Siemens SIPROTEC 5 Devices
Plan Patch | 7.5 | ICS-CERT ICSA-23-103-06 | Apr 11, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SIPROTEC 5 devices contain a null pointer dereference vulnerability in the web service. An unauthenticated attacker can send a maliciously crafted HTTP request to trigger a crash of the web service, causing a denial of service condition. The affected devices are protection relays and communication modules used throughout electric utility power distribution and transmission grids.
What this means
What could happen
An attacker can send a malicious HTTP request to the web interface of a SIPROTEC 5 device, causing it to crash and become unavailable. This denial of service could take protection relays offline, disrupting grid monitoring, control, and protective relay operations.
Who's at risk
Electrical utilities and power distribution operators running SIPROTEC 5 protection relays. Affects 40+ relay models and communication modules used in substation protection schemes for transmission and distribution grids. Organizations responsible for grid stability and backup protection systems should prioritize devices in critical protection chains.
How it could be exploited
An attacker on a network with access to the SIPROTEC 5 web service (port 4443/TCP) sends a crafted HTTP request. The device's web service attempts to process the request, dereferences a null pointer in memory, and crashes. The device becomes unresponsive until manually restarted.
Prerequisites
- Network access to port 4443/TCP on the SIPROTEC 5 device
- No authentication required
- Device running affected firmware version
Tags: remotely exploitable, no authentication required, low complexity, affects critical power grid protection systems, high availability impact (denial of service)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (46)
46 with fix
Product | Affected Versions | Fix Status
SIPROTEC 5 7SL86 (CP300) | ≥ 7.80, < 9.40 | 9.40
SIPROTEC 5 7SL87 (CP300) | ≥ 7.80, < 9.40 | 9.40
SIPROTEC 5 6MD85 (CP300) | ≥ 7.80, < 9.40 | 9.40
SIPROTEC 5 6MD86 (CP300) | ≥ 7.80, < 9.40 | 9.40
SIPROTEC 5 6MD89 (CP300) | ≥ 7.80, < 9.64 | 9.64
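An inventory triage against the version ranges in the table above, as an added example that is not part of the advisory or any Siemens tooling. The device names, the "V9.30"-style firmware strings and the inventory itself are constructed assumptions; only the five rows shown on this page are encoded.

```python
import re

# Ranges copied from the rows visible in this advisory's table (all CP300):
# model -> (first affected version, fixed version). The other listed products
# are not shown on the page; add them from the vendor advisory.
AFFECTED = {
    "7SL86": ((7, 80), (9, 40)),
    "7SL87": ((7, 80), (9, 40)),
    "6MD85": ((7, 80), (9, 40)),
    "6MD86": ((7, 80), (9, 40)),
    "6MD89": ((7, 80), (9, 64)),
}

def parse_version(text):
    """Parse 'V9.30' or '9.40' into an integer tuple (major, minor).

    Requires a two-digit minor part, as in the advisory's 7.80 / 9.40 / 9.64
    notation. Anything else (e.g. '9.4') is rejected rather than guessed.
    """
    m = re.fullmatch(r"\s*[Vv]?(\d+)\.(\d{2})\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))

def triage(model, version_text):
    """Return 'affected', 'not affected' or 'unknown' for one device."""
    if model not in AFFECTED:
        return "unknown"  # range not shown on this page: check vendor advisory
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"  # unparseable version: needs manual review
    first_affected, fixed = AFFECTED[model]
    return "affected" if first_affected <= version < fixed else "not affected"

# Constructed inventory for illustration: (device name, model, firmware).
INVENTORY = [
    ("sub-a-relay-01", "7SL86", "V9.30"),
    ("sub-a-relay-02", "7SL86", "V9.40"),
    ("sub-b-bay-07", "6MD89", "V9.40"),    # this model is fixed only in 9.64
    ("sub-b-bay-08", "6MD85", "V7.50"),    # older than first affected version
    ("sub-c-relay-03", "7SL87", "V10.00"), # string comparison would misorder
    ("sub-c-relay-04", "7SA82", "V8.83"),  # CP100 range not shown on page
]

def report(inventory=INVENTORY):
    return {name: triage(model, fw) for name, model, fw in inventory}

if __name__ == "__main__":
    for name, status in report().items():
        print(f"{name}: {status}")
```

Comparing versions as integer tuples avoids the misordering that string or float comparison produces, and "unknown" results are left for manual review instead of being reported as safe.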
Remediation & Mitigation
Do now
WORKAROUND: Block access to port 4443/TCP with a firewall, limiting connections to authorized engineering workstations and control center networks only
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SIPROTEC 5 7SA82 (CP100)
HOTFIX: Update firmware to patched version (9.40 for most devices, 9.64 for 6MD89 and 7ST85, 8.89-8.90 for CP100/CP150 variants per product)
Long-term hardening
HARDENING: Segment the protection relay network from untrusted networks using VPN or network isolation to limit unauthenticated access to the web interface
CVEs (1)