ICSA-18-347-02 Siemens EN100 Ethernet Communication Module and SIPROTEC 5 Relays (Update A)
Monitor · 7.5 · ICS-CERT ICSA-18-347-02 · Jul 11, 2018
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The EN100 Ethernet Communication Module and SIPROTEC 5 protective relays contain an improper input validation vulnerability (CWE-20) in their network protocol handlers. When an EN100 module or SIPROTEC 5 relay receives a malformed network packet on ports used for IEC 61850, PROFINET IO, Modbus TCP, DNP3 TCP, or IEC 104 protocols, it fails to validate the input correctly. This causes the affected device to crash or become unresponsive, leading to denial of service. Multiple firmware variants and relay models are affected across various protocol implementations. The vulnerability can be triggered remotely over the network without any authentication or credentials.
What this means
What could happen
An attacker on the network can send specially crafted messages to cause the EN100 Ethernet module or SIPROTEC 5 relay to crash or stop responding, interrupting relay protection and control functions for electrical substations.
Who's at risk
Operators and administrators of electrical substations and distribution systems that rely on Siemens EN100 Ethernet communication modules or SIPROTEC 5 protective relays for grid protection, monitoring, and control.
How it could be exploited
An attacker sends malformed or invalid packets to the EN100 module or SIPROTEC 5 relay's network port. The device fails to properly validate the input, processes it incorrectly, and crashes or becomes unresponsive. No authentication is required.
Prerequisites
- Network access to the EN100 Ethernet module or SIPROTEC 5 relay over TCP/IP on the protocol port (IEC 61850, PROFINET IO, Modbus TCP, DNP3 TCP, or IEC 104)
- No authentication or credentials required
- Remotely exploitable over network
- No authentication required
- Affects critical protective relays
- Device restart may cause loss of relay protection coverage
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (7)
7 pending
Product | Affected Versions | Fix Status
Firmware variant IEC 61850 for EN100 Ethernet module | < V4.33 | No fix yet
Firmware variant PROFINET IO for EN100 Ethernet module | All versions | No fix yet
Firmware variant Modbus TCP for EN100 Ethernet module | All versions | No fix yet
Firmware variant DNP3 TCP for EN100 Ethernet module | All versions | No fix yet
Firmware variant IEC104 for EN100 Ethernet module | < V1.22 | No fix yet
SIPROTEC 5 relays with CPU variants CP300 and CP100 and the respective | < V7.80 | No fix yet
SIPROTEC 5 relays with CPU variants CP200 and the respective Ethernet | < V7.58 | No fix yet
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update EN100 Ethernet module firmware variant IEC 61850 to version V4.33 or later
HOTFIX: Update EN100 Ethernet module firmware variant IEC104 to version V1.22 or later
HOTFIX: Update SIPROTEC 5 relays with CP300 or CP100 CPU to firmware version V7.80 or later
HOTFIX: Update SIPROTEC 5 relays with CP200 CPU and Ethernet to firmware version V7.58 or later
Long-term hardening
HARDENING: Apply network segmentation to isolate EN100 and SIPROTEC 5 devices from untrusted networks; restrict inbound TCP access to only trusted engineering and SCADA systems
HARDENING: Monitor EN100 and SIPROTEC 5 device logs and status for unexpected restarts or communication failures that may indicate exploitation attempts
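To turn the affected-version table and the hotfix steps above into a fleet check, here is an added example (not part of the advisory or of any Siemens tooling): it flags every inventory row whose firmware variant and version fall inside the advisory's affected ranges, treating "All versions" products as always affected. The product keys, hostnames and inventory rows are constructed for illustration.

```python
"""Triage a device inventory against the affected-version table of ICSA-18-347-02.
Added example; product keys and inventory rows are constructed, not from the advisory."""
import re

# Fixed version per product as stated in the advisory; None means every version is affected.
AFFECTED = {
    "EN100 IEC 61850": "V4.33",
    "EN100 PROFINET IO": None,
    "EN100 Modbus TCP": None,
    "EN100 DNP3 TCP": None,
    "EN100 IEC104": "V1.22",
    "SIPROTEC 5 CP300": "V7.80",
    "SIPROTEC 5 CP100": "V7.80",
    "SIPROTEC 5 CP200": "V7.58",
}

def parse_version(v):
    """'V7.80' -> (7, 80); accepts an optional 'V' prefix and extra dotted fields."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unparseable firmware version: {v!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_affected(product, version):
    """True when the firmware is older than the fixed version, or when no fix exists."""
    if product not in AFFECTED:
        raise KeyError(f"product not covered by this advisory: {product!r}")
    fixed = AFFECTED[product]
    if fixed is None:
        return True
    return parse_version(version) < parse_version(fixed)

def triage(inventory):
    """Return the (hostname, product, version) rows that still need remediation."""
    return [row for row in inventory if is_affected(row[1], row[2])]

# Constructed sample inventory; hostnames and versions are illustrative only.
INVENTORY = [
    ("relay-01", "SIPROTEC 5 CP300", "V7.80"),
    ("relay-02", "SIPROTEC 5 CP200", "V7.50"),
    ("en100-a", "EN100 IEC 61850", "V4.30"),
    ("en100-b", "EN100 Modbus TCP", "V1.10"),
    ("en100-c", "EN100 IEC104", "V1.22"),
]

if __name__ == "__main__":
    for host, product, version in triage(INVENTORY):
        print(f"{host}: {product} {version} is affected; schedule the hotfix")
```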
CVEs (2)