Siemens SPPA-T3000 (Update A)
Plan PatchCVSS 9.8ICS-CERT ICSA-19-351-02Dec 10, 2019
SiemensEnergy
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
SPPA-T3000 Application Server and MS3000 Migration Server contain multiple vulnerabilities including unsafe deserialization (CWE-502), weak input validation (CWE-20), and insecure file upload (CWE-434) that can allow remote code execution. The Application Server listens on multiple ports (80, 8090, 8095, 8080, 1099, 5010, 8888, 7061) on the Application Highway and Automation Highway networks. According to the vendor, risk is mitigated if these highways are properly isolated from untrusted networks per the SPPA-T3000 security manual—the highways must not be exposed to external networks or the Internet.
What this means
What could happen
An attacker with network access to the Application or Automation Highway could execute arbitrary code on the SPPA-T3000 Application Server, potentially allowing them to alter control logic, modify setpoints, or shut down power generation and grid management systems.
Who's at risk
This affects power generation and grid management operators who run Siemens SPPA-T3000 systems. The vulnerability impacts the Application Server (which controls the overall system logic) and MS3000 Migration Server (used for system upgrades and data migration). Organizations in the energy sector with these systems connected to supervisory networks need immediate attention.
How it could be exploited
An attacker on the Application Highway or Automation Highway network can send malicious input to the vulnerable SPPA-T3000 Application Server listening on ports 80, 8090, 8095, 8080, 1099, 5010, 8888, or 7061. The input can trigger unsafe deserialization, code injection, or file upload vulnerabilities, resulting in remote code execution on the server. The MS3000 Migration Server is similarly reachable from these highways and can be exploited for unauthorized access.
Prerequisites
- Network access to Application Highway or Automation Highway
- Access to one of the following ports: 80/TCP, 8090/TCP, 8095/TCP, 8080/TCP, 1099/TCP, 5010/TCP, 8888/TCP, or 7061/TCP
- No authentication required to exploit
Remotely exploitable from internal networkNo authentication requiredLow attack complexityHigh EPSS score (11.5%)Affects supervisory control systemsMS3000 has no fix available
Exploitability
Some exploitation risk — EPSS score 9.2%
Affected products (2)
1 with fix1 EOL
ProductAffected VersionsFix Status
SPPA-T3000 Application Server<Service Pack R8.2 SP2Service Pack R8.2 SP2+
SPPA-T3000 MS3000 Migration ServerAll versionsNo fix (EOL)
Remediation & Mitigation
0/7
Do now
0/4WORKAROUNDFor MS3000 Migration Server, implement configuration recommendations from Siemens Energy Customer Portal and security manual (no vendor patch available)
HARDENINGRestrict access to the Application Highway using the built-in SPPA-T3000 Firewall
HARDENINGDo not bridge external networks to the Application Highway or Automation Highway; connect external components only to the DMZ
HARDENINGBlock or monitor inbound access to ports 80/TCP, 8090/TCP, 8095/TCP, 8080/TCP, 1099/TCP, 5010/TCP, 8888/TCP, and 7061/TCP at the network perimeter
Schedule — requires maintenance window
0/1Patching may require device reboot — plan for process interruption
SPPA-T3000 Application Server
HOTFIXUpgrade SPPA-T3000 Application Server to Service Pack R8.2 SP2 or later (contact Siemens service management for the update)
Mitigations - no patch available
0/2SPPA-T3000 MS3000 Migration Server has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENINGEnsure SPPA-T3000 is not accessible from the Internet; place behind firewall and isolate from business network
HARDENINGImplement mitigations described in the SPPA-T3000 security manual
CVEs (54)
CVE-2018-4832CVE-2019-18283CVE-2019-18286CVE-2019-18287CVE-2019-18288CVE-2019-18293CVE-2019-18294CVE-2019-18295CVE-2019-18296CVE-2019-18297CVE-2019-18298CVE-2019-18299CVE-2019-18300CVE-2019-18302CVE-2019-18284CVE-2019-18285CVE-2019-18289CVE-2019-18290CVE-2019-18291CVE-2019-18292CVE-2019-18301CVE-2019-18303CVE-2019-18304CVE-2019-18305CVE-2019-18306CVE-2019-18307CVE-2019-18308CVE-2019-18309CVE-2019-18310CVE-2019-18311CVE-2019-18312CVE-2019-18313CVE-2019-18314CVE-2019-18315CVE-2019-18316CVE-2019-18317CVE-2019-18318CVE-2019-18319CVE-2019-18320CVE-2019-18321CVE-2019-18322CVE-2019-18323CVE-2019-18324CVE-2019-18325CVE-2019-18326CVE-2019-18327CVE-2019-18328CVE-2019-18329CVE-2019-18330CVE-2019-18331CVE-2019-18332CVE-2019-18333CVE-2019-18334CVE-2019-18335
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/035b55a2-b0c5-4f99-a7a1-334aed7d5d67Get OT security insights every Tuesday
Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.