Denial of Service Vulnerability in SIPROTEC 5 Devices
Priority: Monitor (score 5.3) | Siemens advisory SSA-552874 | Published Dec 13, 2022
Attack vector: Network
Authentication required: None
Attack complexity: Low
User interaction: None needed
Summary
SIPROTEC 5 devices do not correctly handle secure (TLS) client-initiated renegotiation, which allows an unauthenticated network attacker to drive the device into a denial of service condition. The affected devices span the protection relay families 6MD, 6MU, 7KE, 7SA, 7SD, 7SJ, 7SK, 7SL, 7SM, 7SS, 7ST, 7SU, 7SX, 7UT, 7UM, 7VE, 7VK and 7VU across several communication processor variants (CP050, CP100, CP150, CP200, CP300), as well as the SIPROTEC 5 Communication Modules ETH-BA-2EL, ETH-BB-2FO and ETH-BD-2FO and the SIPROTEC 5 Compact 7SX800. Fixed firmware is available for many models, but a large number of CP200-based variants have no fix.
What this means
What could happen
An attacker who can reach the device over the network can make a SIPROTEC 5 relay unresponsive by repeatedly triggering TLS renegotiation on connections it accepts. Each renegotiation costs the device far more than it costs the client (a full handshake, including the device's private-key operation, for a few bytes from the attacker), so a single client can exhaust the relay's processing capacity. The device stops responding to legitimate management and control traffic until the attack ends; if the protection functions are affected as well, the protected equipment is without its primary protection for that period.
Who's at risk
Electric utilities and distribution operators that rely on SIPROTEC 5 relays to protect and control substations, distribution feeders and transmission lines. The vulnerability affects virtually every SIPROTEC 5 protection relay model across all protection functions (distance, overcurrent, transformer differential, bus differential, line differential, metering). Operators running older CP200 (communication processor) variants are at particular risk because no fix exists for them and they can only be protected by network controls.
How it could be exploited
An attacker with network access to a SIPROTEC 5 device opens a TLS connection to a TLS-protected service on the device and repeatedly requests renegotiation within the established session. The device does not limit or reject client-initiated renegotiation, so every request forces it through another expensive handshake; its resources are consumed and it becomes unresponsive to legitimate traffic until the attacker stops.
Prerequisites
- Network reachability of the device's TLS-protected service port. TLS renegotiation does not apply to plaintext protocols, so Modbus/TCP on port 502 is not the relevant interface; the exact port is not stated in this excerpt of the advisory.
- No authentication: the renegotiation requests are issued before any login, during the TLS session itself.
Key facts:
- Remotely exploitable
- No authentication required
- Low complexity attack
- Affects critical protection equipment
- No patch available for CP200 variants
- Wide range of affected products
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (69): 47 with fix, 22 pending

Product                      Affected versions   Fix status
SIPROTEC 5 6MD84 (CP300)     < 9.50              Update to 9.50
SIPROTEC 5 6MD85 (CP200)     All versions        No fix yet
SIPROTEC 5 6MD85 (CP300)     < 9.50              Update to 9.50
SIPROTEC 5 6MD86 (CP200)     All versions        No fix yet
SIPROTEC 5 6MD86 (CP300)     < 9.50              Update to 9.50
Remediation & Mitigation
Do now
SIPROTEC 5 6MD85 (CP200) and other variants without a fix
HARDENING: For SIPROTEC 5 devices with CP200 processors, where no fix is available, segment the network so that the relay's communication ports are reachable only from authorized engineering workstations and SCADA systems.
All products
HARDENING: Implement firewall rules or access control lists at the control system network perimeter that deny inbound connections to SIPROTEC 5 devices from outside the control system network.
Schedule (requires maintenance window)
Patching may require a device restart; plan for the interruption, since the relay provides no protection while it restarts and the protected equipment must be covered by backup protection or taken out of service for that time.
SIPROTEC 5 6MD84 (CP300)
HOTFIX: Upgrade SIPROTEC 5 devices with CP300, CP150 and CP100 processors to the patched firmware versions (9.50, 9.64, 8.90 or 8.89, depending on model).
Long-term hardening
WORKAROUND: Monitor SIPROTEC 5 relay logs (or the logs of an IDS or TLS-aware sensor in front of the relays) for repeated client renegotiation attempts from the same source within a short window; a burst of them from one address is the signature of an active denial of service attempt, whereas occasional attempts from engineering workstations are normal.
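Detection logic of the kind the monitoring recommendation above describes, as an added example that is not part of this advisory or of Siemens' documentation. The syslog-style line format, the device names and the addresses are constructed for the example; SIPROTEC 5 devices do not necessarily log in this form, so LINE_RE must be adapted to whatever your relays, or an IDS in front of them, actually emit. The example keeps a per-(device, source) sliding window and raises one alert the first time a source crosses the threshold, so that a slow trickle of attempts from a workstation is not flagged while a burst from one address is.

```python
"""Sliding-window detection of repeated TLS renegotiation attempts per source.

Constructed example: the log format matched by LINE_RE is hypothetical.
Adapt the regex to the real syslog output of the relay or of a sensor in
front of it; the windowing logic is independent of the format.
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical line shape:
#   <ISO-8601 UTC timestamp> <device> tls: renegotiation <outcome> from <src ip>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+"
    r"(?P<device>\S+)\s+tls:\s+renegotiation\s+(?P<outcome>\S+)\s+"
    r"from\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\s*$"
)


@dataclass(frozen=True)
class Alert:
    device: str
    src: str
    count: int              # attempts inside the window when the alert fired
    window_start: datetime
    window_end: datetime


def parse_line(line: str):
    """Return (timestamp, device, src, outcome) or None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["device"], m["src"], m["outcome"]


def detect_renegotiation_floods(lines, threshold: int = 5, window_seconds: int = 60):
    """One Alert per (device, src) the first time `threshold` attempts land
    inside any `window_seconds` span. Accepted and rejected attempts both
    count: a device that rejects renegotiation still spends effort on it."""
    events = [e for e in map(parse_line, lines) if e]
    events.sort(key=lambda e: e[0])          # syslog delivery order is not reliable
    recent: dict = defaultdict(deque)        # (device, src) -> timestamps in window
    alerted = set()
    alerts = []
    for ts, device, src, _outcome in events:
        key = (device, src)
        q = recent[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()                      # drop attempts older than the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append(Alert(device, src, len(q), q[0], ts))
    return alerts


# Constructed sample: one burst from 10.20.30.99, occasional legitimate
# attempts from 10.20.30.5, a slow series from 10.20.30.7 that never
# exceeds the rate, one malformed line, and out-of-order timestamps.
SAMPLE_LOG = """\
2022-12-14T08:00:05Z relay-7SA87-01 tls: renegotiation rejected from 10.20.30.99
2022-12-14T08:00:02Z relay-7SA87-01 tls: renegotiation rejected from 10.20.30.99
2022-12-14T08:00:00Z relay-7SA87-01 tls: renegotiation accepted from 10.20.30.5
2022-12-14T08:00:07Z relay-7SA87-01 tls: renegotiation rejected from 10.20.30.99
2022-12-14T08:00:09Z relay-7SA87-01 tls: renegotiation rejected from 10.20.30.99
garbage line that does not match
2022-12-14T08:00:11Z relay-7SA87-01 tls: renegotiation rejected from 10.20.30.99
2022-12-14T08:00:13Z relay-7SA87-01 tls: renegotiation rejected from 10.20.30.99
2022-12-14T09:30:00Z relay-7SA87-01 tls: renegotiation accepted from 10.20.30.5
2022-12-14T10:00:00Z relay-7SJ85-02 tls: renegotiation rejected from 10.20.30.7
2022-12-14T10:05:00Z relay-7SJ85-02 tls: renegotiation rejected from 10.20.30.7
2022-12-14T10:10:00Z relay-7SJ85-02 tls: renegotiation rejected from 10.20.30.7
2022-12-14T10:15:00Z relay-7SJ85-02 tls: renegotiation rejected from 10.20.30.7
2022-12-14T10:20:00Z relay-7SJ85-02 tls: renegotiation rejected from 10.20.30.7
"""


def run_sample():
    """Run the detector over the constructed sample with the default thresholds."""
    return detect_renegotiation_floods(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a.device}: {a.count} renegotiation attempts from {a.src} "
              f"between {a.window_start:%H:%M:%S} and {a.window_end:%H:%M:%S}")
```

The threshold and window are deliberately conservative; tune them against a baseline of your own engineering traffic before alerting on them, and pair the alert with the source address so the firewall rule that drops it can be written directly from the event.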
CVEs (1)
API:
/api/v1/advisories/392c0ae3-60f9-416e-8642-d979c0791ddd