OTPulse

Siemens SIPROTEC 5 and DIGSI 5 (Update C)

Plan Patch · 7.5 · ICS-CERT ICSA-19-190-05 · Jul 9, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIPROTEC 5 protection and control relays and DIGSI 5 engineering software contain improper input validation flaws in their Ethernet communication modules. An attacker can send a crafted network packet to cause the device to crash or hang, resulting in denial of service. The affected device types span a wide range of SIPROTEC 5 models used in power transmission and distribution. Device types with CP300 and CP100 CPU variants have firmware patches available (v7.90 or v8.01 depending on model). Device types with CP200 variants have patches available up to v7.59. However, many SIPROTEC 5 device models have no available patch and will remain vulnerable. For unpatched devices, the client authorization feature can be activated as a compensating control. Network segmentation to restrict access to SIPROTEC 5 devices is also recommended.

What this means
What could happen
An attacker with network access to a SIPROTEC 5 device can crash it or cause a denial of service, disrupting protection and monitoring of power transmission and distribution lines. Some device types have no available patch and remain at continuous risk.
Who's at risk
Power utilities operating Siemens SIPROTEC 5 protection and control relays used in transmission and distribution systems should prioritize patching. SIPROTEC 5 device types 6MD85, 6MD86, 6MD89, 7UM85, 7SA87, 7SD87, 7SL87, 7VK87, 7SA82, 7SA86, 7SD82, 7SD86, 7SL82, 7SL86, 7SJ86, 7SK82, 7SK85, 7SJ82, 7SJ85, 7UT82, 7UT85, 7UT86, 7UT87, and 7VE85 with CP300/CP100 CPUs, as well as 7SS85 and 7KE85 types, can be patched. Other SIPROTEC 5 variants and CP200 variants have limited or no remediation options and should be protected via network controls and workarounds. Engineering teams using DIGSI 5 software must also update to v7.90 or later.
How it could be exploited
An attacker sends a specially crafted network packet to the Ethernet communication module of a SIPROTEC 5 device or DIGSI 5 workstation. The device does not properly validate the input, leading to a crash or hang that stops the device from functioning until it is manually restarted. No authentication is required.
Prerequisites
  • Network access to the Ethernet port of the SIPROTEC 5 device or DIGSI 5 engineering workstation (port not specified in advisory; assume standard industrial Ethernet access)
  • Target device running an affected firmware version
  • Device must be reachable from the attacker's network position (internal or external, depending on network architecture)
  • Remotely exploitable over Ethernet
  • No authentication required
  • Low attack complexity
  • Causes denial of service to protection relays
  • Some device types have no fix available
  • Affects critical power infrastructure protection systems
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (6)
4 with fix · 2 pending
Product | Affected Versions | Fix Status
SIPROTEC 5 device types 6MD85, 6MD86, 6MD89, 7UM85, 7SA87, 7SD87, 7SL87, 7VK87, 7SA82, 7SA86, 7SD82, 7SD86, 7SL82, 7SL86, 7SJ86, 7SK82, 7SK85, 7SJ82, 7SJ85, 7UT82, 7UT85, 7UT86, 7UT87 and 7VE85 with CPU variants CP300 and CP100 and the respective Ethernet communication modules | < V7.90 | 7.90
SIPROTEC 5 device types 7SS85 and 7KE85 | All (< V8.01) | 8.01
All other SIPROTEC 5 device types with CPU variants CP300 and CP100 and the respective Ethernet communication modules | All versions | No fix yet
SIPROTEC 5 device types with CPU variants CP200 and the respective Ethernet communication modules | All versions | No fix yet
DIGSI 5 engineering software | All (< V7.90) | 7.90
SIPROTEC 5 device types with CPU variants CP200 and the respective Ethernet communication modules | All (< V7.59) | 7.59
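The fix table above is easiest to apply at scale as an inventory check: for each relay or workstation, decide whether it is already on a fixed firmware, needs an update, or has no fix and must rely on client authorization and segmentation. The following script is an added example and is not OTPulse or Siemens code. It encodes only the version thresholds listed on this page (7.90 for the named CP300/CP100 types, 8.01 for 7SS85/7KE85, 7.59 for CP200 per the last table row and the summary, 7.90 for DIGSI 5, no fix for other CP300/CP100 types). The inventory lines, host names and the device type 7QQ99 are constructed placeholders; the CSV-style inventory format is an assumption.

```python
"""Inventory triage against the ICSA-19-190-05 fix table.

Added example, not OTPulse or Siemens code.  Thresholds come from the
advisory page; inventory lines below are constructed samples.
"""
import re

# Device types that receive the 7.90 fix on CP300/CP100 (from the advisory).
TYPES_FIXED_IN_7_90 = {
    "6MD85", "6MD86", "6MD89", "7UM85", "7SA87", "7SD87", "7SL87", "7VK87",
    "7SA82", "7SA86", "7SD82", "7SD86", "7SL82", "7SL86", "7SJ86", "7SK82",
    "7SK85", "7SJ82", "7SJ85", "7UT82", "7UT85", "7UT86", "7UT87", "7VE85",
}
# Device types fixed in 8.01 (listed on the page without a CPU qualifier).
TYPES_FIXED_IN_8_01 = {"7SS85", "7KE85"}


def parse_version(text):
    """'V7.90' / '7.90' / 'v8.01' -> (7, 90); raises on anything else."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def fixed_version(device_type, cpu):
    """First fixed firmware version for this product, or None if no fix exists."""
    device_type = device_type.upper()
    cpu = cpu.upper()
    if device_type == "DIGSI5":
        return (7, 90)
    if device_type in TYPES_FIXED_IN_8_01:
        return (8, 1)
    if cpu == "CP200":
        return (7, 59)               # Update C table row and summary
    if cpu in ("CP300", "CP100"):
        if device_type in TYPES_FIXED_IN_7_90:
            return (7, 90)
        return None                  # "All other ... CP300/CP100": no fix yet
    raise ValueError(f"unknown CPU variant: {cpu!r}")


def assess(device_type, cpu, firmware):
    """Classify one entry as ('patched'|'update'|'no_fix', target_version)."""
    target = fixed_version(device_type, cpu)
    if target is None:
        return "no_fix", None
    if parse_version(firmware) >= target:
        return "patched", target
    return "update", target


# Constructed inventory: "<host>,<device type>,<cpu>,<firmware>".
# 7QQ99 is a placeholder type standing in for "all other" CP300 devices.
SAMPLE_INVENTORY = """\
REL-TX-01,7SA87,CP300,V7.80
REL-TX-02,7SA87,CP300,V7.90
REL-DX-05,7SJ85,CP200,V7.50
REL-BB-01,7SS85,CP300,V8.00
REL-MISC-09,7QQ99,CP300,V7.95
ENG-WS-01,DIGSI5,-,V7.80
"""


def triage(inventory_text):
    """Run assess() over inventory lines; returns {host: (status, 'Vx.yy' or None)}."""
    results = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        host, dtype, cpu, fw = (f.strip() for f in line.split(","))
        status, target = assess(dtype, cpu, fw)
        target_str = None if target is None else f"V{target[0]}.{target[1]:02d}"
        results[host] = (status, target_str)
    return results


if __name__ == "__main__":
    for host, (status, target) in triage(SAMPLE_INVENTORY).items():
        action = target or "no fix: enable client authorization, segment network"
        print(f"{host:12} {status:8} {action}")
```

Entries that come back as `no_fix` are the ones the workaround and hardening items below apply to; `update` entries go into the maintenance-window schedule with their target version.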
Remediation & Mitigation
Do now
WORKAROUND: For SIPROTEC 5 device types 6MD85, 6MD86, 6MD89, 7UM85, 7SA87, 7SD87, 7SL87, 7VK87, 7SA82, 7SA86, 7SD82, 7SD86, 7SL82, 7SL86, 7SJ86, 7SK82, 7SK85, 7SJ82, 7SJ85, 7UT82, 7UT85, 7UT86, 7UT87, and 7VE85 (CP300/CP100) without patch updates available, activate the client authorization feature to restrict network access to trusted engineering workstations
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SIPROTEC 5 device types 6MD85, 6MD86, 6MD89, 7UM85, 7SA87, 7SD87, 7SL87, 7VK87, 7SA82, 7SA86, 7SD82, 7SD86, 7SL82, 7SL86, 7SJ86, 7SK82, 7SK85, 7SJ82, 7SJ85, 7UT82, 7UT85, 7UT86, 7UT87, and 7VE85 (CP300/CP100) to firmware version 7.90 or later
HOTFIX: Update SIPROTEC 5 device types 7SS85 and 7KE85 to firmware version 8.01 or later
HOTFIX: Update DIGSI 5 engineering software to version 7.90 or later
HOTFIX: Update SIPROTEC 5 device types with CP200 variant to firmware version 7.59 or later
Long-term hardening
HARDENING: Implement network segmentation to restrict Ethernet access to SIPROTEC 5 devices and DIGSI 5 workstations to authorized engineering and administrative networks only
HARDENING: Monitor SIPROTEC 5 device status for unexpected restarts or loss of communication that may indicate denial of service attack attempts