OTPulse

Siemens SIPROTEC Information Disclosure Vulnerabilities (Update B)

Monitor · CVSS 5.3 · ICS-CERT ICSA-16-140-02 · Feb 20, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIPROTEC protective relay Ethernet modules and devices contain information disclosure vulnerabilities in their Ethernet service interfaces. Affected devices include EN100 modules in SIPROTEC 4 and Compact, and SIPROTEC Compact models 7SJ80, 7RW80, 7SJ81, and 7SK81 with Ethernet Service Interface on Port A. An attacker with network access to these devices can read sensitive configuration information without authentication. Siemens has released firmware updates V4.27 for EN100 modules and V4.76 for 7SJ80, but has not released updates for the 7RW80, 7SJ81, and 7SK81 models.

What this means
What could happen
An attacker with network access to affected SIPROTEC devices could read sensitive configuration or system information without authentication, potentially exposing protective relay settings, IP addresses, or other operational details that could inform further attacks.
Who's at risk
This affects electrical utilities and any facility operating SIPROTEC protective relays for power system protection. The EN100 Ethernet modules are used in SIPROTEC 4 and Compact models to add network connectivity to protective relays (7SJ80, 7RW80, 7SJ81, 7SK81). These relays protect transformers, feeders, and generators from faults.
How it could be exploited
An attacker on the network sends requests to the Ethernet interface of an affected SIPROTEC device (port 502 or the management Ethernet port). The device responds with sensitive information without requiring authentication due to the information disclosure vulnerability. The attacker collects configuration details or system state information.
Prerequisites
  • Network access to the affected device's Ethernet interface
  • No authentication credentials required
Tags: remotely exploitable · no authentication required · low complexity · no patch available for multiple product variants
Exploitability
Moderate exploit probability (EPSS 2.4%)
Affected products (6)
3 with fix · 1 pending · 2 EOL

Product | Affected Versions | Fix Status
SIPROTEC Compact models 7RW80 with Ethernet Service Interface on Port A | All versions | No fix yet
EN100 Ethernet module included in SIPROTEC 4 | ≤ V4.26 | V4.27
EN100 Ethernet module included in SIPROTEC Compact | ≤ V4.26 | V4.27
SIPROTEC Compact model 7SJ80 with Ethernet Service Interface on Port A (firmware) | ≤ V4.75 | V4.76
SIPROTEC Compact models 7SJ81 with Ethernet Service Interface on Port A | All versions | No fix (EOL)
SIPROTEC Compact models 7SK81 with Ethernet Service Interface on Port A | All versions | No fix (EOL)
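To turn the affected-product table into an inventory check, here is an added example (not OTPulse or Siemens code) that triages asset records against the advisory's fixed-in versions: it tells you which EN100 and 7SJ80 devices still need the V4.27 / V4.76 update and which 7RW80, 7SJ81 and 7SK81 devices can only be isolated. The product family labels, asset tags and firmware values in the sample inventory are constructed, and the script assumes the inventory has already been filtered to devices with the Ethernet service interface on Port A or an EN100 module.

```python
"""Asset triage against the ICSA-16-140-02 affected-product table.
Added example, not OTPulse or Siemens code; the inventory below is constructed
sample data, the firmware thresholds are the advisory's."""
import re
# Product family -> first fixed firmware, or None where the advisory lists no fix
# (7RW80: fix pending; 7SJ81 and 7SK81: end of life).
FIXED_IN = {
    "EN100 (SIPROTEC 4)": "V4.27",
    "EN100 (SIPROTEC Compact)": "V4.27",
    "7SJ80": "V4.76",
    "7RW80": None,
    "7SJ81": None,
    "7SK81": None,
}

def parse_version(v: str) -> tuple:
    """'V4.26' -> (4, 26); the 'V' prefix is optional. Tuples compare numerically,
    so V4.100 sorts after V4.99 (a plain string comparison would get that wrong)."""
    m = re.fullmatch(r"V?(\d+)\.(\d+)", v.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {v!r}")
    return tuple(int(x) for x in m.groups())

def triage(product: str, firmware: str) -> str:
    """Action for one record: 'not_listed', 'ok', 'update' or 'isolate'.
    Assumes the caller has already filtered to devices with the Ethernet
    service interface on Port A or an EN100 module (the advisory's scope)."""
    if product not in FIXED_IN:
        return "not_listed"
    fixed = FIXED_IN[product]
    if fixed is None:                  # no fix: compensating controls only
        return "isolate"
    if parse_version(firmware) >= parse_version(fixed):
        return "ok"
    return "update"

def triage_inventory(inventory):
    """Map each (asset tag, product family, firmware) record to an action."""
    return {asset: triage(product, fw) for asset, product, fw in inventory}

# Constructed sample inventory; EXAMPLE-OTHER stands in for an unlisted model.
SAMPLE_INVENTORY = [
    ("RELAY-01", "EN100 (SIPROTEC 4)", "V4.26"),   # one below the fix
    ("RELAY-02", "EN100 (SIPROTEC 4)", "V4.27"),   # already fixed
    ("RELAY-03", "7SJ80", "V4.75"),                # needs V4.76
    ("RELAY-04", "7RW80", "V4.80"),                # no fix yet
    ("RELAY-05", "7SK81", "V4.10"),                # end of life
    ("RELAY-06", "EXAMPLE-OTHER", "V4.70"),        # not in the advisory
]
```

Running `triage_inventory(SAMPLE_INVENTORY)` gives the per-asset action; "isolate" maps to the segmentation and firewall controls in the remediation section.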
Remediation & Mitigation
Do now
WORKAROUND: Implement network firewall rules to restrict access to SIPROTEC device Ethernet interfaces from untrusted networks
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update EN100 Ethernet module firmware to V4.27 or later for SIPROTEC 4 and SIPROTEC Compact devices
HOTFIX: Update SIPROTEC Compact 7SJ80 with Ethernet Service Interface firmware to V4.76 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SIPROTEC Compact models 7SJ81 with Ethernet Service Interface on Port A (all versions) and SIPROTEC Compact models 7SK81 with Ethernet Service Interface on Port A (all versions). Apply the following compensating controls:
HARDENING: Isolate SIPROTEC device networks from the business network using network segmentation
HARDENING: If remote access is required, use VPN with current security patches to access SIPROTEC devices