OTPulse

Siemens SICAM RTU Devices Denial-of-Service Vulnerability

Status: Monitor
CVSS: 7.5
Reference: ICS-CERT ICSA-16-299-01
Published: Jul 29, 2016
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens SICAM RTU devices with SM-2558 extension ETA4 firmware (Revision_08 and earlier) and SM-2556 extension ETA2 firmware (Revision_11.01 and earlier) are vulnerable to denial-of-service attacks. An attacker can send a specially crafted network packet that causes the device to crash and become unresponsive. The vulnerability stems from insufficient input validation (CWE-400: Uncontrolled Resource Consumption). Affected products include SICAM AK SM-2558, SICAM TM 1703 SM-2558, SICAM BC 1703 SM-2558, SICAM AK 3 SM-2558, SICAM AK SM-2556, SICAM TM SM-2556, and SICAM BC SM-2556.

What this means
What could happen
An attacker who can reach the device network can send specially crafted packets that crash the SICAM RTU, causing it to stop responding and interrupting remote terminal unit operations that rely on it for telemetry and control.
Who's at risk
Water and electric utilities that operate Siemens SICAM Remote Terminal Units for substation telemetry, protection, and control. This affects both AK (Automation/Gateway) and BC (Bay Controller) variants used in substations to monitor voltages, currents, and trip power equipment.
How it could be exploited
An attacker on the network sends a malformed network packet to the vulnerable SICAM RTU device. The device fails to validate the packet and crashes, becoming unavailable until manually rebooted. No authentication is required.
Prerequisites
  • Network access to the SICAM RTU device on the same network segment or across routed networks
  • The vulnerable firmware versions must be running (Revision_08 or earlier for ETA4 modules; Revision_11.01 or earlier for ETA2 modules)
Tags: remotely exploitable · no authentication required · low complexity · no patch available · denial of service impact on critical telemetry
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (7), all End of Life (7 EOL)

Product | Affected Versions | Fix Status
SICAM AK SM-2558 extension ETA4 firmware | < Revision_08 | No fix (EOL)
SICAM TM 1703 SM-2558 extension ETA4 firmware | < Revision_08 | No fix (EOL)
SICAM BC 1703 SM-2558 extension ETA4 firmware | < Revision_08 | No fix (EOL)
SICAM AK 3 SM-2558 extension ETA4 firmware | < Revision_08 | No fix (EOL)
SICAM AK SM-2556 extension ETA2 firmware | <= Revision_11.01 | No fix (EOL)
SICAM TM SM-2556 extension ETA2 firmware | <= Revision_11.01 | No fix (EOL)
SICAM BC SM-2556 extension ETA2 firmware | <= Revision_11.01 | No fix (EOL)
Remediation & Mitigation

Do now
HARDENING: Isolate or air-gap SICAM RTU devices from untrusted networks; restrict network access to the RTU to only authorized engineering stations and SCADA hosts using firewall rules
WORKAROUND: Disable or restrict remote management and telemetry access to SICAM RTU devices if not actively required for operations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Review Siemens security advisories for firmware updates; contact Siemens support to determine if patched firmware versions are available for your specific devices
Mitigations - no patch available

The following products have reached End of Life with no planned fix:
  • SICAM AK SM-2558 extension ETA4 firmware: < Revision_08
  • SICAM TM 1703 SM-2558 extension ETA4 firmware: < Revision_08
  • SICAM BC 1703 SM-2558 extension ETA4 firmware: < Revision_08
  • SICAM AK 3 SM-2558 extension ETA4 firmware: < Revision_08
  • SICAM AK SM-2556 extension ETA2 firmware: <= Revision_11.01
  • SICAM TM SM-2556 extension ETA2 firmware: <= Revision_11.01
  • SICAM BC SM-2556 extension ETA2 firmware: <= Revision_11.01
Apply the following compensating controls:
HARDENING: Implement network segmentation so that SICAM RTU devices are in a separate network zone with strict ingress/egress rules; monitor for unexpected traffic to these devices
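The segmentation control above amounts to an allowlist: only named engineering stations and SCADA hosts may reach the RTU zone, RTUs should only talk back to those hosts, and anything else is a finding worth investigating. The script below is an added example (not OTPulse's or Siemens' code) that audits a handful of constructed flow-log records against such a policy. The RTU zone address range, the two authorized hosts, the record format (`src=... dst=... proto=... dport=... bytes=...`) and the port numbers are all assumptions made for the illustration; the advisory itself names no protocol or port.

```python
"""Audit flow records for an RTU network zone against an ingress/egress allowlist.

Added example for the compensating control of segmenting SICAM RTU devices and
monitoring for unexpected traffic. All addresses, hosts and log lines below are
constructed placeholders, not values from the advisory.
"""
import ipaddress
from dataclasses import dataclass

# Constructed (assumed) zone layout: the RTU zone and the only hosts allowed to talk to it.
RTU_ZONE = ipaddress.ip_network("10.20.30.0/24")
AUTHORIZED_HOSTS = {
    ipaddress.ip_address("10.10.1.5"),   # engineering workstation (assumed)
    ipaddress.ip_address("10.10.2.10"),  # SCADA front-end host (assumed)
}


@dataclass(frozen=True)
class Finding:
    line_no: int
    src: str
    dst: str
    reason: str


def parse_flow(line):
    """Parse one constructed 'key=value ...' flow record into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def audit_flows(lines):
    """Return a Finding for every record that violates the zone policy.

    Policy (matches the hardening guidance, concrete values are assumptions):
      - ingress:  traffic into the RTU zone must come from an authorized host
      - egress:   traffic leaving the RTU zone must go to an authorized host
      - lateral:  RTU-to-RTU traffic inside the zone is not expected in this design
    """
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_flow(line)
        src = ipaddress.ip_address(rec["src"])
        dst = ipaddress.ip_address(rec["dst"])
        src_in, dst_in = src in RTU_ZONE, dst in RTU_ZONE
        if dst_in and not src_in and src not in AUTHORIZED_HOSTS:
            findings.append(Finding(n, str(src), str(dst), "unauthorized ingress to RTU zone"))
        elif src_in and not dst_in and dst not in AUTHORIZED_HOSTS:
            findings.append(Finding(n, str(src), str(dst), "unexpected egress from RTU zone"))
        elif src_in and dst_in:
            findings.append(Finding(n, str(src), str(dst), "lateral traffic inside RTU zone"))
    return findings


# Constructed sample records; ports and byte counts are arbitrary placeholders.
SAMPLE_FLOWS = [
    "src=10.10.2.10 dst=10.20.30.7 proto=tcp dport=5000 bytes=512",    # SCADA host -> RTU: allowed
    "src=192.168.50.23 dst=10.20.30.7 proto=tcp dport=5000 bytes=40",  # unknown host -> RTU: finding
    "src=10.20.30.7 dst=10.10.2.10 proto=tcp dport=5000 bytes=900",    # RTU -> SCADA host: allowed
    "src=10.20.30.7 dst=203.0.113.9 proto=udp dport=53 bytes=64",      # RTU -> outside: finding
    "src=10.20.30.7 dst=10.20.30.8 proto=tcp dport=22 bytes=1200",     # RTU -> RTU: finding
]

if __name__ == "__main__":
    for f in audit_flows(SAMPLE_FLOWS):
        print(f"line {f.line_no}: {f.src} -> {f.dst}: {f.reason}")
```

The same allowlist is what the firewall rules at the zone boundary should enforce; running the audit over exported flow logs is a way to confirm the rules are actually holding and to catch hosts that were never supposed to reach the RTU before a crafted packet from one of them can take a unit offline.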