ICSA-19-190-04 Siemens Spectrum Power (Update A)
Monitor | 4.7 | ICS-CERT ICSA-19-190-04 | Jul 9, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Siemens Spectrum Power Corporate User Interface versions 3, 4, 5, and 7 contain a cross-site scripting (XSS) vulnerability (CWE-80) that allows an attacker to inject malicious scripts into web pages viewed by authenticated users. An attacker can exploit this by crafting a malicious link and tricking a user into clicking it while logged into the Spectrum Power interface. If successful, the attacker can execute arbitrary code in the user's browser session context, potentially stealing credentials or issuing unauthorized commands to the power management system.
What this means
What could happen
An attacker could inject malicious scripts into Spectrum Power web interface pages viewed by operators or engineers, potentially leading to credential theft or unauthorized changes to power system configuration through the user's browser session.
Who's at risk
Electric utility and power generation operators using the Siemens Spectrum Power Corporate User Interface (versions 3, 4, 5, and 7) for power system configuration and monitoring. All users of the web-based Spectrum Power interface are potentially affected if the system is accessible from the Internet.
How it could be exploited
An attacker crafts a malicious link containing injected script and sends it to a Spectrum Power user (via email or other means). When the user clicks the link while authenticated to the web interface, the script executes in their browser with their session privileges, allowing the attacker to steal credentials or send unauthorized commands to the power management system.
Prerequisites
- User must click a malicious link while authenticated to the Spectrum Power web interface
- Spectrum Power UI must be accessible from the attacker's network location (typically the Internet)
- User must be an authorized operator or engineer with session access
- Remotely exploitable
- No authentication required for injection
- Low complexity attack
- No patch available from vendor
- Affects power system configuration
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (4)
4 EOL
Product | Affected Versions | Fix Status
Spectrum Power 7 (Corporate User Interface) | ≤ v2.20 | No fix (EOL)
Spectrum Power 3 (Corporate User Interface) | ≤ v3.11 | No fix (EOL)
Spectrum Power 4 (Corporate User Interface) | v4.75 | No fix (EOL)
Spectrum Power 5 (Corporate User Interface) | <v5.50 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Block Internet access to Spectrum Power UI clients using firewall rules or network segmentation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HARDENING: Conduct security training for operators and engineers on recognizing and avoiding suspicious links in emails and messages
HOTFIX: Contact Siemens Energy Customer Support Center (support.energy@siemens.com) for vendor patch availability and installation procedures
Mitigations - no patch available
The following products have reached End of Life with no planned fix: Spectrum Power 7 (Corporate User Interface), Spectrum Power 3 (Corporate User Interface), Spectrum Power 4 (Corporate User Interface), Spectrum Power 5 (Corporate User Interface). Apply the following compensating controls:
HARDENING: Apply network segmentation to isolate Spectrum Power systems from the business network behind firewalls
HARDENING: If remote access is needed, require use of VPN with current security patches and ensure connected devices are hardened
CVEs (1)