OTPulse

Denial of Service Vulnerability in SIPROTEC 5 Devices

Priority: Plan Patch
Score: 7.5
Siemens advisory: SSA-322980
Date: Apr 11, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SIPROTEC 5 devices contain a null pointer dereference vulnerability in their web service. An unauthenticated attacker can send a maliciously crafted HTTP request that triggers the dereference and causes a denial of service condition, crashing the device's protection function. Multiple relay models and communication modules running SIPROTEC 5 firmware version 7.80 and above are affected, with the upper bound of the affected range varying by model. Siemens has released patched firmware versions for all affected products.

What this means
What could happen
An attacker can send a crafted web request to crash a SIPROTEC 5 protection device, causing it to stop monitoring and protecting the power system or substation. While the device is offline, operators lose visibility and control until it is manually restarted.
Who's at risk
Electric utilities and substations using SIPROTEC 5 relays and protection devices for power system monitoring and protection. Affected equipment includes transformer protection relays (7SA82, 7SA86, 7SA87), feeder protection relays (7SD82, 7SD86, 7SD87), distance protection relays (7SJ/7SK/7SL/7ST series), busbar protection (7SS85, 7SX85), and communication modules (ETH-BA-2EL, ETH-BB-2FO, ETH-BD-2FO). Any utility operating these Siemens relays in primary or backup protection schemes is affected.
How it could be exploited
An attacker sends a specially crafted HTTP request to the web service running on a SIPROTEC 5 device. The request triggers a null pointer dereference that crashes the device's web service and potentially the entire protection function. No authentication is required; the attacker only needs network access to the device's web port (typically port 80 or 443).
Prerequisites
  • Network access to HTTP/HTTPS port on the SIPROTEC 5 device
  • Device must be running a vulnerable firmware version
  • Remotely exploitable
  • No authentication required
  • Low complexity
  • Affects protection systems critical to power grid stability
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (46)
46 with fix

Product                  | Affected Versions | Fix Status
SIPROTEC 5 6MD85 (CP300) | ≥ 7.80, < 9.40    | 9.40
SIPROTEC 5 6MD86 (CP300) | ≥ 7.80, < 9.40    | 9.40
SIPROTEC 5 6MD89 (CP300) | ≥ 7.80, < 9.64    | 9.64
SIPROTEC 5 6MU85 (CP300) | ≥ 7.80, < 9.40    | 9.40
SIPROTEC 5 7KE85 (CP300) | ≥ 7.80, < 9.40    | 9.40
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the web service port on SIPROTEC 5 devices using firewall rules that allow only authorized engineering workstations and SCADA systems
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIPROTEC 5 7SA82 (CP100)
HOTFIX: Update SIPROTEC 5 7SA82 (CP100), 7SD82 (CP100), 7SL82 (CP100), and 7UT82 (CP100) to firmware version 8.90 or later
SIPROTEC 5 7SA82 (CP150)
HOTFIX: Update SIPROTEC 5 7SA82 (CP150), 7SD82 (CP150), 7SJ81 (CP150), 7SJ82 (CP150), 7SK82 (CP150), 7SL82 (CP150), 7SX82, 7UT82 (CP150), and Compact 7SX800 to firmware version 9.40 or later
SIPROTEC 5 Communication Module ETH-BB-2FO (Rev. 1)
HOTFIX: Update Communication Module ETH-BB-2FO to firmware version 8.89 or later (Rev. 1) or version 9.40 or later
All products
HOTFIX: Update SIPROTEC 5 6MD85, 6MD86, 6MU85, 7KE85, 7SA86, 7SA87, 7SD86, 7SD87, 7SJ85, 7SJ86, 7SK85, 7SL86, 7SL87, 7SS85, 7ST86, 7SX85, 7UM85, 7UT85, 7UT86, 7UT87, 7VE85, 7VK87, 7VU85, and Communication Module ETH-BD-2FO to firmware version 9.40 or later
HOTFIX: Update SIPROTEC 5 6MD89 and 7ST85 to firmware version 9.64 or later
HOTFIX: Update SIPROTEC 5 7SJ81, 7SJ82, 7SK82, and Communication Module ETH-BA-2EL to firmware version 8.89 or later
Long-term hardening
HARDENING: Implement network segmentation to isolate SIPROTEC 5 protection devices on a dedicated substation network with restricted inbound access from operations centers