ICSA-19-190-04 Siemens Spectrum Power (Update A)

MonitorCVSS 4.7ICS-CERT ICSA-19-190-04Jul 9, 2019

SiemensEnergy

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

Siemens Spectrum Power Corporate User Interface versions 3, 4, 5, and 7 contain a cross-site scripting (XSS) vulnerability (CWE-80) that allows an attacker to inject malicious scripts into web pages viewed by authenticated users. An attacker can exploit this by crafting a malicious link and tricking a user into clicking it while logged into the Spectrum Power interface. If successful, the attacker can execute arbitrary code in the user's browser session context, potentially stealing credentials or issuing unauthorized commands to the power management system.

What this means

What could happen

An attacker could inject malicious scripts into Spectrum Power web interface pages viewed by operators or engineers, potentially leading to credential theft or unauthorized changes to power system configuration through the user's browser session.

Who's at risk

Electric utility and power generation operators using Siemens Spectrum Power corporate user interface (versions 3 through 7) for power system configuration and monitoring. All users of the web-based Spectrum Power interface are potentially affected if the system is accessible from the Internet.

How it could be exploited

An attacker crafts a malicious link containing injected script and sends it to a Spectrum Power user (via email or other means). When the user clicks the link while authenticated to the web interface, the script executes in their browser with their session privileges, allowing the attacker to steal credentials or send unauthorized commands to the power management system.

Prerequisites

User must click a malicious link while authenticated to Spectrum Power web interface
Spectrum Power UI must be accessible from the attacker's network location (typically the Internet)
User must be an authorized operator or engineer with session access

Remotely exploitableNo authentication required for injectionLow complexity attackNo patch available from vendorAffects power system configuration

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (4)

4 EOL

ProductAffected VersionsFix Status

Spectrum Power 7 (Corporate User Interface)≤ v2.20No fix (EOL)

Spectrum Power 3 (Corporate User Interface)≤ v3.11No fix (EOL)

Spectrum Power 4 (Corporate User Interface)v4.75No fix (EOL)

Spectrum Power 5 (Corporate User Interface)<v5.50No fix (EOL)

Remediation & Mitigation

0/5

Do now

0/1

HARDENINGBlock Internet access to Spectrum Power UI clients using firewall rules or network segmentation

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HARDENINGConduct security training for operators and engineers on recognizing and avoiding suspicious links in emails and messages

HOTFIXContact Siemens Energy Customer Support Center (support.energy@siemens.com) for vendor patch availability and installation procedures

Mitigations - no patch available

0/2

The following products have reached End of Life with no planned fix: Spectrum Power 7 (Corporate User Interface), Spectrum Power 3 (Corporate User Interface), Spectrum Power 4 (Corporate User Interface), Spectrum Power 5 (Corporate User Interface). Apply the following compensating controls:

HARDENINGApply network segmentation to isolate Spectrum Power systems from the business network behind firewalls

HARDENINGIf remote access is needed, require use of VPN with current security patches and ensure connected devices are hardened

CVEs (1)

CVE-2019-10933

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/6eb66e81-abac-4c95-b4db-c927d5a298fa

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.