ICSA-18-347-02 Siemens EN100 Ethernet Communication Module and SIPROTEC 5 Relays (Update A)

MonitorCVSS 7.5ICS-CERT ICSA-18-347-02Jul 11, 2018

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The EN100 Ethernet Communication Module and SIPROTEC 5 protective relays contain an improper input validation vulnerability (CWE-20) in their network protocol handlers. When an EN100 module or SIPROTEC 5 relay receives a malformed network packet on ports used for IEC 61850, PROFINET IO, Modbus TCP, DNP3 TCP, or IEC 104 protocols, it fails to validate the input correctly. This causes the affected device to crash or become unresponsive, leading to denial of service. Multiple firmware variants and relay models are affected across various protocol implementations. The vulnerability can be triggered remotely over the network without any authentication or credentials.

What this means

What could happen

An attacker on the network can send specially crafted messages to cause the EN100 Ethernet module or SIPROTEC 5 relay to crash or stop responding, interrupting relay protection and control functions for electrical substations.

Who's at risk

Operators and administrators of electrical substations and distribution systems that rely on Siemens EN100 Ethernet communication modules or SIPROTEC 5 protective relays for grid protection, monitoring, and control.

How it could be exploited

An attacker sends malformed or invalid packets to the EN100 module or SIPROTEC 5 relay's network port. The device fails to properly validate the input, processes it incorrectly, and crashes or becomes unresponsive. No authentication is required.

Prerequisites

Network access to the EN100 Ethernet module or SIPROTEC 5 relay over TCP/IP on the protocol port (IEC 61850, PROFINET IO, Modbus TCP, DNP3 TCP, or IEC 104)
No authentication or credentials required

Remotely exploitable over networkNo authentication requiredAffects critical protective relaysDevice restart may cause loss of relay protection coverage

Exploitability

Unlikely to be exploited — EPSS score 0.7%

Affected products (7)

7 pending

ProductAffected VersionsFix Status

Firmware variant IEC 61850 for EN100 Ethernet module<V4.33No fix yet

Firmware variant PROFINET IO for EN100 Ethernet moduleAll versionsNo fix yet

Firmware variant Modbus TCP for EN100 Ethernet moduleAll versionsNo fix yet

Firmware variant DNP3 TCP for EN100 Ethernet moduleAll versionsNo fix yet

Firmware variant IEC104 for EN100 Ethernet module<V1.22No fix yet

SIPROTEC 5 relays with CPU variants CP300 and CP100 and the respective<V7.80No fix yet

SIPROTEC 5 relays with CPU variants CP200 and the respective Ethernet<V7.58No fix yet

Remediation & Mitigation

0/6

Schedule — requires maintenance window

0/4

Patching may require device reboot — plan for process interruption

HOTFIXUpdate EN100 Ethernet module firmware variant IEC 61850 to version V4.33 or later

HOTFIXUpdate EN100 Ethernet module firmware variant IEC104 to version V1.22 or later

HOTFIXUpdate SIPROTEC 5 relays with CP300 or CP100 CPU to firmware version V7.80 or later

HOTFIXUpdate SIPROTEC 5 relays with CP200 CPU and Ethernet to firmware version V7.58 or later

Long-term hardening

0/2

HARDENINGApply network segmentation to isolate EN100 and SIPROTEC 5 devices from untrusted networks; restrict inbound TCP access to only trusted engineering and SCADA systems

HARDENINGMonitor EN100 and SIPROTEC 5 device logs and status for unexpected restarts or communication failures that may indicate exploitation attempts

CVEs (2)

CVE-2018-11451 CVE-2018-11452

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/6042b598-b66a-4fe6-aa94-94e8d276dd21

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.