OTPulse

Siemens SIPROTEC 5 relays (Update A)

Priority: Act Now
CVSS: 9.8
Source: ICS-CERT ICSA-21-257-10
Published: Sep 14, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A buffer overflow vulnerability (CWE-120, classic buffer overflow) in SIPROTEC 5 relays with CPU variants CP050, CP100, and CP300 running firmware versions prior to V8.80 allows a remote, unauthenticated attacker to cause a denial of service, or potentially execute code on the device, by sending crafted packets to port 4443/TCP. Siemens has released firmware V8.80, which fixes the vulnerability. The advisory notes that no public exploit was known at the time of publication; operators are advised to apply the update and to segment the network so that the port is not reachable from untrusted zones in the meantime.

What this means
What could happen
A remote attacker could cause an affected SIPROTEC 5 relay to stop responding (denial of service) or, under certain conditions, execute arbitrary code on the device. Either outcome disrupts the protection and control functions that detect faults and clear them before they cause outages or equipment damage.
Who's at risk
Utilities operating Siemens SIPROTEC 5 protective relays in power transmission and distribution systems are affected. These relays are secondary protection devices that detect faults and isolate them to prevent cascading outages. The vulnerability affects all three CPU variants (CP050, CP100, CP300) on firmware prior to V8.80, wherever they are deployed in substations and control centers.
How it could be exploited
An attacker with network access to port 4443/TCP on a vulnerable SIPROTEC 5 relay can send a malformed packet that triggers the buffer overflow (CWE-120). The reliable outcome is a crash of the device; under certain conditions the overflow could instead be used to run arbitrary code on the relay's CPU.
Prerequisites
  • Network access to port 4443/TCP on the SIPROTEC 5 relay
  • No authentication required
  • Vulnerable firmware version (below 8.80 on any CP050, CP100, or CP300 variant)
Key facts
  • Remotely exploitable over the network
  • No authentication required
  • Low attack complexity
  • CVSS 9.8 (critical)
  • Affects critical grid protection systems
  • Denial-of-service impact confirmed
  • Remote code execution possible under specific conditions
Exploitability
Low exploit probability (EPSS 0.6%); no public exploit was known when the advisory was published. EPSS estimates the likelihood of exploitation, not impact, so the score does not reduce the urgency of patching grid protection devices.
Affected products (3, all with a fix available)

Product                                       Affected versions   Fixed in
SIPROTEC 5 relays with CPU variant CP050      < V8.80             V8.80
SIPROTEC 5 relays with CPU variant CP100      < V8.80             V8.80
SIPROTEC 5 relays with CPU variant CP300      < V8.80             V8.80
Remediation & Mitigation

Do now

WORKAROUND: Block inbound access to port 4443/TCP on the SIPROTEC 5 relays using firewall rules or network access control lists, and verify from an untrusted segment that the port is no longer reachable.

Schedule (requires maintenance window)

Patching may require a device reboot, during which the relay provides no protection; plan the work so the protected equipment is covered for the duration.

HOTFIX: Update SIPROTEC 5 relays (CP050, CP100, CP300) to firmware V8.80 or later.

Long-term hardening

HARDENING: Place SIPROTEC 5 relays on an isolated network segment behind a firewall, separate from business networks and the Internet.
HARDENING: Review and validate that redundant secondary protection schemes are in place to maintain grid resilience in case a relay is compromised or forced offline.
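The two remediation steps above (block 4443/TCP now, update to V8.80 in a maintenance window) both start from the same question: which relays in the fleet are still below V8.80? The following is an added example, not code from OTPulse, Siemens or the advisory. It takes a constructed relay inventory, decides per relay whether it falls in the advisory's affected range (CP050/CP100/CP300 and firmware < V8.80), and emits nftables rules for the interim block. The inventory entries, the engineering-host address and the nftables table and chain names are assumptions for illustration. Version strings are compared numerically rather than as text, which is a common triage mistake ("V10.00" sorts before "V8.80" as a string), and relays whose CPU variant or version cannot be recognised are flagged for manual review instead of being silently treated as safe.

```python
"""Inventory triage for ICSA-21-257-10: which SIPROTEC 5 relays still need V8.80,
and an nftables rule set that blocks 4443/TCP to the unpatched ones meanwhile.
Added example; the inventory below is constructed, not real device data."""
import ipaddress
import re

VULN_PORT = 4443                      # port named in the advisory
FIXED_VERSION = (8, 80)               # first fixed firmware, V8.80
AFFECTED_CPUS = {"CP050", "CP100", "CP300"}
_VER_RE = re.compile(r"^V?(\d+)\.(\d{1,2})$")   # e.g. "V8.80", "8.01"


def parse_version(text):
    """Convert a SIPROTEC-style version string to a (major, minor) tuple.

    Comparing raw strings is wrong: "V10.00" < "V8.80" lexically, and
    "V8.8" != "V8.80". The minor part is padded to two digits so that
    V8.8 and V8.80 compare equal."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2).ljust(2, "0"))


def is_affected(cpu, firmware):
    """True if this CPU variant/firmware pair is inside the affected range.

    A CPU variant not listed in the advisory raises instead of returning
    False, so an inventory typo cannot hide a vulnerable relay."""
    cpu = cpu.strip().upper()
    if cpu not in AFFECTED_CPUS:
        raise ValueError(f"CPU variant not covered by this advisory: {cpu!r}")
    return parse_version(firmware) < FIXED_VERSION


def triage(inventory):
    """Split an inventory into (vulnerable, needs_manual_review) lists."""
    vulnerable, review = [], []
    for relay in inventory:
        try:
            if is_affected(relay["cpu"], relay["firmware"]):
                vulnerable.append(relay)
        except ValueError:
            review.append(relay)      # unparsable version or unlisted CPU
    return vulnerable, review


def nft_rules(vulnerable, engineering_hosts=(), table="inet ot", chain="to_relays"):
    """Build nftables 'add rule' lines for the interim workaround.

    For each unpatched relay: accept 4443/TCP only from the engineering
    hosts given (empty tuple = block the port completely), then drop the
    rest. Table and chain names are assumptions for this example."""
    rules = []
    for relay in vulnerable:
        dst = ipaddress.ip_address(relay["ip"])   # rejects malformed inventory entries
        fam = "ip6" if dst.version == 6 else "ip"
        for src in engineering_hosts:
            src = ipaddress.ip_address(src)
            if src.version != dst.version:
                raise ValueError(f"address family mismatch: {src} -> {dst}")
            rules.append(f"add rule {table} {chain} {fam} saddr {src} {fam} daddr {dst} "
                         f"tcp dport {VULN_PORT} accept")
        rules.append(f"add rule {table} {chain} {fam} daddr {dst} tcp dport {VULN_PORT} drop")
    return rules


# Constructed sample inventory (names, CPUs, versions and addresses are made up).
INVENTORY = [
    {"name": "relay-bay01", "cpu": "CP300", "firmware": "V8.01", "ip": "10.20.1.11"},
    {"name": "relay-bay02", "cpu": "CP100", "firmware": "V8.80", "ip": "10.20.1.12"},
    {"name": "relay-bay03", "cpu": "CP050", "firmware": "V7.90", "ip": "10.20.1.13"},
    {"name": "relay-bay04", "cpu": "CP300", "firmware": "V9.00", "ip": "10.20.1.14"},
    {"name": "relay-bay05", "cpu": "??",    "firmware": "n/a",   "ip": "10.20.1.15"},
]

if __name__ == "__main__":
    vuln, review = triage(INVENTORY)
    print("Needs V8.80:", [r["name"] for r in vuln])
    print("Review manually:", [r["name"] for r in review])
    print("\n".join(nft_rules(vuln, engineering_hosts=("10.20.0.5",))))
```

The generated lines are meant to be fed to `nft -f` on the substation firewall that sits between the relay VLAN and everything else; the drop rule comes after the accept rules so that an allowlisted engineering host keeps its access while every other source is cut off. Once a relay is confirmed on V8.80 it drops out of the vulnerable list and its rules can be retired.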