ICSA-19-043-02 Siemens EN100 Ethernet Communication Module and SIPROTEC 5 Relays
CVSS 7.5 · ICS-CERT ICSA-19-043-02 · Feb 12, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The EN100 Ethernet Communication Module and the Ethernet communication modules of SIPROTEC 5 relays contain an improper input validation flaw (CWE-20) in their network protocol handlers. A malformed packet sent to the device's configured protocol port can crash the Ethernet communication module, producing a denial-of-service condition in which the device stops communicating; the advisory notes that a manual reboot is required to recover the service. Affected are EN100 firmware variant IEC 61850 before V4.35, all firmware versions of the EN100 variants MODBUS TCP, DNP3 TCP, IEC 60870-5-104 and PROFINET IO, and SIPROTEC 5 relays with CPU variants CP300/CP100 (with their Ethernet communication modules) before V7.82 and CP200 before V7.58.
What this means
What could happen
An attacker with network access to an affected device could send a malformed packet that crashes the EN100 module or the SIPROTEC 5 Ethernet communication module. The device drops off the network until it is rebooted, so supervisory control, engineering access and any protection, interlocking or telecontrol function that depends on the Ethernet link (for example IEC 61850 GOOSE or telecontrol traffic) are lost for the duration. In substations and generation facilities this can leave parts of the grid without the communication-dependent protection the device was providing.
Who's at risk
Operators of electrical substations, generation facilities and power distribution networks using the Siemens EN100 Ethernet communication module (the IEC 61850, MODBUS TCP, DNP3 TCP, IEC 104 or PROFINET IO firmware variant) or SIPROTEC 5 relays with CPU variants CP100, CP200 or CP300 and their Ethernet communication modules should check their firmware versions against the affected ranges below. Note that the EN100 variants other than IEC 61850 have no fixed version, so those deployments must rely on network isolation.
How it could be exploited
An attacker who can reach the device's protocol listener (by default 102/tcp for IEC 61850 MMS over ISO-TSAP, 502/tcp for MODBUS TCP, 20000/tcp for DNP3 TCP and 2404/tcp for IEC 60870-5-104; PROFINET IO real-time traffic is carried in layer-2 frames rather than over a TCP port) can send a crafted packet that fails the handler's input validation, crashing the communication module and halting all traffic through it. The advisory does not publish the packet contents, and no exploit details are reproduced here; the practical consequence is that every host able to open a connection to these ports is in the attack surface.
Prerequisites
- Network access to the EN100 Ethernet module or SIPROTEC 5 relay on the configured protocol port
- Device must be deployed and in-service on the network
- No authentication or credentials required to send the malformed packet
Tags: remotely exploitable · no authentication required · low complexity attack · affects safety and protection systems · availability impact via denial of service
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (7)
Product | Affected versions | Fix status
Firmware variant IEC 61850 for EN100 Ethernet module | < V4.35 | Fixed in V4.35
Firmware variant MODBUS TCP for EN100 Ethernet module | All versions | No fix available
Firmware variant DNP3 TCP for EN100 Ethernet module | All versions | No fix available
Firmware variant IEC104 for EN100 Ethernet module | All versions | No fix available
Firmware variant Profinet IO for EN100 Ethernet module | All versions | No fix available
SIPROTEC 5 relays with CPU variants CP300 and CP100 and the respective Ethernet communication modules | < V7.82 | Fixed in V7.82
SIPROTEC 5 relays with CPU variants CP200 and the respective Ethernet communication modules | < V7.58 | Fixed in V7.58
Remediation & Mitigation
Schedule: requires a maintenance window. Patching requires a device reboot, so plan for a protection outage and the corresponding process interruption.
HOTFIX: Update the EN100 Ethernet module firmware (IEC 61850 variant) to V4.35 or later. No fixed firmware exists for the MODBUS TCP, DNP3 TCP, IEC 104 and PROFINET IO variants; apply the hardening measures below to those devices.
HOTFIX: Update the Ethernet communication modules of SIPROTEC 5 relays with CP300/CP100 CPUs to firmware V7.82 or later.
HOTFIX: Update the Ethernet communication modules of SIPROTEC 5 relays with CP200 CPUs to firmware V7.58 or later.
Long-term hardening
HARDENING: Isolate EN100 Ethernet modules and SIPROTEC 5 relays in a protected network segment behind a firewall; permit connections to the protocol ports (102, 502, 20000, 2404) only from the SCADA gateways and engineering stations that need them, and block them from all other networks.
HARDENING: Monitor network traffic to these devices for connections from unexpected sources and for malformed or unexpected packets on the protocol ports, and treat an unexplained loss of communication with a relay as a possible exploitation attempt rather than a link fault.
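The two hardening items above can be turned into a concrete triage check. The following is an added example, not code from ICS-CERT, Siemens or this page: it walks over captured flows to the relay segment, flags any connection to a relay protocol port whose source is not on the approved client list, and, for 102/tcp, validates the structure of the first payload as a TPKT (RFC 1006) plus COTP class 0 (ISO 8073) PDU, which is what IEC 61850 MMS traffic must start with. The relay subnet, the allow-list and the sample flows are constructed for the example; the TPKT/COTP field layout is the real one.

```python
"""Triage of connections to protection-relay protocol ports.

Added example (not ICS-CERT or Siemens code). Checks (1) whether the source of
a connection to a relay protocol port is an approved SCADA/engineering host and
(2) whether the first payload on 102/tcp is a well-formed TPKT/COTP PDU.
The addresses, allow-list and sample flows below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Default listener ports of the TCP-based protocol variants named in the
# advisory. PROFINET IO real-time traffic is layer-2 and has no TCP port.
PROTOCOL_PORTS = {102: "IEC 61850 / ISO-TSAP", 502: "MODBUS TCP",
                  20000: "DNP3 TCP", 2404: "IEC 60870-5-104"}

RELAY_NET = ip_network("10.20.30.0/24")            # constructed relay segment
ALLOWED_CLIENTS = [ip_network("10.20.10.5/32"),    # assumed SCADA gateway
                   ip_network("10.20.10.0/28")]    # assumed engineering stations

# COTP PDU types (high nibble of the type byte), ISO 8073.
COTP_PDU_TYPES = {0xE0: "CR", 0xD0: "CC", 0x80: "DR", 0xC0: "DC",
                  0xF0: "DT", 0x70: "ER"}


def check_tpkt_cotp(payload: bytes) -> Optional[str]:
    """Return None if payload is a structurally valid TPKT+COTP PDU,
    otherwise a short reason why it is malformed."""
    if len(payload) < 7:                       # 4-byte TPKT + minimal COTP DT
        return "too short for TPKT+COTP header"
    if payload[0] != 0x03:                     # TPKT version is always 3
        return f"TPKT version {payload[0]} != 3"
    if payload[1] != 0x00:                     # reserved byte must be zero
        return "TPKT reserved byte not zero"
    tpkt_len = int.from_bytes(payload[2:4], "big")  # includes the 4-byte header
    if tpkt_len != len(payload):
        return f"TPKT length {tpkt_len} != packet length {len(payload)}"
    li = payload[4]                            # COTP length indicator (bytes after LI)
    if li < 2 or 5 + li > len(payload):
        return f"COTP length indicator {li} inconsistent with packet"
    pdu_type = payload[5] & 0xF0
    if pdu_type not in COTP_PDU_TYPES:
        return f"unknown COTP PDU type 0x{payload[5]:02x}"
    if pdu_type == 0xF0 and li != 2:           # class 0 DT header is exactly 2 bytes
        return f"COTP DT with length indicator {li} (class 0 expects 2)"
    return None


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_payload: bytes


def triage(flows: List[Flow]) -> List[str]:
    """Return one alert line per suspicious flow towards the relay segment."""
    alerts = []
    for f in flows:
        if ip_address(f.dst) not in RELAY_NET or f.dport not in PROTOCOL_PORTS:
            continue
        proto = PROTOCOL_PORTS[f.dport]
        if not any(ip_address(f.src) in net for net in ALLOWED_CLIENTS):
            alerts.append(f"{f.src} -> {f.dst}:{f.dport} ({proto}): source not on allow-list")
        if f.dport == 102:
            reason = check_tpkt_cotp(f.first_payload)
            if reason:
                alerts.append(f"{f.src} -> {f.dst}:102 ({proto}): malformed ISO-TSAP: {reason}")
    return alerts


# Constructed samples. VALID_CR is a 22-byte COTP Connection Request with
# source/destination TSAP and TPDU-size parameters, as an MMS client sends it.
VALID_CR = bytes.fromhex("03000016" "11e0000000010" "0c1020100c2020102c0010a")
VALID_DT = bytes.fromhex("03000007" "02f080")
BAD_TPKT_LEN = bytes.fromhex("0300ffff" "02f080")          # length field lies
BAD_DT_LI = bytes.fromhex("0300000a" "05f080000000")        # DT with LI 5

SAMPLE_FLOWS = [
    Flow("10.20.10.3", "10.20.30.11", 102, VALID_CR),        # engineering station, OK
    Flow("192.168.1.77", "10.20.30.11", 102, VALID_CR),      # unknown host -> alert
    Flow("10.20.10.3", "10.20.30.11", 102, BAD_TPKT_LEN),    # malformed -> alert
    Flow("10.20.10.5", "10.20.30.12", 502, b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x01"),
    Flow("10.20.10.3", "10.20.30.11", 102, VALID_DT),        # OK
    Flow("10.20.10.3", "10.20.30.11", 102, BAD_DT_LI),       # malformed -> alert
]


def run_sample() -> List[str]:
    return triage(SAMPLE_FLOWS)


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

In a real deployment the flows would come from a span port or a Zeek/Suricata connection log rather than an inline list; the point of the structural check is that the 102/tcp listener on these modules is exactly the surface the advisory describes, so anything that is not a syntactically valid TPKT/COTP PDU from an approved client deserves an alert even though the crashing packet itself is not public.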
CVEs (1)