Memory Corruption Vulnerability in EN100 Ethernet Module
CVSS 8.6 · SSA-865333 · Jul 12, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The EN100 Ethernet module is affected by a memory corruption vulnerability that can be triggered by a malformed network packet sent over Ethernet. The vulnerability affects the DNP3 IP, IEC 104, Modbus TCP, and PROFINET IO variants (all versions; no fix available) and the IEC 61850 variant (versions prior to 4.40). Successful exploitation causes the affected module to crash and become unresponsive, disrupting communication between field devices and the control system. The vulnerability requires no authentication and can be triggered remotely by any device that can reach the module on the network.
What this means
What could happen
An attacker could send a malformed network packet to the EN100 module over Ethernet, causing the device to crash and stop communicating with the control system. For variants without fixes, this denial of service is permanent until manual intervention restarts the module.
Who's at risk
Water authorities and electric utilities using Siemens EN100 Ethernet modules for SCADA communications. These modules are commonly used to bridge legacy serial protocols (DNP3, IEC 104, IEC 61850, Modbus TCP, PROFINET) to modern Ethernet networks. Any facility where EN100 modules are deployed for telemetry, control signaling, or protective relay communications is affected.
How it could be exploited
An attacker on the network sends a specially crafted DNP3, IEC 104, Modbus TCP, or PROFINET message to the EN100 module's Ethernet port. The module's packet parsing code does not properly validate buffer boundaries, causing memory corruption. The corrupted memory causes the module to crash and become unresponsive to normal communications.
Prerequisites
- Network reachability to the EN100 module's Ethernet port (typically port 502 for DNP3, 2404 for IEC 104, 502 for Modbus TCP, or 34962 for PROFINET)
- No credentials required; the malformed packet triggers the vulnerability during normal protocol parsing
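As an added illustration (not code from the advisory or from Siemens), this is the kind of bounds check a passive network sensor can apply to Modbus TCP frames addressed to the module: the MBAP length field must agree with the bytes actually on the wire, which is exactly the consistency an unvalidated parser fails to enforce. The sample frames are constructed for the example; the packet that triggers this vulnerability is not published here.

```python
"""Strict Modbus TCP (MBAP) frame validation for a monitoring sensor.

Constructed example, not EN100 firmware and not the advisory's trigger.
A parser that trusts the length field without these checks can be driven
to read or copy past the bytes it actually received.
"""
import struct

MBAP_LEN = 7                    # transaction id (2), protocol id (2), length (2), unit id (1)
MAX_ADU = 260                   # maximum Modbus TCP ADU on the wire
MAX_LENGTH_FIELD = MAX_ADU - 6  # length field covers unit id + PDU, so at most 254


def check_mbap(frame: bytes):
    """Return (ok, reason); ok is True only for a self-consistent frame."""
    if len(frame) < MBAP_LEN + 1:  # need at least unit id + function code
        return False, "truncated: shorter than MBAP header plus function code"
    if len(frame) > MAX_ADU:
        return False, f"oversize ADU: {len(frame)} bytes"
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        return False, f"protocol id {proto} is not Modbus (0)"
    if length < 2 or length > MAX_LENGTH_FIELD:
        return False, f"length field {length} outside 2..{MAX_LENGTH_FIELD}"
    if length != len(frame) - 6:  # length must equal bytes following it
        return False, f"length field {length} != {len(frame) - 6} bytes present"
    return True, "ok"


def scan(frames):
    """Run the check over captured frames; return (index, reason) alerts."""
    alerts = []
    for i, frame in enumerate(frames):
        ok, reason = check_mbap(frame)
        if not ok:
            alerts.append((i, reason))
    return alerts


# Constructed sample frames (hex); only the first is well-formed.
SAMPLES = [
    bytes.fromhex("0001000000060103006b0003"),  # read holding registers, length 6 matches
    bytes.fromhex("00020000ffff0103006b0003"),  # length field 65535, only 6 bytes follow
    bytes.fromhex("0003000000050103006b0003"),  # length field 5 but 6 bytes follow
    bytes.fromhex("0004000100060103006b0003"),  # protocol id 1 (not Modbus)
    bytes.fromhex("000500000001"),              # truncated after the length field
]

if __name__ == "__main__":
    for idx, why in scan(SAMPLES):
        print(f"frame {idx}: {why}")
```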
- Remotely exploitable over Ethernet
- No authentication required
- Low attack complexity (malformed packet)
- High availability impact (denial of service)
- No patch available for 4 of 5 variants
- CVSS score 8.6 (high severity)
Exploitability
Moderate exploit probability (EPSS 1.8%)
Affected products (5)
1 with fix, 4 EOL
Product                                     Affected Versions   Fix Status
EN100 Ethernet module IEC 61850 variant     < V4.40             4.40
EN100 Ethernet module DNP3 IP variant       All versions        No fix (EOL)
EN100 Ethernet module IEC 104 variant       All versions        No fix (EOL)
EN100 Ethernet module Modbus TCP variant    All versions        No fix (EOL)
EN100 Ethernet module PROFINET IO variant   All versions        No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: For EN100 DNP3 IP, IEC 104, Modbus TCP, and PROFINET IO variants with no available fix: restrict network access to the EN100 module using firewall rules to allow only authorized control systems and engineering workstations.
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption.
HOTFIX: Update the EN100 IEC 61850 variant to firmware version 4.40 or later.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: EN100 Ethernet module DNP3 IP variant, EN100 Ethernet module IEC 104 variant, EN100 Ethernet module Modbus TCP variant, EN100 Ethernet module PROFINET IO variant. Apply the following compensating controls:
HARDENING: Isolate EN100 modules on a separate industrial network segment with strict ingress/egress rules and no direct connection from corporate networks or the internet.
CVEs (1)