• Restrict access to the networks where RADIUS messages are exchanged (e.g., send RADIUS traffic via management network or a dedicated VLAN)
• Configure the RADIUS server to require the presence of a Message-Authenticator attribute in all Access-Request packets from RADIUS client devices that support it

Product-specific remediations or mitigations can be found in the section Affected Products and Solution.
Please follow the General Security Recommendations.

Operators of critical power systems (e.g. TSOs or DSOs) worldwide are usually required by regulations to build resilience into the power grids by applying multi-level redundant secondary protection schemes. It is therefore recommended that the operators check whether appropriate resilient protection measures are in place. The risk of cyber incidents impacting the grid's reliability can thus be minimized by virtue of the grid design. Siemens strongly recommends applying the provided security updates using the corresponding tooling and documented procedures made available with the product. If supported by the product, an automated means to apply the security updates across multiple product instances may be used. Siemens strongly recommends prior validation of any security update before being applied, and supervision by trained staff of the update process in the target environment. As a general security measure Siemens strongly recommends to protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment.

Recommended security guidelines can be found at: https://www.siemens.com/gridsecurity

This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

Affected software or firmware for several SICAM products are as follows:

• SICAM A8000 Device firmware

  • CPCI85 for CP-8031/CP-8050
  • CPC80 for CP-8000/CP-8021/CP-8022
  • SICORE for CP-8010/CP-8012

• SICAM EGS Device firmware

  • CPCI85

• SICAM S8000

  • SICORE

Description of the Vulnerability

The vulnerability could allow on-path attackers, located between a Network Access Server (the RADIUS client, e.g., SICAM or SIPROTEC 5 devices) and a RADIUS server, to forge Access-Request packets in a way that enables them to modify the corresponding server response packet at will, e.g., turning an "Access-Reject" message into an "Access-Accept". This would cause the Network Access Server to grant the attackers access to the network with the attackers desired authorization (and without the need of knowing or guessing legitimate access credentials).

Successful attacks are demonstrated against RADIUS/UDP (IETF RFC 2865), similar attacks are considered possible against RADIUS/TCP (IETF RFC 6613). RADIUS/TLS (IETF RFC 6614) and RADIUS/DTLS (IETF RFC 7360) are not vulnerable.

Impact to SICAM, SIPROTEC 5 and related Products, Countermeasures

SICAM, SIPROTEC 5 and related devices use RADIUS/UDP for user authentication and are therefore considered vulnerable.

To fix the issue, specific countermeasures are required on both RADIUS client and RADIUS server side. The affected products listed in this advisory can operate as RADIUS clients but not as RADIUS servers. The requirements S1 - S3 listed below are therefore not applicable.

In the context of this advisory, RADIUS clients (i.e., SICAM, SIPROTEC 5 and related devices) need to:

• C1. Ensure that all Access-Request packets they send to the server contain a Message-Authenticator attribute.
• C2. Check all Access-accept, Access-Reject, and Access-Challenge packets coming from a RADIUS server for the presence of a Message-Authenticator attribute (see S1); submit an entry in the client's error log, if the attribute is missing. This supports operators to identify outdated RADIUS servers in their deployment, that haven't yet implemented or configured S1.

RADIUS servers need to:

• S1. Ensure that all replies to Access-Request packets contain a Message-Authenticator attribute as the first attribute in the packet.
• S2. Implement a per-client configuration flag which requires that all Access-Request packets coming from a client must contain a Message-Authenticator attribute.
• S3. If the server is also configured as a proxy (i.e., forwards certain client Access-Requests to another RADIUS server): Ensure that all proxied Access-Request packets contain a Message-Authenticator attribute.

The issue is fully mitigated only, if all recommendations are enforced in all RADIUS clients and servers. However, every individual recommendation decreases the likelihood of a successful attack.

Status

• SIPROTEC 5 devices (except 6MD89 (CP300), 7ST85 (CP300), 7ST86 (CP300)): C1 and C2 are not supported in current firmware versions, but planned to be implemented in a future version.
• SIPROTEC 5 6MD89 (CP300) and 7ST85 (CP300): C1 and C2 are implemented in version V9.68 (but not in complementary version V9.90). Update to V9.68 and enable S1 and S2 on the RADIUS server(s) in your deployment. Check the device's security log for entries containing "RADIUS server response without Message-Authenticator" to determine insecurely configured RADIUS servers.
• SIPROTEC 5 7ST86 (CP300): C1 and C2 are implemented in version V9.83. Update to V9.83 and enable S1 and S2 on the RADIUS server(s) in your deployment. Check the device's security log for entries containing "RADIUS server response without Message-Authenticator" to determine insecurely configured RADIUS servers.
• SICAM GridPass: C1 and C2 are implemented starting with version V2.50.
• SICAM Q100 devices: C1 and C2 are implemented starting with version V2.70. Update to V2.70 and enable S1 and S2 on the RADIUS server(s) in your deployment. Check the device's security log for entries containing "RADIUS server response without Message-Authenticator" to determine insecurely configured RADIUS servers.
• SICAM Q200 devices, Powerlink IP: C1 and C2 are not supported in current firmware versions, but planned to be implemented in a future version.
• CPCI85 for SICAM A8000 CP-8031/CP-8050 or for SICAM EGS: C1 and C2 are not supported in current firmware versions, but planned to be implemented in a future version.
• CPC80 for SICAM A8000 CP-8000/CP-8021/CP-8022: C1 and C2 are not supported in current firmware versions, but planned to be implemented in a future version.
• SICORE for SICAM A8000 CP-8010/CP-8012 or for SICAM S8000: C1 and C2 are not supported in current firmware versions, but planned to be implemented in a future version.

Specific Countermeasures (if the update to a fix version is not yet available or not possible in your deployment)

• SIPROTEC 5 devices, SICAM GridPass: Use LDAP instead of RADIUS for client authentication.
• CPCI85 for SICAM A8000 CP-8031/CP-8050 or for SICAM EGS: Use LDAP instead of RADIUS for client authentication.
• SICORE for SICAM A8000 CP-8010/CP-8012 or for SICAM S8000: Use LDAP instead of RADIUS for client authentication.

More Information

• CERT Coordination Center - "RADIUS protocol susceptible to forgery attacks": https://kb.cert.org/vuls/id/456537
• Research paper and related information - "RADIUS/UDP Considered Harmful": https://www.blastradius.fail/
• IETF Internet-Draft - "Deprecating Insecure Practices in RADIUS": https://datatracker.ietf.org/doc/draft-ietf-radext-deprecating-radius/