OTPulse

Siemens SIPROTEC 5 (Update A)

Plan Patch · CVSS 7.5 · ICS-CERT ICSA-21-257-16 · Published Sep 14, 2021
Attack Vector: Network
Authentication Required: None
Attack Complexity: Low
User Interaction: None
Summary

SIPROTEC 5 relays with CPU variants CP050, CP100 and CP300 running firmware versions below V8.80 contain an improper input validation flaw (CWE-20) in the web interface. An unauthenticated attacker who can reach the web interface over the network can send maliciously crafted web requests that put the device's web service into a denial-of-service condition.

What this means
What could happen
An attacker could crash the relay's web interface or leave it unresponsive, cutting off remote monitoring and engineering access to the protection device. Where operators rely on that interface to watch and manage protection of critical power infrastructure, losing it could delay fault diagnosis or complicate grid operations. The impact described is a denial of service of the web interface; confirm with the vendor advisory and your own testing whether the protection functions themselves keep running before planning restoration.
Who's at risk
Power utilities and TSO/DSO operators worldwide that deploy SIPROTEC 5 relays with CP050, CP100 or CP300 CPUs for protection, control and monitoring of transmission and distribution substations, including sites where these relays form the main or backup stage of a redundant protection scheme.
How it could be exploited
An attacker with network access to the relay's web interface on 4443/TCP sends crafted HTTP requests that trigger the input validation flaw, crashing or hanging the web service. No credentials and no user interaction are needed. The attacker does not have to sit on the relay's own network segment: any route to 4443/TCP, whether through an overly permissive firewall rule, a flat OT network or direct internet exposure, is enough.
Prerequisites
  • Network access to port 4443/TCP on the SIPROTEC 5 relay
  • No authentication credentials required
  • Ability to craft and send HTTP requests to the web interface
Tags: remotely exploitable · no authentication required · low complexity · affects critical power protection systems
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (3, all with a fix available)

Product                                    Affected Versions   Fix Status
SIPROTEC 5 relays with CPU variant CP050   < V8.80             Fixed in V8.80
SIPROTEC 5 relays with CPU variant CP100   < V8.80             Fixed in V8.80
SIPROTEC 5 relays with CPU variant CP300   < V8.80             Fixed in V8.80
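To turn the table above into a work list, here is an added example (not OTPulse or Siemens code) that triages an asset inventory against the affected-version rule. The CSV column names, the sample rows and the device names are constructed for the example, and the status labels are my own. It refuses to guess at ambiguous version strings such as "V8.8" and reports CPU variants the advisory does not name as "not-listed" rather than as safe.

```python
"""Triage a SIPROTEC 5 inventory against ICSA-21-257-16.

Added example, not OTPulse or Siemens code. The inventory layout (CSV with
substation, device, cpu_variant, firmware columns) is an assumption; adapt it
to your own asset register.
"""
import csv
import io
import re

AFFECTED_CPU_VARIANTS = {"CP050", "CP100", "CP300"}   # named in the advisory
FIXED_VERSION = (8, 80)                                # first fixed firmware: V8.80

# SIPROTEC 5 firmware is written V<major>.<two-digit minor>, e.g. V7.90, V8.01, V8.80.
# A two-digit minor is required so that "V8.8" (8.08? 8.80?) is not silently misread.
_VERSION_RE = re.compile(r"^V?(\d+)\.(\d{2})$", re.IGNORECASE)


def parse_version(text):
    """Parse 'V8.80' / '8.03' into a (major, minor) tuple that compares numerically.

    The minor part is an integer, not a decimal fraction: V8.80 > V8.30 > V8.03.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def classify(cpu_variant, firmware):
    """Return 'affected', 'fixed', 'not-listed' or 'verify' for one device.

    'not-listed' means the advisory does not cover this CPU variant; it is not a
    statement that the device is safe. 'verify' means the version string could
    not be parsed unambiguously and must be checked by hand.
    """
    variant = cpu_variant.strip().upper()
    if variant not in AFFECTED_CPU_VARIANTS:
        return "not-listed"
    try:
        version = parse_version(firmware)
    except ValueError:
        return "verify"
    return "affected" if version < FIXED_VERSION else "fixed"


# Constructed sample inventory (substation and device names are made up).
SAMPLE_INVENTORY = """\
substation,device,cpu_variant,firmware
SS-North,RELAY-01,CP300,V8.30
SS-North,RELAY-02,CP100,V8.80
SS-South,RELAY-03,CP050,V7.90
SS-South,RELAY-04,CP100,V8.8
SS-West,RELAY-05,CP200,V8.01
"""


def triage(csv_text):
    """Return {(substation, device): status} for every row of the inventory."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (row["substation"], row["device"])
        result[key] = classify(row["cpu_variant"], row["firmware"])
    return result


def to_patch(csv_text):
    """Sorted 'substation/device' strings that need the V8.80 update."""
    return sorted(f"{s}/{d}" for (s, d), status in triage(csv_text).items()
                  if status == "affected")


if __name__ == "__main__":
    for (substation, device), status in triage(SAMPLE_INVENTORY).items():
        print(f"{substation:<9} {device:<9} {status}")
    print("patch list:", to_patch(SAMPLE_INVENTORY))
```

Feed the script your real export and treat every "verify" and "not-listed" row as an open question for the asset owner, not as a closed item.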
Remediation & Mitigation
Do now
Workaround: Block inbound access to 4443/TCP at the firewall or network boundary so that only the engineering stations that genuinely need the web interface can reach it. Confirm the block from an address outside the permitted zone rather than trusting the rule set on paper.
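The workaround above only helps if nothing outside the engineering zone can still reach 4443/TCP. As an added example (not part of the OTPulse page or any Siemens tooling), the following checks Zeek conn.log records for connections to the relays' web port from outside a permitted subnet and separates refused attempts from connections that actually completed. The relay addresses, the engineering subnet, the function names and the log lines are all constructed assumptions.

```python
"""Find TCP/4443 traffic reaching SIPROTEC 5 relays from outside the engineering zone.

Added example, not OTPulse or Siemens code. Relay addresses, the engineering
subnet and the sample conn.log content are constructed for the example.
"""
import ipaddress

RELAY_ADDRS = {ipaddress.ip_address("10.20.1.11"),      # assumed relay addresses
               ipaddress.ip_address("10.20.1.12")}
ENGINEERING_NETS = [ipaddress.ip_network("10.20.5.0/24")]  # assumed permitted zone
WEB_PORT = 4443                                             # relay web interface (from the advisory)

# Zeek conn_state values in which the TCP handshake completed, i.e. the relay
# was reachable. S0 (no reply), REJ (rejected) and RSTOS0 show a blocked attempt.
ESTABLISHED = {"SF", "S1", "S2", "S3", "RSTO", "RSTR"}

# Constructed Zeek conn.log excerpt (tab-separated, reduced to the fields used here).
SAMPLE_CONN_LOG = """\
#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state
1631600001.123\tCx1a\t10.20.5.7\t51234\t10.20.1.11\t4443\ttcp\tssl\tSF
1631600002.456\tCx2b\t172.16.40.9\t40001\t10.20.1.11\t4443\ttcp\t-\tS0
1631600003.789\tCx3c\t172.16.40.9\t40002\t10.20.1.12\t4443\ttcp\t-\tREJ
1631600004.012\tCx4d\t10.20.5.7\t51240\t10.20.1.12\t102\ttcp\t-\tSF
1631600005.345\tCx5e\t192.0.2.50\t40003\t10.20.1.12\t4443\ttcp\tssl\tSF
1631600006.678\tCx6f\t172.16.40.9\t40004\t10.20.9.9\t4443\ttcp\tssl\tSF
"""


def parse_conn_log(text):
    """Yield one dict per data record, using the #fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue                      # #separator, #types, #open, ... are skipped
        if fields is None:
            raise ValueError("data record before #fields header")
        yield dict(zip(fields, line.split("\t")))


def is_engineering(addr):
    """True if the address (string or ip_address) lies in a permitted engineering subnet."""
    ip = ipaddress.ip_address(str(addr))
    return any(ip in net for net in ENGINEERING_NETS)


def unexpected_web_access(text):
    """(src, dst, conn_state) for every TCP/4443 flow to a relay from outside the zone.

    Refused attempts are included on purpose: they show the block is working but
    also that something is probing the relays.
    """
    hits = []
    for rec in parse_conn_log(text):
        if rec["proto"] != "tcp" or int(rec["id.resp_p"]) != WEB_PORT:
            continue
        dst = ipaddress.ip_address(rec["id.resp_h"])
        src = ipaddress.ip_address(rec["id.orig_h"])
        if dst in RELAY_ADDRS and not is_engineering(src):
            hits.append((str(src), str(dst), rec["conn_state"]))
    return hits


def reachable_from_outside(text):
    """Subset of hits whose handshake completed: the firewall block is not effective for these."""
    return [h for h in unexpected_web_access(text) if h[2] in ESTABLISHED]


if __name__ == "__main__":
    for src, dst, state in unexpected_web_access(SAMPLE_CONN_LOG):
        print(f"{src:<14} -> {dst}:{WEB_PORT}  {state}")
    print("still reachable:", reachable_from_outside(SAMPLE_CONN_LOG))
```

A completed handshake from an unexpected source is the finding to act on; the S0 and REJ rows are the evidence that the rule is holding and, if they recur, a reason to ask who is probing.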
Schedule (requires a maintenance window)

Patching may require a device reboot. Plan for the interruption and confirm that backup protection or an outage plan covers the relay while it restarts.

Hotfix: Update SIPROTEC 5 relays with CP050, CP100 and CP300 CPUs to firmware V8.80 or later.
Long-term hardening
Hardening: Isolate SIPROTEC 5 relays in a protected network zone segmented from untrusted networks and the business network, and limit access to their engineering and web interfaces to dedicated engineering stations.
Hardening: Use redundant protection schemes (for example main and backup relays) so that the grid stays protected if one relay becomes unavailable.
API: /api/v1/advisories/b3a3ccfa-b7a1-4bab-b5a4-38382154d29f