Siemens SICAM
Act Now | Score: 9.8 | ICS-CERT ICSA-17-320-02 | Nov 16, 2017
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple critical vulnerabilities in Siemens SICAM RTU SM-2556 COM Modules with firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00, and DNPi00 allow remote code execution without authentication. The vulnerabilities stem from CWE-306 (missing authentication), CWE-79 (cross-site scripting), and CWE-94 (improper control of generation of code). The web server interface built into these modules is exploitable remotely with low skill level, and public exploits are available. The affected firmware versions have reached end-of-life and no patches will be released for these versions.
What this means
What could happen
An attacker with network access to the web server on affected SICAM RTU modules could gain full control of the device, allowing them to alter relay configuration, trip breakers, or disrupt substation automation functions that monitor and protect the power grid.
Who's at risk
Electrical utilities and substations using Siemens SICAM RTU SM-2556 COM Modules with ENOS00, ERAC00, ETA2, ETLS00, MODi00, or DNPi00 firmware variants. This includes organizations relying on IEC 60870-5-104, Modbus/TCP, or DNP3 communication for substation automation and protection systems.
How it could be exploited
An attacker sends specially crafted requests over the network to the web server running on the SM-2556 COM Module. The vulnerability allows arbitrary code execution without authentication, giving the attacker the ability to execute commands on the RTU that controls substation equipment such as circuit breakers and relays.
Prerequisites
- Network reachability to the web server port on the SM-2556 COM Module
- No authentication or credentials required
Tags: remotely exploitable · no authentication required · low complexity · public exploits available · no patch available · affects critical infrastructure safety/control systems
Exploitability
Moderate exploit probability (EPSS 3.1%)
Affected products (1)
Product: SICAM RTUs SM-2556 COM Modules with the firmware variants ENOS00, ERAC00, ETA2, ETLS00, MODi00, DNPi00
Affected Versions: All versions
Fix Status: No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Disable the web server on SM-2556 COM Modules after commissioning is complete, as it is not required for normal operation
HARDENING: Restrict network access to the SM-2556 COM Module web server using firewall rules and network segmentation
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption
HOTFIX: For users running discontinued ETA2, MODi00, or DNPi00 firmware, upgrade to the successor firmware (ETA4, MBSiA0, or DNPiA1 respectively) on the SM-2558 COM Module
Long-term hardening
HARDENING: Implement the Siemens Operational Guidelines for Industrial Security to protect the operational environment