OTPulse

Siemens Third-Party Component in SICAM and SITIPE Products

Plan Patch · Score 8.2 · ICS-CERT ICSA-24-256-16 · Sep 10, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A buffer overflow vulnerability exists in the IEC 61850 Client library from Triangle MicroWorks, which is used by multiple Siemens substation automation products. An unauthenticated remote attacker can send specially crafted MMS (Manufacturing Message Specification) messages over the network to trigger the overflow, causing the affected component to crash and become unavailable. The vulnerability affects: ET85 Ethernet Interface IEC61850 (versions before 03.27), ETI5 Ethernet Interface 1x100TX IEC61850 (versions before 05.30), SICAM SCC (versions before 9.14 HF2), and SITIPE AT (versions before 3.21). The affected products are used in SICAM A8000, SICAM EGS, SICAM S8000 device firmware, and SITIPE AT protection systems for substation control and protection applications.

What this means
What could happen
A remote attacker could send malicious network messages to cause a denial of service condition on SICAM and SITIPE devices, interrupting communication and control functions for substations or power systems. This could prevent operators from remotely monitoring or controlling equipment.
Who's at risk
Owners and operators of Siemens substation automation equipment should be concerned. This affects SICAM substation control and monitoring systems (A8000, EGS, S8000, and SCC models) and SITIPE AT protection systems used in electric utilities and large industrial facilities. Specifically, any installation using ET85 or ETI5 Ethernet interface cards for IEC 61850 communication is at risk, as well as deployments of SICAM SCC or SITIPE AT software.
How it could be exploited
An attacker on the network (or network-adjacent) sends specially crafted IEC 61850 MMS (Manufacturing Message Specification) messages to the vulnerable Ethernet interface cards or software applications. The buffer overflow in the Triangle MicroWorks IEC 61850 Client library crashes the component, causing the device or software to become unresponsive and unable to communicate.
Prerequisites
  • Network access to the affected device or application on the IEC 61850 communication port (typically 102/tcp)
  • No authentication or valid credentials required
  • Device must be operational and listening for MMS messages
Key points: Remotely exploitable · No authentication required · Low complexity attack · Affects critical substation and protection systems · Denial of service impact on control functions
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
4 with fix
Product                                | Affected Versions | Fixed Version
ET85 Ethernet Interface IEC61850 Ed.2  | < 03.27           | 03.27
ETI5 Ethernet Int. 1x100TX IEC61850    | < 05.30           | 05.30
SICAM SCC                              | < V9.14 HF2       | 9.14 HF2
SITIPE AT                              | < 3.21            | 3.21
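As a worked example (added here, not OTPulse's or Siemens' own tooling), the affected-products table can be turned into an inventory check. The version parser accepts the forms used in the table (optional "V" prefix, leading zeros such as "03.27", and a hotfix suffix such as "9.14 HF2"); the hostnames and installed versions in the sample inventory are constructed.

```python
import re

# First fixed version per product, copied from the advisory's affected-products table.
FIXED_IN = {
    "ET85 Ethernet Interface IEC61850 Ed.2": "03.27",
    "ETI5 Ethernet Int. 1x100TX IEC61850": "05.30",
    "SICAM SCC": "V9.14 HF2",
    "SITIPE AT": "3.21",
}

_VERSION_RE = re.compile(r"^V?(\d+(?:\.\d+)*)(?:\s*HF\s*(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Normalise a Siemens version string into a comparable tuple.

    Handles the forms in the advisory: an optional 'V' prefix, dotted numeric
    parts with leading zeros ('03.27' == '3.27') and an optional hotfix suffix
    ('9.14 HF2'). A release without a hotfix suffix counts as HF0, so a plain
    '9.14' sorts below '9.14 HF2' and is still reported as affected.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numeric = tuple(int(part) for part in m.group(1).split("."))
    hotfix = int(m.group(2) or 0)
    return numeric, hotfix


def is_affected(product, installed):
    """True when the installed version is older than the first fixed version."""
    return parse_version(installed) < parse_version(FIXED_IN[product])


def needs_patch(inventory):
    """Return the (host, product, version) entries still running an affected version."""
    return [(h, p, v) for h, p, v in inventory if is_affected(p, v)]


# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("rtu-a8000-01", "ET85 Ethernet Interface IEC61850 Ed.2", "03.26"),
    ("rtu-a8000-02", "ET85 Ethernet Interface IEC61850 Ed.2", "03.27"),
    ("rtu-cp8050-01", "ETI5 Ethernet Int. 1x100TX IEC61850", "05.30"),
    ("hmi-scc-01", "SICAM SCC", "V9.14"),
    ("hmi-scc-02", "SICAM SCC", "V9.14 HF2"),
    ("hmi-scc-03", "SICAM SCC", "V10.0"),
    ("prot-sitipe-01", "SITIPE AT", "3.20"),
]

if __name__ == "__main__":
    for host, product, version in needs_patch(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} -> update to {FIXED_IN[product]}")
```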
Remediation & Mitigation
Do now
WORKAROUND: Implement network firewall rules to restrict access to IEC 61850 ports (typically port 102) to only authorized engineering workstations and SCADA master systems
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SICAM SCC
HOTFIX: Update SICAM SCC to version 9.14 HF2 or V10.0 or later
SITIPE AT
HOTFIX: Update SITIPE AT to version 3.21 or later
All products
HOTFIX: Update ET85 Ethernet Interface IEC61850 firmware to version 03.27 or later
HOTFIX: Update ETI5 Ethernet Interface 1x100TX IEC61850 firmware to version 05.30 or later (included in CP-8031/CP-8050 Package V5.30)
Long-term hardening
HARDENING: Segment SICAM and SITIPE devices onto a protected network with restricted access from untrusted networks