OTPulse

Denial of Service Vulnerability in the RADIUS Client of SIPROTEC 5 Devices

CVSS 7.5 · Siemens advisory SSA-726834 · Mar 14, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

The RADIUS client implementation in SIPROTEC 5 devices contains a denial of service vulnerability. A specially crafted packet sent by a RADIUS server can trigger an infinite loop (CWE-835), causing the device to become unresponsive. The vulnerable code affects firmware versions 7.80 and later (with specific version ranges per product).
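The summary attributes the hang to CWE-835, a loop that never terminates, but the advisory does not say which field the SIPROTEC 5 client mishandles. As an added example (not code from the advisory or from Siemens), the following Python shows the general pattern a RADIUS client can follow so that its attribute-parsing loop is provably finite: bound the Length field, verify the Response Authenticator before touching attributes, and refuse any attribute whose Length would fail to advance the cursor. The packet layout is RFC 2865; the shared secret, request authenticator and sample responses are constructed values.

```python
"""Defensive parsing of RADIUS server responses with a provably finite
attribute loop.

Added illustration of the CWE-835 class (a length-driven walk over
type/length/value attributes that can stop advancing on malformed input).
The advisory does not disclose which field the SIPROTEC 5 client mishandles,
so this shows only how a client can bound the loop, not the actual defect.
Packet layout follows RFC 2865.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass

HEADER_LEN = 20        # Code(1) Identifier(1) Length(2) Authenticator(16)
MAX_PACKET_LEN = 4096  # RFC 2865 section 3
ATTR_MIN_LEN = 2       # Type(1) Length(1); Length counts both octets


class MalformedPacket(ValueError):
    """Raised for any packet the client must discard rather than process."""


@dataclass(frozen=True)
class Attribute:
    type: int
    value: bytes


def parse_attributes(body: bytes) -> list[Attribute]:
    """Walk TLV attributes; `pos` strictly increases on every iteration."""
    attrs: list[Attribute] = []
    pos, end = 0, len(body)
    while pos < end:
        if end - pos < ATTR_MIN_LEN:
            raise MalformedPacket("truncated attribute header")
        attr_type, attr_len = body[pos], body[pos + 1]
        # An attribute Length below 2 would leave pos unchanged and the loop
        # would never terminate: this check is what makes the loop finite.
        if attr_len < ATTR_MIN_LEN:
            raise MalformedPacket(f"attribute type {attr_type} has length {attr_len}")
        if pos + attr_len > end:
            raise MalformedPacket(f"attribute type {attr_type} overruns the packet")
        attrs.append(Attribute(attr_type, body[pos + 2:pos + attr_len]))
        pos += attr_len
    return attrs


def parse_response(pkt: bytes, request_auth: bytes, secret: bytes) -> tuple[int, int, list[Attribute]]:
    """Validate header, Length and Response Authenticator before parsing attributes."""
    if len(pkt) < HEADER_LEN:
        raise MalformedPacket("packet shorter than RADIUS header")
    code, ident, length = struct.unpack_from("!BBH", pkt, 0)
    if not HEADER_LEN <= length <= MAX_PACKET_LEN:
        raise MalformedPacket(f"Length field {length} out of range")
    if length > len(pkt):
        raise MalformedPacket("Length field exceeds received octets")
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret);
    # a response that fails this check is silently discarded (RFC 2865 section 3).
    expected = hashlib.md5(pkt[:4] + request_auth + pkt[HEADER_LEN:length] + secret).digest()
    if not hmac.compare_digest(expected, pkt[4:HEADER_LEN]):
        raise MalformedPacket("Response Authenticator mismatch")
    # Octets beyond Length are padding and must be ignored, so slice to `length`.
    return code, ident, parse_attributes(pkt[HEADER_LEN:length])


def build_response(code: int, ident: int, raw_attrs: bytes, request_auth: bytes, secret: bytes) -> bytes:
    """Test fixture: assemble a server response carrying a valid Response Authenticator."""
    length = HEADER_LEN + len(raw_attrs)
    head = struct.pack("!BBH", code, ident, length)
    auth = hashlib.md5(head + request_auth + raw_attrs + secret).digest()
    return head + auth + raw_attrs


# Constructed sample values, not from any real deployment.
SECRET = b"constructed-shared-secret"
REQUEST_AUTH = bytes(range(16))
ACCESS_ACCEPT = 2


def demo() -> dict[str, object]:
    """A well-formed response parses; the bounded loop rejects a zero-length attribute."""
    good = build_response(ACCESS_ACCEPT, 7, bytes([18, 4]) + b"ok", REQUEST_AUTH, SECRET)
    code, ident, attrs = parse_response(good, REQUEST_AUTH, SECRET)
    out: dict[str, object] = {"code": code, "ident": ident, "reply": attrs[0].value}
    bad = build_response(ACCESS_ACCEPT, 8, bytes([18, 0]), REQUEST_AUTH, SECRET)
    try:
        parse_response(bad, REQUEST_AUTH, SECRET)
        out["rejected"] = False
    except MalformedPacket as exc:
        out["rejected"] = True
        out["reason"] = str(exc)
    return out


if __name__ == "__main__":
    print(demo())
```

In a real client the `MalformedPacket` path should log and drop the datagram; a count of such drops per RADIUS server is also a cheap detection signal for a misbehaving or impersonated server.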

What this means
What could happen
An attacker who controls or compromises a RADIUS authentication server used by your protection relays could send a malicious packet that causes the devices to stop responding, disrupting the availability of critical protection and monitoring functions in your power system.
Who's at risk
This vulnerability affects SIPROTEC 5 protection relays and communication modules used in electrical substations and power distribution systems. Specifically, the 6MD85/6MD86/6MU85, 7KE85, 7SA86/7SA87, 7SD86/7SD87, 7SJ85/7SJ86, 7SK85, 7SL86/7SL87, 7SS85, 7ST85/7ST86, 7SX85/7SX800, 7UM85, 7UT85/7UT86/7UT87, 7VE85, and 7VK87 models are at risk if they use RADIUS authentication. Any electric utility or power systems operator deploying these relays should evaluate their use of RADIUS authentication.
How it could be exploited
An attacker would need to compromise or spoof the RADIUS server that the SIPROTEC 5 devices are configured to authenticate against. Once they can send a specially crafted RADIUS packet to the devices, the malicious packet triggers an infinite loop in the RADIUS client code, causing denial of service. The network must already be configured for RADIUS authentication.
Prerequisites
  • RADIUS authentication configured on the SIPROTEC 5 device
  • Network access to the device on the port used by the RADIUS client (typically UDP 1812)
  • The attacker must be able to impersonate or compromise the RADIUS server (requires network access to the RADIUS server or the ability to intercept/redirect RADIUS communication)
Remotely exploitable · No authentication required for the RADIUS packet itself (once RADIUS is configured) · Low complexity attack · Requires attacker to compromise RADIUS server or network position · High availability impact to protection systems
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (28)
27 with fix · 1 EOL

Product                  | Affected Versions | Fix Status
SIPROTEC 5 6MD85 (CP300) | ≥ V7.80 < V9.30   | 9.30
SIPROTEC 5 6MD86 (CP300) | ≥ V7.80 < V9.30   | 9.30
SIPROTEC 5 6MU85 (CP300) | ≥ V7.90 < V9.30   | 9.30
SIPROTEC 5 7KE85 (CP300) | ≥ V7.80 < V9.30   | 9.30
SIPROTEC 5 7SA86 (CP300) | ≥ V7.80 < V9.30   | 9.30
Remediation & Mitigation
Do now
WORKAROUND: If RADIUS authentication is not required, disable RADIUS client functionality on the device to eliminate the attack vector
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update all affected SIPROTEC 5 devices to firmware version 9.30 or later
Mitigations - no patch available
SIPROTEC 5 6MD89 (CP300) has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Implement network segmentation to restrict which servers can send RADIUS packets to your protection relays; restrict RADIUS communication to authorized servers only
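Putting the affected-version table and the remediation steps together, here is an added Python triage script (not part of the advisory or of any vendor tooling) that classifies a device inventory against the ranges listed on this page and maps each result to the matching action: workaround, scheduled hotfix, or compensating controls for the end-of-life product. It encodes only the five product rows shown above plus the 6MD89 end-of-life note; the remaining products from the full advisory would be added to the same table. Device names, firmware strings and the RADIUS flag are constructed sample data.

```python
"""Triage a SIPROTEC 5 inventory against SSA-726834.

Added example; not part of the advisory. The affected ranges below are copied
from the product rows shown on this page. The end-of-life product 6MD89 is
listed without a version range, so every unit of it is treated as needing
compensating controls.
"""
import re
from dataclasses import dataclass

ADVISORY = "SSA-726834"
FIXED_IN = (9, 30)  # "update to firmware version 9.30 or later"

# product -> first affected version (inclusive); FIXED_IN is the exclusive upper bound
FIRST_AFFECTED = {
    "6MD85": (7, 80),
    "6MD86": (7, 80),
    "6MU85": (7, 90),
    "7KE85": (7, 80),
    "7SA86": (7, 80),
}
EOL_NO_PATCH = {"6MD89"}  # vendor will not release a patch

# Classification codes and the action each maps to for this advisory
ACTIONS = {
    "EXPOSED": "Affected and RADIUS enabled: disable RADIUS if unused, otherwise prioritise the V9.30 update",
    "AFFECTED_RADIUS_OFF": "Affected but RADIUS disabled: keep it disabled and schedule V9.30 in a maintenance window",
    "EOL_NO_PATCH": "End of life: segment the network and restrict RADIUS traffic to authorised servers",
    "NOT_AFFECTED": "Firmware outside the affected range: no action for this advisory",
    "UNLISTED": "Product not in the rows encoded here: check the full advisory",
}


@dataclass(frozen=True)
class Device:
    name: str             # constructed inventory label
    product: str          # e.g. "6MD85"
    firmware: str         # as Siemens writes it, e.g. "V7.80"
    radius_enabled: bool  # the prerequisite for exposure


def parse_version(text: str) -> tuple[int, int]:
    """Turn 'V7.80' (or '7.80') into (7, 80) so ranges compare as tuples."""
    m = re.fullmatch(r"\s*[Vv]?(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return int(m.group(1)), int(m.group(2))


def classify(dev: Device) -> str:
    """Return one of the ACTIONS keys for a single device."""
    if dev.product in EOL_NO_PATCH:
        return "EOL_NO_PATCH"
    first = FIRST_AFFECTED.get(dev.product)
    if first is None:
        return "UNLISTED"
    if not first <= parse_version(dev.firmware) < FIXED_IN:
        return "NOT_AFFECTED"
    return "EXPOSED" if dev.radius_enabled else "AFFECTED_RADIUS_OFF"


def triage(fleet: list[Device]) -> dict[str, str]:
    """Map each device name to its classification code."""
    return {dev.name: classify(dev) for dev in fleet}


# Constructed sample inventory, not a real deployment.
FLEET = [
    Device("SUB-A-RELAY-01", "6MD85", "V7.80", True),
    Device("SUB-A-RELAY-02", "6MU85", "V7.80", True),   # 6MU85 range starts at V7.90
    Device("SUB-B-RELAY-07", "7SA86", "V9.30", True),   # already on the fixed version
    Device("SUB-B-RELAY-08", "7KE85", "V8.01", False),  # affected, workaround already in place
    Device("SUB-C-RELAY-03", "6MD89", "V8.30", True),   # end-of-life product
]

if __name__ == "__main__":
    for name, code in triage(FLEET).items():
        print(f"{ADVISORY} {name:16} {code:20} {ACTIONS[code]}")
```

The RADIUS flag is what separates "patch in the next window" from "act now": the advisory's prerequisites make a relay with the RADIUS client disabled unreachable by this bug, which is exactly the workaround listed above.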
API: /api/v1/advisories/49ebb3e2-ef89-4f77-94f7-6f06fc817f9a