ICSA-19-038-02 Siemens EN100 Ethernet Module

Plan PatchCVSS 7.5ICS-CERT ICSA-19-038-02Jan 8, 2019

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The Siemens EN100 Ethernet module with IEC 61850 firmware prior to version 4.33 contains an input validation flaw (CWE-20) that allows an attacker to send malformed packets to port 102/TCP, causing the module to crash or become unresponsive. This disrupts IEC 61850 communication between control system devices and engineering workstations, potentially interrupting data exchange for monitoring and control operations. The vulnerability requires only network access; no credentials or user interaction are needed to trigger it.

What this means

What could happen

An attacker can trigger a denial-of-service condition on the EN100 Ethernet module, causing it to become unresponsive and disrupting communication between your control system devices and the engineering network over IEC 61850 protocol.

Who's at risk

Operators of utility automation and power distribution control systems using Siemens EN100 Ethernet modules with IEC 61850 protocol firmware older than version 4.33. This includes water authorities and electric utilities using Siemens SCADA gateway or substation automation equipment that relies on IEC 61850 communication.

How it could be exploited

An attacker with network access to port 102/TCP on the EN100 module can send specially crafted packets that cause the module to crash or stop responding. The module communicates control system data over IEC 61850, so when it becomes unavailable, devices relying on that communication path can lose synchronization or cease operation.

Prerequisites

Network access to EN100 Ethernet module on port 102/TCP
No authentication required

remotely exploitableno authentication requiredlow complexityaffects critical communication infrastructure

Exploitability

Unlikely to be exploited — EPSS score 0.7%

Affected products (1)

ProductAffected VersionsFix Status

Firmware variant IEC 61850 for EN100 Ethernet module<V4.334.33

Remediation & Mitigation

0/3

Do now

0/1

WORKAROUNDBlock inbound access to port 102/TCP at network boundary and segment control system network from business network

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate firmware to version 4.33 or later on affected EN100 Ethernet modules

Long-term hardening

0/1

HARDENINGImplement network segmentation and place control system devices behind firewall; minimize Internet-facing exposure of all EN100 modules

CVEs (2)

CVE-2018-11451 CVE-2018-11452

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/095a236a-a1d4-41cc-90c2-618f6b8d7d5f

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.