ICSA-17-187-03F Siemens SIPROTEC 4 and SIPROTEC Compact (Update F)

Act NowCVSS 8.6ICS-CERT ICSA-17-187-03FJul 4, 2017

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple input validation and authentication bypass vulnerabilities in Siemens SIPROTEC 4 and SIPROTEC Compact protection relays and merging units allow an unauthenticated attacker to disrupt device operation via crafted network packets. Affected devices include EN100 Ethernet modules (PROFINET IO, Modbus TCP, DNP3 TCP, IEC 104 variants), SIPROTEC Merging Unit 6MU80, and several relay models (7SJ686, 7UT686, 7SD686, 7SJ66). Input validation defects (CWE-20) combined with missing or incorrect authorization checks (CWE-862, CWE-287) allow bypass of access controls without valid credentials.

What this means

What could happen

An attacker could send specially crafted network packets to disable or disrupt protection relays and merging units, causing loss of electrical protection for power systems. This could result in uncontrolled fault conditions, equipment damage, or loss of grid stability.

Who's at risk

This advisory affects power system protection relays and merging units deployed in electrical substations and distribution networks. Specifically: utilities operating Siemens SIPROTEC 4 and SIPROTEC Compact protection relays (7SJ686, 7UT686, 7SD686, 7SJ66 models), merging units (6MU80), and any system with EN100 Ethernet communication modules. Primary concern is for relay engineers and OT teams managing electrical protection systems at substations or control centers.

How it could be exploited

An attacker with network access to the Ethernet port of a SIPROTEC device can send malformed input (improper validation in CWE-20) that bypasses authentication or authorization controls (CWE-862, CWE-287). The attacker does not need credentials; a crafted packet to the device's protocol stack (PROFINET, Modbus TCP, DNP3, or IEC 104) will cause a denial of service or permit unauthorized changes to protection logic.

Prerequisites

Network access to the Ethernet port of the SIPROTEC device
No credentials required
Ability to send raw packets on the device's industrial protocol (PROFINET, Modbus TCP, DNP3, or IEC 104)

Remotely exploitableNo authentication requiredLow complexity attackHigh EPSS score (84.7%)No patch available for several key devices (7SJ686, 7UT686, 7SD686, 7SJ66, 6MU80)Affects electrical protection and safety-critical systems

Exploitability

Likely to be exploited — EPSS score 83.9%

Metasploit module available — weaponized exploitView module ↗

Public Proof-of-Concept (PoC) on GitHub (1 repository)

Affected products (13)

4 with fix9 EOL

ProductAffected VersionsFix Status

Firmware variant PROFINET IO for EN100 Ethernet module<V1.04.011.04.01

Firmware variant Modbus TCP for EN100 Ethernet module<V1.11.001.11.00

Firmware variant DNP3 TCP for EN100 Ethernet module<V1.031.03

Firmware variant IEC 104 for EN100 Ethernet module<V1.211.21

SIPROTEC 7SJ686<V 4.83No fix (EOL)

SIPROTEC 7UT686<V 4.01No fix (EOL)

SIPROTEC 7SD686<V 4.03No fix (EOL)

SIPROTEC 7SD686<V 4.05No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDDisable unused industrial protocols (Modbus TCP, DNP3, IEC 104) on EN100 modules if not required for your plant automation

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate EN100 Ethernet module firmware: PROFINET IO variant to 1.04.01, Modbus TCP variant to 1.11.00, DNP3 TCP variant to 1.03, or IEC 104 variant to 1.21

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: SIPROTEC 7SJ686, SIPROTEC 7UT686, SIPROTEC 7SD686, SIPROTEC 7SD686, SIPROTEC 7SJ66, SIPROTEC 7SJ66, EN100 Ethernet module included in SIPROTEC Merging Unit 6MU80, SIPROTEC 7SJ686, SIPROTEC 7UT686. Apply the following compensating controls:

HARDENINGFor SIPROTEC 7SJ66 devices without vendor patches available, implement network segmentation and firewall rules to restrict access to the device's Ethernet port to only authorized engineering workstations and control systems

HARDENINGMonitor network access to SIPROTEC devices for suspicious or unexpected protocol traffic

CVEs (6)

CVE-2015-5374 CVE-2016-4784 CVE-2016-4785 CVE-2016-7112 CVE-2016-7113 CVE-2016-7114

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/96e57383-0f8a-4325-aa96-613ce2f86557

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.