OTPulse

Weak Encryption Vulnerability in SIPROTEC 5 Devices

Priority: Monitor
CVSS: 5.9
Advisory: SSA-750499
Published: Jul 9, 2024
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

SIPROTEC 5 protective relays and communication modules implement weak encryption in their communication protocols. This allows an attacker positioned on the network between a client and the affected device to conduct a man-in-the-middle attack and read encrypted data in transit. The vulnerability affects multiple device families, including distance relays used for power system protection and their associated communication modules. Siemens has released updated firmware versions for most CP100 and CP300 variants, but several CP200 module variants have no fix planned and will remain vulnerable.

What this means
What could happen
An attacker positioned on the network path between an engineering workstation and a SIPROTEC 5 relay could intercept and read encrypted communications, potentially exposing operational data, configuration details, or settings being transmitted to the device.
Who's at risk
Organizations operating SIPROTEC 5 protective relays and communication modules for electric power distribution, transmission, and generation systems. Affected devices include distance relays (7SA, 7SD, 7SJ, 7SK, 7SL, 7ST, 7SX, 7UT, 7VE, 7VK, 7VU, 7UM, 6MD, 6MU, 7KE, 7SS, and Compact 7SX800) used for feeder, line, transformer, and generator protection. Communication modules (ETH-BA-2EL, ETH-BB-2FO, ETH-BD-2FO) are also affected.
How it could be exploited
An attacker with network access to the path between a client and the SIPROTEC 5 device (e.g., via ARP spoofing, DNS hijacking, or network tapping on a shared segment) can perform a man-in-the-middle attack to decrypt the weak encryption and read the traffic. This requires the attacker to be positioned on the network but does not require breaking the encryption through brute force.
Prerequisites
  • Network access to the communication path between an engineering workstation and the SIPROTEC 5 device (same network segment or compromised routing infrastructure)
  • No authentication needed; the vulnerability exists in the encryption mechanism itself
  • Remotely exploitable via network access
  • No authentication required for the man-in-the-middle attack
  • Low complexity attack
  • No patch available for a significant number of product variants (CP200 modules and some communication module revisions)
  • Affects critical electrical infrastructure protection systems
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (69)
47 with fix · 22 pending

Product | Affected Versions | Fix Status
SIPROTEC 5 6MD84 (CP300) | < 9.64 | 9.64
SIPROTEC 5 6MD85 (CP200) | All versions | No fix yet
SIPROTEC 5 6MD85 (CP300) | < 9.64 | 9.64
SIPROTEC 5 6MD89 (CP300) | < 9.64 | 9.64
SIPROTEC 5 6MU85 (CP300) | < 9.64 | 9.64
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SIPROTEC 5 7SA82 (CP100)
  • HOTFIX: Update SIPROTEC 5 7SJ81 (CP100), 7SK82 (CP100), 7SL82 (CP100), 7SA82 (CP100), 7SD82 (CP100), 7UT82 (CP100) to firmware version 8.89 or later
SIPROTEC 5 6MD84 (CP300)
  • HOTFIX: Update SIPROTEC 5 7SA82 (CP150), 7SA87 (CP300), 7SD87 (CP300), 7SJ81 (CP150), 7SJ82 (CP150), 7SK82 (CP150), 7SL82 (CP150), 7UT82 (CP150), 7SX82 (CP150) to firmware version 9.65 or later
  • HOTFIX: Update SIPROTEC 5 6MD84 (CP300), 6MD85 (CP300), 6MD86 (CP300), 6MD89 (CP300), 6MU85 (CP300), 7KE85 (CP300), 7SA86 (CP300), 7SD86 (CP300), 7SJ85 (CP300), 7SJ86 (CP300), 7SK85 (CP300), 7SL86 (CP300), 7SS85 (CP300), 7ST85 (CP300), 7ST86 (CP300), 7SX85 (CP300), 7UM85 (CP300), 7UT85 (CP300), 7UT86 (CP300), 7UT87 (CP300), 7VE85 (CP300), 7VK87 (CP300), 7VU85 (CP300), Compact 7SX800 (CP050) to firmware version 9.64 or later
  • HOTFIX: Update SIPROTEC 5 7SA86 (CP300), 7SA87 (CP300), 7SD86 (CP300), 7SD87 (CP300), 7SJ85 (CP300), 7SJ86 (CP300), 7SK85 (CP300), 7SL86 (CP300), 7SL87 (CP300), 7SX85 (CP300), 7UT85 (CP300), 7UT86 (CP300), 7UT87 (CP300), 7VK87 (CP300) to firmware version 9.65 or later
SIPROTEC 5 7SA82 (CP150)
  • HOTFIX: Update SIPROTEC 5 7SA82 (CP150), 7SD82 (CP150), 7SL82 (CP150) to firmware version 9.65 or later
SIPROTEC 5 Communication Module ETH-BA-2EL (Rev.1)
  • HOTFIX: Update SIPROTEC 5 Communication Module ETH-BA-2EL (Rev.1) to firmware version 9.62 or later
  • HOTFIX: Update SIPROTEC 5 Communication Module ETH-BB-2FO (Rev.1) to firmware version 9.62 or later
SIPROTEC 5 Communication Module ETH-BD-2FO
  • HOTFIX: Update SIPROTEC 5 Communication Module ETH-BD-2FO to firmware version 9.62 or later
Long-term hardening
SIPROTEC 5 6MD85 (CP200)
  • HARDENING: For products with all versions affected and no patch available (SIPROTEC 5 models with CP200 modules: 6MD85, 7KE85, 7SA84, 7SA86, 7SA87, 7SD84, 7SD86, 7SD87, 7SJ85, 7SJ86, 7SK85, 7SL86, 7SL87, 7SS85, 7ST85, 7UT85, 7UT86, 7UT87, 7VK87, 6MD86, and Communication Modules), implement network segmentation to restrict access to SIPROTEC 5 devices to authorized engineering workstations only
All products
  • HARDENING: For products with no available patch, implement firewall rules and VPN/encrypted tunnels for remote engineering workstation access to SIPROTEC 5 devices
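As an added example (not OTPulse or Siemens code), the script below triages a relay inventory against the fix versions from the hotfix and hardening lines above: the fix table is a partial transcription of those lines, models the page lists at both 9.64 and 9.65 are resolved to the higher version as an assumption, and the inventory rows are constructed.

```python
"""Triage a SIPROTEC 5 inventory against the SSA-750499 fix versions."""
import csv
import io

# Fixed firmware per (model, module), transcribed from the hotfix lines above
# (partial). None = no fix planned (CP200 variants): hardening only.
# Assumption: a model listed at both 9.64 and 9.65 needs the higher version.
FIXED = {
    ("7SA82", "CP100"): "8.89", ("7SJ81", "CP100"): "8.89", ("7SD82", "CP100"): "8.89",
    ("7SA82", "CP150"): "9.65", ("7SD82", "CP150"): "9.65", ("7SL82", "CP150"): "9.65",
    ("6MD84", "CP300"): "9.64", ("7SS85", "CP300"): "9.64", ("7SA86", "CP300"): "9.65",
    ("7SX800", "CP050"): "9.64",
    ("6MD85", "CP200"): None, ("7SA86", "CP200"): None,
    ("ETH-BA-2EL", "Rev.1"): "9.62", ("ETH-BD-2FO", "-"): "9.62",
}

def version_tuple(v):
    """'9.64' -> (9, 64), so firmware strings compare numerically, not lexically."""
    return tuple(int(p) for p in v.split("."))

def assess(model, module, firmware):
    """Classify one device: 'patched', 'update to <v>', 'no fix: segment/tunnel', 'unknown'."""
    if (model, module) not in FIXED:
        return "unknown"
    fixed = FIXED[(model, module)]
    if fixed is None:
        return "no fix: segment/tunnel"
    if version_tuple(firmware) >= version_tuple(fixed):
        return "patched"
    return f"update to {fixed}"

def triage(inventory_csv):
    """Map each inventory row (device,model,module,firmware) to its status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["device"]: assess(r["model"], r["module"], r["firmware"]) for r in rows}

# Constructed sample inventory; device names and firmware values are made up.
SAMPLE = """device,model,module,firmware
feeder-01,7SJ81,CP100,8.80
feeder-02,7SA82,CP150,9.65
line-01,7SA86,CP300,9.64
sub-a-6md,6MD85,CP200,9.70
cm-01,ETH-BA-2EL,Rev.1,9.50
"""

if __name__ == "__main__":
    for device, status in triage(SAMPLE).items():
        print(f"{device:10s} {status}")
```

Devices that come back "no fix" are the ones the hardening items above apply to; "unknown" means the model/module pair is not in the transcribed table and must be checked against the full advisory.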