2016-4785 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill and network access would be able to exploit these vulnerabilities.

Siemens provided firmware update V4.27 for the EN100 module included in SIPROTEC 4 and SIPROTEC Compact to fix the vulnerability. The firmware updates can be found at the following locations on the Siemens web site:

• SIPROTEC 4
• SIPROTEC Compact

For SIPROTEC Compact 7SJ80 with Ethernet Service Interface on Port A, Siemens provides firmware update V4.76.

An attacker must have network access to the affected devices. For the remaining affected products, Siemens recommends protecting network access with appropriate mechanisms (e.g., firewalls, segmentation, VPN). Users should configure the environment according to Siemens operational guidelines in order to run the devices in a protected IT environment. Siemens provides guidance for operating the devices only within trusted networks.
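For asset owners, the affected-version list and fixes above can be turned into an inventory check. The following Python sketch is an added example, not code from Siemens or ICS-CERT; the inventory field names, asset names and the `SIPROTEC4-PLACEHOLDER` model are assumptions, and the CVE mapping follows the article's statement that CVE-2016-4785 affects only the EN100 module.

```python
import re

# Thresholds and model names come from the advisory text above.
EN100_FIXED = (4, 27)                      # EN100 V4.26 or lower is affected
PORT_A_FIXED = {"7SJ80": (4, 76)}          # 7SJ80 V4.75 or lower is affected
PORT_A_NO_FIX = {"7SD80", "7RW80", "7SJ81", "7SK81"}  # all versions affected

def parse_version(text):
    """Turn 'V4.26' into (4, 26); return None if the string is not in that form."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)", (text or "").strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def check(component, fw, fixed, cves):
    """Compare one firmware string with its fixed release; None means not affected."""
    have = parse_version(fw)
    if have is None:
        return (component, cves, "firmware version unreadable: verify manually")
    if have < fixed:
        return (component, cves, "update to V%d.%d" % fixed)
    return None

def triage(device):
    """Return (component, CVEs, action) findings for one inventory record."""
    findings = []
    if device.get("en100_fw") is not None:   # an EN100 module is fitted
        findings.append(check("EN100", device["en100_fw"], EN100_FIXED,
                              ["CVE-2016-4784", "CVE-2016-4785"]))
    if device.get("port_a_ethernet"):
        model = device["model"]
        if model in PORT_A_NO_FIX:
            findings.append(("Port A", ["CVE-2016-4784"],
                             "no fixed firmware: restrict network access"))
        elif model in PORT_A_FIXED:
            findings.append(check("Port A", device.get("device_fw"),
                                  PORT_A_FIXED[model], ["CVE-2016-4784"]))
    return [f for f in findings if f is not None]

# Constructed inventory; asset names and field layout are hypothetical.
INVENTORY = [
    {"asset": "relay-a", "model": "7SJ80", "device_fw": "V4.75",
     "port_a_ethernet": True, "en100_fw": "V4.27"},
    {"asset": "relay-b", "model": "7SK81", "device_fw": "V4.70",
     "port_a_ethernet": True, "en100_fw": "V4.26"},
    {"asset": "relay-c", "model": "SIPROTEC4-PLACEHOLDER", "en100_fw": "4.2x"},
]

def report(inventory):
    """Map each asset name to its list of findings."""
    return {d["asset"]: triage(d) for d in inventory}

if __name__ == "__main__":
    for asset, findings in report(INVENTORY).items():
        print(asset, findings or "no action from this advisory")
```

A version string the parser cannot read is reported for manual verification rather than treated as patched.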

For more information on this vulnerability and more detailed mitigation instructions, please see Siemens Security Advisory SSA-547990.