OTPulse

Siemens EN100 Ethernet Module (Update A)

Plan Patch | CVSS 7.5 | ICS-CERT ICSA-19-344-07 | Dec 10, 2019
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The Siemens EN100 Ethernet module contains buffer overflow and input validation flaws (CWE-119, CWE-79, CWE-23) that allow unauthenticated attackers on the network to trigger a denial of service condition. The vulnerability affects the device's HTTP and HTTPS services (ports 80 and 443). The EN100 is a communication gateway used in power substations and industrial control systems to bridge Ethernet networks with industrial protocols including IEC 61850, PROFINET IO, Modbus TCP, DNP3, and IEC 104. Attack success results in device unavailability, which can disrupt real-time communications between substations and control centers.

What this means
What could happen
An attacker with network access to the EN100 module could cause a denial of service by exhausting device resources, potentially interrupting communications between power grid substations and control systems that rely on Ethernet connectivity for status monitoring and commands.
Who's at risk
Owners of Siemens EN100 Ethernet modules used in power grid substations and industrial control networks should be concerned. These devices act as communication gateways for multiple protocols (IEC 61850, PROFINET, Modbus TCP, DNP3, IEC 104) that connect field equipment to control centers. Power utilities, municipal electric authorities, and industrial facilities managing critical infrastructure are most affected.
How it could be exploited
An attacker on the network could send specially crafted packets to port 80 or 443 on the EN100 module, triggering a buffer overflow or input validation flaw that consumes CPU or memory resources. Once the device becomes unresponsive, grid control commands and status updates cannot reach the substation equipment it manages.
Prerequisites
  • Network access to TCP ports 80 and/or 443 on the EN100 module
  • No authentication required
  • EN100 module must be reachable from the attacker's network segment
remotely exploitable, no authentication required, low complexity, affects power grid operations, no patch available for most variants, denial of service impact
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (5)
1 with fix, 4 EOL
Product | Affected Versions | Fix Status
EN100 Ethernet module PROFINET IO variant: All versions | All versions | No fix (EOL)
EN100 Ethernet module Modbus TCP variant: All versions | All versions | No fix (EOL)
EN100 Ethernet module DNP3 variant: All versions | All versions | No fix (EOL)
EN100 Ethernet module IEC104 variant: All versions | All versions | No fix (EOL)
EN100 Ethernet module IEC 61850 variant: All | <V4.37 | v4.37
Remediation & Mitigation
Do now
WORKAROUND: Block inbound access to TCP ports 80 and 443 on all EN100 variants using firewall rules or network segmentation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update EN100 IEC 61850 variant to firmware version 4.37 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: EN100 Ethernet module PROFINET IO variant: All versions, EN100 Ethernet module Modbus TCP variant: All versions, EN100 Ethernet module DNP3 variant: All versions, EN100 Ethernet module IEC104 variant: All versions. Apply the following compensating controls:
HARDENING: Implement network segmentation to isolate EN100 modules from untrusted network segments and limit lateral movement
HARDENING: Restrict network access to the EN100 module to only authorized engineering workstations and control system hosts
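One way to verify the workaround and the access restriction above is to audit firewall flow records for traffic to EN100 web ports from hosts that are not on the authorized list. This is an added example, not part of the advisory or any Siemens tooling; the module addresses, the authorized subnet, the CSV flow format and the sample records are all constructed assumptions.

```python
import ipaddress

# Assumed inventory and policy (placeholder addresses from documentation ranges).
EN100_MODULES = {ipaddress.ip_address(a) for a in ("192.0.2.10", "192.0.2.11")}
AUTHORIZED_SOURCES = [ipaddress.ip_network("198.51.100.16/29")]  # engineering workstations
WEB_PORTS = {80, 443}  # the HTTP/HTTPS services named in the advisory

# Constructed sample flow export, assumed format: src,dst,proto,dport,action
SAMPLE_FLOWS = """\
198.51.100.17,192.0.2.10,tcp,443,allow
203.0.113.50,192.0.2.10,tcp,80,allow
203.0.113.50,192.0.2.11,tcp,443,deny
198.51.100.40,192.0.2.11,tcp,102,allow
203.0.113.7,192.0.2.11,udp,443,allow
"""

def parse_flows(text):
    """Yield (src, dst, proto, dport, action); malformed lines are skipped."""
    for line in text.splitlines():
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 5:
            continue
        try:
            yield (ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]),
                   parts[2].lower(), int(parts[3]), parts[4].lower())
        except ValueError:
            continue

def audit(text):
    """Split unauthorized flows to EN100 TCP 80/443 into (exposed, blocked).

    exposed: the firewall allowed the flow, so the workaround is not in effect.
    blocked: the firewall denied the flow, so the rule is doing its job.
    """
    exposed, blocked = [], []
    for src, dst, proto, dport, action in parse_flows(text):
        if dst not in EN100_MODULES or proto != "tcp" or dport not in WEB_PORTS:
            continue  # not traffic to the affected services
        if any(src in net for net in AUTHORIZED_SOURCES):
            continue  # authorized engineering workstation
        (exposed if action == "allow" else blocked).append((str(src), str(dst), dport))
    return exposed, blocked

if __name__ == "__main__":
    exposed, blocked = audit(SAMPLE_FLOWS)
    for src, dst, port in exposed:
        print(f"EXPOSED  {src} -> {dst}:{port} (allowed, source not authorized)")
    for src, dst, port in blocked:
        print(f"BLOCKED  {src} -> {dst}:{port} (denied as intended)")
```

Any entry in the exposed list means a firewall path to an EN100 web service still exists for a source outside the authorized set.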
Siemens EN100 Ethernet Module (Update A) | CVSS 7.5 - OTPulse