Information Disclosure Vulnerability in SIPROTEC 5 Devices
Monitor | CVSS 6.5 | SSA-439673 | Jan 11, 2022
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
An information disclosure vulnerability in SIPROTEC 5 protective relays and control devices allows an unauthenticated attacker on an adjacent network to read device information. Only devices with hardware (CPU) variants CP050, CP100, and CP300 are affected. Affected devices can be identified with the DIGSI engineering tool and remediated by a firmware update.
What this means
What could happen
An attacker could extract sensitive configuration and operational data from affected SIPROTEC 5 relays without authentication, potentially revealing power system protection settings, device state, and network configuration. This could enable reconnaissance for more targeted attacks on critical substation protection schemes.
Who's at risk
Operators of electric utilities and water authorities running SIPROTEC 5 protective relays (distance relays, overcurrent relays, differential protection devices) and control modules used in substations, feeder protection, transformer protection, and generator protection systems. All 31 affected device models, spanning multiple protection functions, are vulnerable when running firmware older than V8.83.
How it could be exploited
An attacker with network access to an affected SIPROTEC 5 device's communication interface can send a specially crafted request and read device information without supplying valid credentials. Because the attack vector is rated Adjacent, the attacker must be on a network segment with access to the device; no physical access or user interaction is needed. The returned device information could aid in planning further attacks.
Prerequisites
- Network access to the affected SIPROTEC 5 device's communication interface (engineering or protocol ports) from an adjacent network segment
- Device running firmware version below V8.83
- Hardware variant CP050, CP100, or CP300
Key points:
- Exploitable over the network from an adjacent network segment (attack vector: Adjacent)
- No authentication required
- Information disclosure that could enable reconnaissance against substation protection schemes
- Affects critical power system protection devices
- No active exploitation reported (EPSS 0.4%)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (31, all with a fix available; 5 of 31 listed below)
Product | Affected Versions | Fix Status
SIPROTEC 5 6MD85 devices (CPU variant CP300) | < V8.83 | fixed in V8.83
SIPROTEC 5 6MD86 devices (CPU variant CP300) | < V8.83 | fixed in V8.83
SIPROTEC 5 6MD89 devices (CPU variant CP300) | < V8.83 | fixed in V8.83
SIPROTEC 5 6MU85 devices (CPU variant CP300) | < V8.83 | fixed in V8.83
SIPROTEC 5 7KE85 devices (CPU variant CP300) | < V8.83 | fixed in V8.83
Remediation & Mitigation
Do now
- HARDENING: Use DIGSI to identify which of your SIPROTEC 5 devices have the affected CP050, CP100, or CP300 hardware variants and which of those are still running firmware below V8.83.
- WORKAROUND: Restrict network access to affected SIPROTEC 5 devices using firewall rules or access control lists so that only authorized engineering workstations and SCADA systems can reach them.
Schedule (requires a maintenance window; patching may require a device reboot, so plan for process interruption)
- HOTFIX: Update all affected SIPROTEC 5 devices to firmware version V8.83 or later using the DIGSI engineering tool or the device's firmware update mechanism.
Long-term hardening
- HARDENING: Verify that network segmentation isolates your protective relay network from untrusted networks.
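The identification step above (find devices on an affected CPU variant that are still below V8.83) is easy to get wrong when firmware strings are compared as text, because "V8.9" sorts after "V8.83" even though minor release 9 is older than minor release 83. The following script is an added example, not part of the Siemens advisory or of DIGSI: it triages a device inventory exported as CSV. The column names (name, model, cpu_variant, firmware) and the sample rows are constructed assumptions; adapt them to whatever your DIGSI or asset-inventory export actually produces.

```python
# Added example (not from the Siemens advisory or DIGSI): triage a SIPROTEC 5
# inventory against SSA-439673. CSV column names are an assumption; adjust them
# to match your own DIGSI / asset-inventory export.
import csv
import io
import re

# Hardware (CPU) variants the advisory names as affected, and the first
# firmware version that carries the fix.
AFFECTED_CPU_VARIANTS = {"CP050", "CP100", "CP300"}
FIXED_VERSION = (8, 83, 0)

# Accepts "V8.83", "8.80" or "V8.80.2" (the third component is optional).
_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Normalise a firmware string to a (major, minor, patch) tuple of ints.

    Compare tuples, never strings: as strings "V8.9" sorts after "V8.83",
    but minor release 9 is older than minor release 83.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_affected(cpu_variant, firmware):
    """True if the device is in the advisory's hardware and version scope."""
    if cpu_variant.strip().upper() not in AFFECTED_CPU_VARIANTS:
        return False
    return parse_version(firmware) < FIXED_VERSION


def triage(inventory_csv):
    """Split a CSV inventory into (needs_update, not_affected) device-name lists."""
    needs_update, not_affected = [], []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if is_affected(row["cpu_variant"], row["firmware"]):
            needs_update.append(row["name"])
        else:
            not_affected.append(row["name"])
    return needs_update, not_affected


# Constructed sample inventory; the device types are ones the advisory lists.
SAMPLE_INVENTORY = """\
name,model,cpu_variant,firmware
CTRL-BAY1,6MD85,CP300,V8.80
CTRL-BAY2,6MD86,CP300,V8.9
CTRL-BAY3,6MD89,CP300,V8.83
MERGE-UNIT1,6MU85,CP100,V8.50
FAULT-REC1,7KE85,CP050,V9.00
"""

if __name__ == "__main__":
    needs_update, not_affected = triage(SAMPLE_INVENTORY)
    print("Update to V8.83 or later:", ", ".join(needs_update))
    print("Not affected:", ", ".join(not_affected))
```

Run it against your own export and feed the "needs update" list into the maintenance-window planning; the CTRL-BAY2 row (V8.9) is the case a naive string comparison would wrongly report as already patched.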
CVEs (1)