Buffer Overflow Vulnerability in Third-Party Component in SICAM and SITIPE Products
Recommended action: Plan Patch
Score: 8.2
Advisory: SSA-673996
Date: Sep 10, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple SICAM and SITIPE products are affected by a buffer overflow vulnerability in the IEC 61850 Client library from Triangle MicroWorks. An unauthenticated remote attacker can send specially crafted MMS (Manufacturing Message Specification) messages to trigger the overflow, causing the interface to crash and stop processing IEC 61850 communications. This affects SICAM A8000, SICAM EGS, SICAM S8000, SICAM SCC, and SITIPE AT platforms using ET85 or ETI5 Ethernet interfaces. The vulnerability is in how these interfaces parse IEC 61850 protocol messages when relaying protection and monitoring data from substations.
What this means
What could happen
An attacker could send specially crafted messages to these protection relay and SCADA interfaces, causing them to stop responding and disrupting real-time monitoring or control of critical power system equipment. This could prevent operators from seeing grid conditions or issuing control commands.
Who's at risk
Operators of Siemens SICAM and SITIPE protection relay and SCADA systems using ET85 or ETI5 Ethernet IEC 61850 interfaces should prioritize updates. This affects A8000, EGS, and S8000 device families, as well as SITIPE AT platforms commonly found in substations and generation facilities. The vulnerability impacts any facility using IEC 61850 for real-time protection or monitoring.
How it could be exploited
An attacker on the network sends a specially crafted MMS (Manufacturing Message Specification) message to the IEC 61850 client interface. The message triggers a buffer overflow in the Triangle MicroWorks library that the interface uses to parse IEC 61850 protocol messages, crashing the service and causing denial of service.
Prerequisites
- Network access to the IEC 61850 communication port (typically port 102)
- Access to the same network segment as the affected interface or a routed path to it
- No valid credentials required
Tags: remotely exploitable · no authentication required · low complexity attack · affects real-time monitoring and protection systems · denial of service impact on critical operations
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
ET85 Ethernet Interface IEC61850 Ed.2 | < 03.27 | 03.27
ETI5 Ethernet Int. 1x100TX IEC61850 | < 05.30 | 05.30
SICAM SCC | All versions < V9.14 HF2 | 9.14 HF2
SITIPE AT | < 3.21 | 3.21
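As an added example that is not part of the advisory, the following Python script checks a constructed device inventory against the fixed versions in the table above, ordering hotfix releases correctly (9.14 < 9.14 HF1 < 9.14 HF2). The version-string formats it accepts ("03.27", "V9.14 HF2") and the inventory entries are assumptions.

```python
"""Check an inventory of SICAM/SITIPE components against the fixed versions
listed in SSA-673996. The inventory and version-string formats are
constructed examples; the thresholds are the advisory's fix versions."""
import re

# Fixed versions from the advisory table (product family -> first fixed version).
FIXED_VERSIONS = {
    "ET85": "03.27",
    "ETI5": "05.30",
    "SICAM SCC": "V9.14 HF2",
    "SITIPE AT": "3.21",
}

def parse_version(text):
    """Turn '03.27', 'V9.14' or 'V9.14 HF2' into a comparable tuple.
    Numeric parts compare as integers, so '03.27' < '03.100'; a hotfix
    suffix 'HFn' orders after the base release (treated as HF0 when absent)."""
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)*)(?:\s*HF\s*(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    numbers = tuple(int(part) for part in m.group(1).split("."))
    hotfix = int(m.group(2) or 0)
    return numbers, hotfix

def is_vulnerable(product, version):
    """True if 'version' is below the advisory's fixed version for 'product'.
    Unknown products raise a KeyError so they are never reported as safe."""
    return parse_version(version) < parse_version(FIXED_VERSIONS[product])

def check_inventory(inventory):
    """Return the (asset, product, version) entries that still need the update."""
    return [(asset, product, version)
            for asset, product, version in inventory
            if is_vulnerable(product, version)]

# Constructed sample inventory: (asset name, product family, installed version).
SAMPLE_INVENTORY = [
    ("rtu-substation-a", "ET85", "03.25"),
    ("rtu-substation-b", "ET85", "03.27"),
    ("rtu-gateway-1", "ETI5", "05.29"),
    ("scada-hmi-1", "SICAM SCC", "V9.14 HF1"),
    ("scada-hmi-2", "SICAM SCC", "V9.14 HF2"),
    ("sitipe-lab", "SITIPE AT", "3.20"),
]

if __name__ == "__main__":
    for asset, product, version in check_inventory(SAMPLE_INVENTORY):
        print(f"{asset}: {product} {version} -> update to {FIXED_VERSIONS[product]}")
```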
Remediation & Mitigation
Do now
HARDENING: Restrict network access to IEC 61850 communication ports to only authorized operator workstations and control system networks using firewall or switch ACLs
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SICAM SCC
HOTFIX: Update SICAM SCC to version 9.14 HF2 or later
SITIPE AT
HOTFIX: Update SITIPE AT to version 3.21 or later
All products
HOTFIX: Update ET85 Ethernet Interface firmware to version 03.27 or later (distributed in CP-8000/CP-8021/CP-8022 Package V16.52 or later)
HOTFIX: Update ETI5 Ethernet Interface firmware to version 05.30 or later (distributed in CP-8031/CP-8050 Package V5.30 or later)
Long-term hardening
HARDENING: Segment IEC 61850-enabled devices onto a separate control network isolated from corporate IT and external networks
CVEs (1)