OTPulse

Siemens RADIUS Client of SIPROTEC 5 Devices

Plan PatchCVSS 7.5ICS-CERT ICSA-23-080-04Mar 14, 2023
Siemens
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

The RADIUS client implementation in SIPROTEC 5 protective relays (based on VxWorks) contains an infinite loop vulnerability that causes a denial of service when the relay receives a specially crafted RADIUS packet from its configured RADIUS server. The affected devices span multiple relay types (distance, overcurrent, differential, earth fault, and field protection relays) running firmware versions V7.80 to V9.29 (depending on model). When triggered, the relay's RADIUS client crashes, rendering the protective relay unavailable until manual restart. Most products are fixed in firmware version 9.30; however, the SIPROTEC 5 6MD89 (CP300) has no patch available.

What this means
What could happen
An attacker with network access to a RADIUS server that communicates with SIPROTEC 5 relays could send a malformed packet that crashes the relay's RADIUS client, causing the protective relay to become unavailable and potentially disabling critical power distribution or generation protection.
Who's at risk
Operators of electrical utilities, power distribution companies, and substations using SIPROTEC 5 protective relays for power distribution, generation, or sub-transmission protection should assess this risk. Affected devices include distance relays (7SA, 7SD, 7SJ, 7SK, 7SL, 7SS, 7ST, 7SX families), overcurrent relays (7UT, 7UM), voltage relays (7VE), differential relays (7VK), field protection relays (7KE), earth fault relays (6MD, 6MU), and their associated communication modules. If these relays use RADIUS authentication for management access, they are at risk.
How it could be exploited
An attacker must first have network access to the RADIUS server that the SIPROTEC 5 relay is configured to authenticate against. The attacker then crafts and sends a specially designed RADIUS packet. When the relay receives this packet from the RADIUS server, its RADIUS client crashes, disabling the relay and halting its protective functions until it is manually rebooted.
Prerequisites
  • Network access to the RADIUS server that the SIPROTEC 5 device authenticates to
  • RADIUS authentication configured and enabled on the target SIPROTEC 5 device
  • Affected firmware version installed (V7.80 to V9.29, depending on device model)
Remotely exploitable if RADIUS server is reachableNo authentication required at relay (RADIUS server itself must be compromised or packet must originate from trusted RADIUS server)Low attack complexityNo patch available for SIPROTEC 5 6MD89 (CP300)Affects safety-critical protective systems in power networks
Exploitability
Unlikely to be exploited — EPSS score 0.5%
Affected products (28)
27 with fix1 pending
ProductAffected VersionsFix Status
SIPROTEC 5 6MD85 (CP300)≥ V7.80 <V9.309.30
SIPROTEC 5 6MD86 (CP300)≥ V7.80 <V9.309.30
SIPROTEC 5 6MD89 (CP300)≥ V7.80No fix yet
SIPROTEC 5 6MU85 (CP300)≥ V7.90 <V9.309.30
SIPROTEC 5 7KE85 (CP300)≥ V7.80 <V9.309.30
Remediation & Mitigation
0/5
Do now
0/1
SIPROTEC 5 6MD85 (CP300)
WORKAROUNDFor SIPROTEC 5 6MD89 (CP300) with no available fix, implement compensating controls: disable RADIUS authentication if not critical, or ensure the device is not reachable from untrusted networks
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SIPROTEC 5 devices to firmware version 9.30 or later
Long-term hardening
0/3
HARDENINGEnsure RADIUS server is properly secured and hardened; restrict who can access and configure it
HARDENINGProtect RADIUS pre-shared key with access controls and encryption; rotate the key periodically
HARDENINGImplement network segmentation to isolate SIPROTEC 5 relays from untrusted networks; restrict communication to only trusted RADIUS servers
View full CISA ICS-CERT advisory
API: /api/v1/advisories/e0cf4573-0ce6-4664-9ea3-bc66f4fd26f9

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.