OTPulse

Memory Corruption Vulnerability in EN100 Ethernet Module

Status: Plan Patch
CVSS: 8.6
Siemens advisory: SSA-693555
Published: Jun 14, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The EN100 Ethernet module is affected by a memory corruption vulnerability (CWE-119) that could allow an attacker to crash the module or cause undefined behavior. The vulnerability affects multiple protocol variants: DNP3 IP, IEC 104, IEC 61850, Modbus TCP, and PROFINET IO. Siemens has released a fix for the IEC 61850 variant only; no fixes are available for the other variants.

What this means
What could happen
An attacker could cause the EN100 Ethernet module to crash, interrupting communication between SCADA systems and field devices. This could disrupt real-time monitoring and control of critical infrastructure like water distribution or power delivery.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using Siemens EN100 Ethernet modules (the Ethernet communication module of SIPROTEC 4 and SIPROTEC Compact protection devices) for SCADA communication. The DNP3 IP, IEC 104, Modbus TCP, and PROFINET IO variants remain at risk since no fixes are available for them. Operators using the IEC 61850 variant should prioritize updating to V4.37.
How it could be exploited
An unauthenticated attacker with network access to the EN100 module could send a specially crafted packet to the module's protocol interface (DNP3 IP, IEC 104, IEC 61850 before V4.37, Modbus TCP, or PROFINET IO) to trigger the memory corruption. The immediate effect is a module crash, which stops the protection device from communicating over that interface until the module restarts; because the flaw is memory corruption rather than simple resource exhaustion, undefined behavior short of a crash is also possible.
Prerequisites
  • Network access to the EN100 module on its protocol port: typically TCP 20000 for DNP3 IP, TCP 2404 for IEC 104, TCP 102 (ISO-TSAP, MMS) for IEC 61850, and TCP 502 for Modbus TCP; the PROFINET IO variant is reached at layer 2 (DCP, EtherType 0x8892) and over UDP 34964 for connection setup, so it is exposed to anything on the same broadcast domain
  • No authentication required
Risk factors: remotely exploitable, no authentication required, low attack complexity, high CVSS score (8.6), no patch available for 4 of 5 variants, affects critical control system communication
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (5)
1 with fix, 4 EOL
Product                                    Affected versions   Fix status
EN100 Ethernet module IEC 61850 variant    < V4.37             V4.37
EN100 Ethernet module IEC 104 variant      All versions        No fix (EOL)
EN100 Ethernet module Modbus TCP variant   All versions        No fix (EOL)
EN100 Ethernet module PROFINET IO variant  All versions        No fix (EOL)
EN100 Ethernet module DNP3 IP variant      All versions        No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: For EN100 variants without fixes (DNP3 IP, IEC 104, Modbus TCP, PROFINET IO), implement network segmentation so that only the SCADA masters and engineering stations that need the protocol can reach the EN100 module's protocol port; block that port from all other networks, and keep the PROFINET IO variant on a dedicated VLAN because it is reachable at layer 2
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

EN100 Ethernet module IEC 61850 variant
HOTFIX: Update EN100 Ethernet module IEC 61850 variant to V4.37 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: EN100 Ethernet module IEC 104 variant, EN100 Ethernet module Modbus TCP variant, EN100 Ethernet module PROFINET IO variant, EN100 Ethernet module DNP3 IP variant. Apply the following compensating controls:
HARDENING: Monitor the EN100 module for unexpected restarts or communication failures (dropped IEC 104, Modbus TCP or DNP3 sessions, failed keepalives, repeated reconnects) that may indicate exploitation attempts, and alert on traffic to the module's protocol port from any source that is not an authorized SCADA master
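A minimal watchdog for the monitoring control above, added here as an example (it is not OTPulse or Siemens code): it probes the module's IEC 104 or Modbus TCP port with a harmless request, classifies the result, and raises an alert when the module stops answering and again when it comes back, which is the signature of a crash-and-restart. The host, the default ports 2404 and 502, and the polling results are constructed assumptions; the IEC 104 TESTFR and Modbus FC 3 framing are standard.

```python
"""Liveness watchdog for an EN100 module: probes the protocol port with a
harmless request and turns the results into restart/outage alerts.
Added example, not OTPulse or Siemens code; host, port and the polling
results below are constructed assumptions."""
import socket
import struct
import sys

# IEC 60870-5-104 APCI U-frames: start 0x68, length 4, 4 control bytes.
# TESTFR act/con is the protocol's own keepalive and is answered even
# before STARTDT, so it is a safe liveness probe for the IEC 104 variant.
TESTFR_ACT = bytes([0x68, 0x04, 0x43, 0x00, 0x00, 0x00])
TESTFR_CON = bytes([0x68, 0x04, 0x83, 0x00, 0x00, 0x00])


def build_iec104_probe(transaction_id: int) -> bytes:
    return TESTFR_ACT  # U-frames carry no sequence numbers


def iec104_reply_ok(request: bytes, reply: bytes) -> bool:
    return reply[:6] == TESTFR_CON


def build_modbus_probe(transaction_id: int, unit_id: int = 1) -> bytes:
    """Modbus TCP Read Holding Registers (FC 3), one register at address 0.
    MBAP header: transaction id, protocol id 0, length 6, unit id."""
    return struct.pack(">HHHBBHH", transaction_id, 0, 6, unit_id, 3, 0, 1)


def modbus_reply_ok(request: bytes, reply: bytes) -> bool:
    """A reply with a matching transaction id proves the stack is alive,
    even when it is a Modbus exception (function code with bit 7 set)."""
    return (len(reply) >= 8
            and reply[:2] == request[:2]          # transaction id echoed
            and reply[2:4] == b"\x00\x00"         # protocol id 0 = Modbus
            and (reply[7] & 0x7F) == request[7])  # same function code


# Probe recipe per EN100 variant, keyed by assumed default TCP port.
PROBES = {2404: (build_iec104_probe, iec104_reply_ok),
          502: (build_modbus_probe, modbus_reply_ok)}


def probe(host: str, port: int, timeout: float = 3.0, tid: int = 1) -> str:
    """One live probe: 'ok', 'refused', 'reset', 'timeout', 'unreachable'
    or 'bad-reply'. Connection refused/reset right after a working poll is
    what a module that has just crashed and is rebooting looks like."""
    build, check = PROBES[port]
    request = build(tid)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            reply = sock.recv(260)
    except ConnectionRefusedError:
        return "refused"
    except ConnectionResetError:
        return "reset"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    return "ok" if check(request, reply) else "bad-reply"


class RestartDetector:
    """Turns a stream of (timestamp, status) results into alerts. A module
    that stops answering and later answers again has most likely restarted,
    the failure mode in the advisory; a sustained failure is an outage."""

    def __init__(self, outage_after: int = 2):
        self.outage_after = outage_after  # consecutive failures before alerting
        self.alerts = []
        self._fails = 0
        self._down_since = None

    def feed(self, ts: float, status: str):
        if status == "ok":
            alert = None
            if self._down_since is not None:
                alert = (f"{ts:.0f} possible restart: answering again after "
                         f"{ts - self._down_since:.0f}s, {self._fails} failed probes")
                self.alerts.append(alert)
            self._fails, self._down_since = 0, None
            return alert
        self._fails += 1
        if self._down_since is None:
            self._down_since = ts
        if self._fails == self.outage_after:
            alert = f"{ts:.0f} outage: {status} x{self._fails} since {self._down_since:.0f}"
            self.alerts.append(alert)
            return alert
        return None


# Constructed 10 s polling results: the module vanishes for three polls and
# comes back, which is what a crash-and-reboot of the EN100 would look like.
SAMPLE_POLL = [(0, "ok"), (10, "ok"), (20, "timeout"), (30, "refused"),
               (40, "refused"), (50, "ok"), (60, "ok")]


def replay(results):
    det = RestartDetector()
    for ts, status in results:
        det.feed(ts, status)
    return det.alerts


if __name__ == "__main__":
    for line in replay(SAMPLE_POLL):
        print(line)
    if len(sys.argv) == 3:  # python3 en100_watch.py <host> <port>
        print(probe(sys.argv[1], int(sys.argv[2])))
```

Run it against a real module only from the monitoring host that the segmentation rule already allows, at a low poll rate (the module's protocol stack is the thing under stress), and feed the alerts into the SCADA alarm list. A "possible restart" alert that maintenance cannot account for is the trigger to pull the packet capture for the protocol port and look for the offending client.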