SIPROTEC 4, SIPROTEC Compact Fix Updated

Monday, July 31, 2017 @ 11:07 AM gHale


Siemens released an update to its SIPROTEC 4 and SIPROTEC Compact fixes to mitigate multiple vulnerabilities, according to a report with ICS-CERT.

The remotely exploitable vulnerabilities, which Siemens self-reported, are improper input validation, missing authorization, and improper authentication.


Siemens said the vulnerabilities affect the following SIPROTEC 4 and SIPROTEC Compact protection, control, measurement, and automation devices:
• Firmware variants for EN100 Ethernet modules as optional for SIPROTEC 4 and SIPROTEC Compact:
Firmware variant PROFINET IO: All versions prior to V1.04.01
Firmware variant Modbus TCP: All versions prior to V1.10.01
Firmware variant DNP3 TCP: All versions prior to V1.03
Firmware variant IEC 104: All versions prior to V1.21
• EN100 Ethernet module included in SIPROTEC Merging Unit 6MU80: All firmware versions prior to V1.02.02
• SIPROTEC 7SJ66: All versions prior to V4.23
• SIPROTEC 7SJ686: All versions prior to V4.86
• SIPROTEC 7UT686: All versions prior to V4.01
• SIPROTEC 7SD686: All versions prior to V4.04

Successful exploitation of these vulnerabilities could cause a denial-of-service condition, allow an attacker access to sensitive information, or allow an attacker to perform administrative functions.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerability.

In one of the vulnerabilities, specially crafted packets sent to Port 50000/UDP could cause a denial of service of the affected device. A manual reboot may be required to recover the service of the device.

CVE-2015-5374 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.6.

In another vulnerability, the integrated web server (Port 80/TCP) of the affected devices could allow remote attackers to obtain sensitive device information if network access was obtained.

CVE-2016-4784 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

Also, the integrated web server (Port 80/TCP) of the affected devices could allow remote attackers to obtain a limited amount of device memory content if network access was obtained.

CVE-2016-4785 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

In addition, attackers with network access to the device’s web interface (Port 80/TCP) could circumvent authentication and perform certain administrative operations.

CVE-2016-7112 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

There is also an improper input validation issue where specially crafted packets sent to Port 80/TCP could cause the affected device to go into defect mode.

CVE-2016-7113 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

In addition, attackers with network access to the device’s web interface (Port 80/TCP) could circumvent authentication and perform certain administrative operations. A legitimate user must be logged into the web interface for the attack to be successful.

CVE-2016-7114 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.3.

The products see action mainly in the energy sector on a global basis.

Siemens provided updates for the following affected products and recommends users update to the latest version:
• Firmware variants for EN100 Ethernet modules as optional for SIPROTEC 4 and SIPROTEC Compact:
Firmware variant PROFINET IO: Update to V1.04.01
Firmware variant Modbus TCP: Update to V1.10.01
Firmware variant DNP3 TCP: Update to V1.03
Firmware variant IEC 104: Update to V1.21
• EN100 Ethernet module included in SIPROTEC Merging Unit 6MU80: Update to firmware V1.02.02 by contacting the Siemens energy hotline
• SIPROTEC 7SJ66: Update to firmware V4.23
• SIPROTEC 7SJ686: Update to firmware V4.86
• SIPROTEC 7UT686: Update to firmware V4.01
• SIPROTEC 7SD686: Update to firmware V4.04
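The two lists above (affected versions and fixed versions) are what an asset owner has to reconcile against an inventory. The following is an added example, not from the article or from Siemens: a small audit script whose fixed-version table repeats the versions quoted in the advisory text, and whose inventory is constructed sample data (the product labels and asset names are my own). It compares versions numerically, so "V1.9.03" is correctly treated as older than "V1.10.01" and "V1.03.00" as equal to "V1.03", which a plain string comparison would get wrong.

```python
"""Firmware-version compliance check against the fixed versions in SSA-323211.

Added example, not from the article or from Siemens. FIXED_VERSIONS repeats the
fixed versions stated in the advisory; SAMPLE_INVENTORY is constructed data and
the product labels are this script's own keys, not Siemens part numbers.
"""
import re
from typing import Dict, List, Tuple

# Fixed versions as quoted in the advisory: any version below these is affected.
FIXED_VERSIONS: Dict[str, str] = {
    "EN100 PROFINET IO": "V1.04.01",
    "EN100 Modbus TCP": "V1.10.01",
    "EN100 DNP3 TCP": "V1.03",
    "EN100 IEC 104": "V1.21",
    "EN100 in 6MU80": "V1.02.02",
    "SIPROTEC 7SJ66": "V4.23",
    "SIPROTEC 7SJ686": "V4.86",
    "SIPROTEC 7UT686": "V4.01",
    "SIPROTEC 7SD686": "V4.04",
}

_VERSION_RE = re.compile(r"^V?(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V1.04.01' into (1, 4, 1).

    Numeric comparison matters: as strings 'V1.9.03' > 'V1.10.01', and the
    leading zero in '04' must not make it differ from '4'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(product: str, installed: str) -> bool:
    """True when the installed version is prior to the fixed version."""
    fixed = parse_version(FIXED_VERSIONS[product])
    have = parse_version(installed)
    # Pad the shorter tuple with zeros so that V1.03 and V1.03.00 compare equal.
    width = max(len(fixed), len(have))
    fixed += (0,) * (width - len(fixed))
    have += (0,) * (width - len(have))
    return have < fixed


def audit(inventory: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the inventory entries still below the fixed version, with the target."""
    findings = []
    for dev in inventory:
        if dev["product"] not in FIXED_VERSIONS:
            continue  # not in scope of this advisory
        if is_affected(dev["product"], dev["firmware"]):
            findings.append({**dev, "update_to": FIXED_VERSIONS[dev["product"]]})
    return findings


# Constructed sample inventory (asset names, versions and the last product are made up).
SAMPLE_INVENTORY = [
    {"asset": "bay01-relay", "product": "SIPROTEC 7SJ686", "firmware": "V4.85"},
    {"asset": "bay02-relay", "product": "SIPROTEC 7SJ686", "firmware": "V4.86"},
    {"asset": "bay03-en100", "product": "EN100 Modbus TCP", "firmware": "V1.9.03"},
    {"asset": "bay04-en100", "product": "EN100 DNP3 TCP", "firmware": "V1.03.00"},
    {"asset": "bay05-other", "product": "other-device (hypothetical)", "firmware": "V2.00"},
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f['asset']}: {f['product']} {f['firmware']} -> update to {f['update_to']}")
```

Run against the constructed inventory, only bay01-relay (V4.85 < V4.86) and bay03-en100 (V1.9.03 < V1.10.01) are reported; bay04-en100 is already at the fixed DNP3 TCP version and bay05-other is outside the advisory's scope.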

Siemens is preparing updates for the remaining affected products and recommends the following mitigations in the meantime:
• Apply secure substation concepts and defense-in-depth measures.
• Please see the specific product manual for more information. Manuals can be obtained from the downloads menu at this Siemens web site: http://www.siemens.com/gridsecurity
• Restrict network access to Port 80/TCP and Port 50000/UDP.

Siemens recommends users protect network access with appropriate mechanisms such as firewalls, segmentation, and VPNs. Siemens also advises that users configure the operational environment according to Siemens’ Operational Guidelines for Industrial Security.
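Restricting Port 80/TCP and Port 50000/UDP is only useful if you can also see whether the restriction holds. The following is an added example, not from the article or from Siemens: a check that reads firewall log lines and flags accepted connections to those two ports on the relay subnet from any host outside an engineering allow-list, and separately counts the attempts the firewall already dropped. The log format, addresses and allow-list are all constructed for the example; a real deployment would parse whatever firewall or NetFlow records it actually has.

```python
"""Flag accepted traffic to the ports named in the advisory mitigation
(80/TCP, 50000/UDP) reaching protection relays from non-allow-listed hosts.

Added example, not from the article or from Siemens. The log format, the relay
subnet, the allow-list and every address below are constructed sample data.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

# Ports the advisory says to restrict; everything else is out of scope here.
RESTRICTED = {("tcp", 80), ("udp", 50000)}

# Constructed: subnet holding the relays, and the hosts allowed to reach them.
RELAY_SUBNET = ip_network("10.10.20.0/24")
ENGINEERING_HOSTS = {ip_address("10.10.1.5"), ip_address("10.10.1.6")}

# Constructed syslog-style lines in a simplified firewall format.
SAMPLE_LOG = """\
2017-07-31T10:01:02Z fw01 ACCEPT proto=tcp src=10.10.1.5 dst=10.10.20.11 dport=80
2017-07-31T10:01:09Z fw01 ACCEPT proto=udp src=192.168.7.40 dst=10.10.20.11 dport=50000
2017-07-31T10:01:11Z fw01 ACCEPT proto=tcp src=192.168.7.40 dst=10.10.20.12 dport=80
2017-07-31T10:01:15Z fw01 ACCEPT proto=tcp src=10.10.1.6 dst=10.10.20.12 dport=443
2017-07-31T10:01:20Z fw01 DROP proto=udp src=192.168.7.41 dst=10.10.20.13 dport=50000
2017-07-31T10:01:25Z fw01 ACCEPT proto=udp src=192.168.7.40 dst=10.10.30.5 dport=50000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<fw>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line into a dict, or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def _is_restricted_relay_flow(rec: Dict[str, str]) -> bool:
    """True when the record targets a relay on one of the restricted ports."""
    return (
        ip_address(rec["dst"]) in RELAY_SUBNET
        and (rec["proto"].lower(), int(rec["dport"])) in RESTRICTED
    )


def find_violations(log_text: str) -> List[Dict[str, str]]:
    """Accepted flows to 80/TCP or 50000/UDP on a relay from a non-allow-listed host."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue
        if _is_restricted_relay_flow(rec) and ip_address(rec["src"]) not in ENGINEERING_HOSTS:
            hits.append(rec)
    return hits


def count_blocked(log_text: str) -> int:
    """How many restricted-port attempts against relays the firewall already dropped."""
    return sum(
        1
        for line in log_text.splitlines()
        if (rec := parse_line(line)) is not None
        and rec["action"] == "DROP"
        and _is_restricted_relay_flow(rec)
    )


if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"{v['ts']} {v['src']} -> {v['dst']}:{v['dport']}/{v['proto']} accepted from non-engineering host")
    print(f"blocked attempts: {count_blocked(SAMPLE_LOG)}")
```

On the constructed log, the two accepted flows from 192.168.7.40 to relays on 50000/UDP and 80/TCP are reported; the allow-listed engineering host, the 443/TCP connection, the dropped attempt, and the flow to a host outside the relay subnet are not. The one DROP line is counted separately, which is the evidence that the restriction itself is in place.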

For more information on this vulnerability and more detailed mitigation instructions, please see Siemens Security Advisory SSA-323211.


