Multiple Vulnerabilities (INFRA:HALT) in Interniche IP-Stack based Low Voltage Devices

Plan PatchCVSS 7.5SSA-789208Aug 4, 2021

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Four vulnerabilities in the Interniche IP stack affect Siemens low-voltage power measurement and distribution devices. These are input validation (CWE-20) and weak random number generation (CWE-330) flaws in the network stack. Affected devices include SENTRON 7KM PAC Switched Ethernet PROFINET Expansion Module (all versions affected, some versions patched), SENTRON 3WA COM190, and SENTRON 3WL COM35. The vulnerabilities could allow remote attackers to cause device malfunction or denial of service without authentication.

What this means

What could happen

An attacker with network access could inject malformed packets into these power measurement and distribution devices, causing them to malfunction, go offline, or stop reporting accurate voltage and load data to your monitoring systems.

Who's at risk

Power utilities and industrial facilities using Siemens SENTRON low-voltage power measurement and distribution devices. Specifically affects: SENTRON 7KM PAC Switched Ethernet PROFINET Expansion Module (power analyzer/energy manager), SENTRON 3WA COM190 (motor control center communicator), and SENTRON 3WL COM35 (air circuit breaker communicator). If your facility monitors or manages electrical loads through these devices, you are affected.

How it could be exploited

An attacker on the network sends specially crafted packets targeting the Interniche IP stack on the device. The flaw is in how the stack validates input (CWE-20: improper input validation), allowing the attacker to bypass authentication or trigger unexpected behavior without needing valid credentials. The device is directly reachable from the network via PROFINET or Ethernet.

Prerequisites

Network reachability to the device on Ethernet/PROFINET
No valid credentials required
Device must be running an affected firmware version

Remotely exploitableNo authentication requiredLow complexity attackNetwork-accessible deviceAffects power distribution visibilityOne product version has no patch available

Exploitability

Unlikely to be exploited — EPSS score 0.7%

Affected products (5)

5 with fix

ProductAffected VersionsFix Status

SENTRON 7KM PAC Switched Ethernet PROFINET Expansion Module< V2.1.62.1.6

SENTRON 7KM PAC Switched Ethernet PROFINET Expansion Module< V3.0.43.0.4

SENTRON 3WA COM190< V2.0.02.0.0

SENTRON 3WL COM35< V1.2.01.2.0

SENTRON 7KM PAC Switched Ethernet PROFINET Expansion ModuleAll versions2.1.6, 3.0.4

Remediation & Mitigation

0/6

Schedule — requires maintenance window

0/4

Patching may require device reboot — plan for process interruption

SENTRON 3WA COM190

HOTFIXUpdate SENTRON 3WA COM190 to firmware v2.0.0 or later

SENTRON 3WL COM35

HOTFIXUpdate SENTRON 3WL COM35 to firmware v1.2.0 or later

All products

HOTFIXUpdate SENTRON 7KM PAC to firmware v2.1.6 or later

HOTFIXUpdate SENTRON 7KM PAC to firmware v3.0.4 or later

Long-term hardening

0/2

HARDENINGImplement network segmentation to restrict direct Ethernet/PROFINET access to these devices from untrusted networks

HARDENINGDeploy firewall rules to limit inbound traffic to these devices to only authorized management and monitoring stations

CVEs (4)

CVE-2020-35683 CVE-2020-35684 CVE-2020-35685 CVE-2021-31401

View full Siemens ProductCERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/e0d716d1-0c9e-40bc-b619-fdd38681eb2d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.