OTPulse

Siemens SENTRON PAC3200 Devices

Priority: Act Now · CVSS 9.8 · ICS-CERT ICSA-24-284-04 · Oct 8, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SENTRON PAC3200 provides only a 4-digit PIN to protect administrative access via the Modbus TCP interface. Attackers with network access to the Modbus TCP interface can bypass this protection through brute-force attacks or by capturing credentials from unencrypted Modbus TCP cleartext communication.

What this means
What could happen
An attacker with network access to the Modbus TCP interface could gain administrative control of the power monitoring device and change configuration settings, disable alarms, or disrupt power monitoring and reporting capabilities that your facility relies on.
Who's at risk
This affects any facility using SENTRON PAC3200 power monitoring devices for electrical distribution monitoring and control. Water utilities, electric utilities, manufacturing plants, and data centers that depend on these devices for power system visibility and protection are at risk. Any PAC3200 connected to a network where an attacker might gain access is vulnerable.
How it could be exploited
An attacker on your network (or with routed access to your OT network) sends Modbus TCP commands to port 502 on the PAC3200. The attacker either brute-forces the 4-digit PIN (only 10,000 possible combinations) or sniffs the Modbus cleartext traffic to capture the PIN, then authenticates as an administrator and issues commands to modify device settings or disable monitoring functions.
Prerequisites
  • Network access to the Modbus TCP interface (typically port 502)
  • The 4-digit PIN, which need not be known in advance: all 10,000 possibilities can be enumerated relatively quickly, or the PIN can be read from the unencrypted Modbus TCP traffic
  • No network segmentation isolating the PAC3200 from untrusted networks
Tags:
  • Remotely exploitable via Modbus TCP
  • No authentication required (weak 4-digit PIN)
  • Low complexity attack (brute force or sniffing)
  • No patch available
  • Affects critical infrastructure monitoring systems
  • Cleartext credential transmission
Exploitability
Low exploit probability (EPSS 0.0%). EPSS estimates the likelihood of exploitation in the wild over the next 30 days from observed activity; it does not offset the low attack complexity above for a device that is reachable from an untrusted network.
Affected products (1)
Product: SENTRON 7KM PAC3200
Affected versions: All versions
Fix status: No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation: isolate PAC3200 devices on a dedicated OT VLAN with strict firewall rules allowing only necessary Modbus TCP traffic from authorized control and monitoring systems
WORKAROUND: Configure firewall rules to allow Modbus TCP (port 502) only from specific, documented source IP addresses of authorized engineering workstations and SCADA servers
WORKAROUND: If possible, disable Modbus TCP administrative functions and use read-only access for operational monitoring
Schedule — requires maintenance window

No firmware patch is available for this EOL device, so there is nothing to patch; the configuration changes below may still require a device reboot, so plan for an interruption of power monitoring.

HARDENING: Monitor and log all Modbus TCP connections to the PAC3200 and alert on bursts of requests from a single source, which is what enumerating a 10,000-value PIN space looks like on the wire; also flag any write or configuration function from a host that is not on the documented allowlist
HARDENING: Review and document all devices that have Modbus TCP administrative access to PAC3200 in your network diagram
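The two workarounds (source-IP allowlist, read-only operational access) and the monitoring item above can be checked passively on a SPAN port or from firewall logs of the OT VLAN. The following is an added example, not OTPulse or Siemens code: it parses the Modbus/TCP MBAP header to recover the function code, flags write functions and sources outside a documented allowlist, and raises a rate alert when one source sends more requests inside a sliding window than a polling SCADA server ever would. The IP addresses, allowlist, threshold and sample traffic are constructed assumptions; the page does not say how the PIN is carried in Modbus, so the example does not try to decode it.

```python
"""Passive Modbus/TCP monitor for a power meter such as the PAC3200.

Added example, not OTPulse or Siemens code. It assumes you can feed it
(timestamp_s, source_ip, destination_port, payload) records captured from a
SPAN port or firewall log of the OT VLAN; the traffic below is constructed.
"""
import struct
from collections import defaultdict, deque

MODBUS_PORT = 502
READ_FUNCTIONS = {1, 2, 3, 4}      # read coils / discrete inputs / holding / input registers
WRITE_FUNCTIONS = {5, 6, 15, 16}   # write single coil / register, multiple coils / registers

# Documented hosts allowed to talk Modbus/TCP to the meter (assumed addresses).
ALLOWLIST = frozenset({"10.10.1.5", "10.10.1.20"})


def build_adu(transaction_id, unit_id, function_code, data):
    """Build a Modbus/TCP ADU: MBAP header (tid, protocol 0, length, unit id) + PDU.
    Used here only to construct the sample traffic."""
    pdu = bytes([function_code]) + data
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_adu(payload):
    """Return (transaction_id, unit_id, function_code), or None if malformed.
    The MBAP length field counts the unit id byte plus the PDU."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0 or length < 2 or len(payload) != 6 + length:
        return None
    return tid, unit, payload[7]


def analyze(frames, allowlist=ALLOWLIST, window=60.0, threshold=20):
    """frames: iterable of (timestamp_s, src_ip, dst_port, payload) records.
    Returns a list of (alert_kind, src_ip) in detection order, at most one
    alert of each kind per source so a noisy host cannot flood the log."""
    alerts = []
    seen = set()
    recent = defaultdict(deque)   # src_ip -> timestamps inside the sliding window

    def alert(kind, src):
        if (kind, src) not in seen:
            seen.add((kind, src))
            alerts.append((kind, src))

    for ts, src, dst_port, payload in sorted(frames):
        if dst_port != MODBUS_PORT:
            continue
        parsed = parse_adu(payload)
        if parsed is None:
            alert("malformed-adu", src)
            continue
        _, _, fc = parsed
        if src not in allowlist:
            alert("unknown-source", src)          # violates the firewall allowlist
        if fc in WRITE_FUNCTIONS:
            alert("write-function", src)          # configuration change, review it
        elif fc not in READ_FUNCTIONS:
            alert("unexpected-function", src)     # neither plain read nor plain write
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) > threshold:
            alert("high-rate", src)               # burst: the shape a PIN brute force takes
    return alerts


def sample_traffic():
    """Constructed traffic: a SCADA poller, one engineering write, one truncated
    frame, and an unlisted host sending 25 write requests in five seconds."""
    frames = []
    for i in range(3):   # authorized SCADA server reading 2 holding registers every 10 s
        frames.append((100.0 + 10 * i, "10.10.1.5", MODBUS_PORT,
                       build_adu(i, 1, 3, struct.pack(">HH", 0x0000, 0x0002))))
    frames.append((150.0, "10.10.1.20", MODBUS_PORT,   # authorized workstation, one write
                   build_adu(7, 1, 6, struct.pack(">HH", 0x0010, 0x1234))))
    frames.append((160.0, "10.10.1.5", MODBUS_PORT, b"\x00\x08\x00\x00"))   # truncated
    for i in range(25):  # unlisted host hammering single-register writes
        frames.append((200.0 + 0.2 * i, "10.10.9.77", MODBUS_PORT,
                       build_adu(i, 1, 6, struct.pack(">HH", 0x0010, i))))
    return frames


if __name__ == "__main__":
    for kind, src in analyze(sample_traffic()):
        print(f"{kind:18s} {src}")
```

The threshold should be set from the real poll interval of the SCADA system: a poller asking for a handful of registers every few seconds stays far below 20 requests per minute from one source, while a brute force of even a fraction of the 10,000-value PIN space cannot.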