Siemens SISCO MMS-EASE Third Party Component
Plan Patch | 7.5 | ICS-CERT ICSA-22-349-14 | Dec 13, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in the SISCO MMS-EASE third-party component bundled with SIPROTEC 5 protective relays allows remote attackers to trigger a denial of service condition. The affected component is included in all SIPROTEC 5 relay variants across different model numbers and CPU types (CP100, CP200, CP300). Siemens has released firmware updates to address this issue.
What this means
What could happen
An attacker with network access to SIPROTEC 5 protective relay devices could trigger a denial of service condition, causing the relays to become unresponsive and potentially unable to detect or respond to faults on electrical circuits.
Who's at risk
Electric utilities and power distribution operators relying on Siemens SIPROTEC 5 protective relays for circuit protection and fault detection. This affects a wide range of SIPROTEC 5 relay models used in substations and power distribution networks.
How it could be exploited
An attacker sends specially crafted network traffic to the SIPROTEC 5 device exploiting a flaw in the bundled SISCO MMS-EASE component. This causes the device to consume resources abnormally, becoming unresponsive and unable to perform its core protective relay functions.
Prerequisites
- Network access to the SIPROTEC 5 device on the port used by SISCO MMS-EASE
- No authentication required
remotely exploitable, no authentication required, low complexity, high availability impact (denial of service to protective relays)
Exploitability
Moderate exploit probability (EPSS 1.0%)
Affected products (49)
49 with fix
Product | Affected Versions | Fix Status
SIPROTEC 5 7SL87 (CP200) | <V7.58 | 7.58
SIPROTEC 5 7SL87 (CP300) | <V7.58 | 7.58
SIPROTEC 5 7SS85 (CP200) | <V7.58 | 7.58
SIPROTEC 5 7SS85 (CP300) | <V7.58 | 7.58
SIPROTEC 5 7ST85 (CP200) | <V7.62 | 7.62
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to SIPROTEC 5 devices using firewall rules to allow only necessary engineering and monitoring traffic
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update all SIPROTEC 5 devices to firmware version 7.58 or later (7.80 for 6MD89, 7VE85, 7KE85, and 7ST85 devices)
Long-term hardening
HARDENING: Isolate SIPROTEC 5 protective relay devices from the business network using a segregated OT network or DMZ
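To track the firmware update step across a relay fleet, the following added example (not part of the advisory or any Siemens tooling) checks an asset inventory against the fixed versions in the product rows shown above. The device names, the inventory layout and the accepted firmware string formats are assumptions, and where the table (7.62) and the remediation text (7.80) differ for 7ST85 it assumes the higher value.

```python
import re

# Fixed firmware per (model, CPU type), from the affected-products rows shown on
# this page; the remaining rows must be added from the full advisory.
# Assumption: 7ST85 uses 7.80 (remediation text) rather than 7.62 (table row).
FIXED = {
    ("7SL87", "CP200"): (7, 58),
    ("7SL87", "CP300"): (7, 58),
    ("7SS85", "CP200"): (7, 58),
    ("7SS85", "CP300"): (7, 58),
    ("7ST85", "CP200"): (7, 80),
}

# Accepts "V7.58", "7.58" or "07.80.01"; the minor part must have two digits.
_VERSION = re.compile(r"^\s*V?0*(\d+)\.(\d{2})(?:\.\d+)*\s*$", re.IGNORECASE)

def parse_version(text):
    """Return (major, minor), or None for ambiguous input such as '7.9'."""
    m = _VERSION.match(text)
    return (int(m.group(1)), int(m.group(2))) if m else None

def audit(inventory):
    """Classify each device as 'vulnerable', 'fixed' or 'review'."""
    results = {}
    for name, model, cpu, firmware in inventory:
        fixed = FIXED.get((model.upper(), cpu.upper()))
        current = parse_version(firmware)
        if fixed is None or current is None:
            results[name] = "review"  # never report an unknown as fixed
        elif current < fixed:
            results[name] = "vulnerable"
        else:
            results[name] = "fixed"
    return results

# Constructed sample inventory: (device name, model, CPU type, firmware string).
SAMPLE = [
    ("sub1-line-a", "7SL87", "CP300", "V7.50"),
    ("sub1-bus-a", "7SS85", "CP200", "V7.58"),
    ("sub2-rail", "7ST85", "CP200", "V7.62"),
    ("sub2-bay", "6MD89", "CP300", "V7.30"),   # row not shown on this page
    ("sub3-line-b", "7SL87", "CP200", "7.9"),  # ambiguous version string
]

if __name__ == "__main__":
    for device, status in audit(SAMPLE).items():
        print(f"{device}: {status}")
```

Devices reported as "review" need a manual check against the full advisory before they are counted as patched.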
CVEs (1)
API:
/api/v1/advisories/fe4e7650-09ea-4b86-8f12-f323395cc37a