-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 # SSA-323211: Vulnerabilities in SIPROTEC 4 and SIPROTEC Compact Devices Publication Date: 2017-07-04 Last Update: 2018-06-12 Current Version: 1.8 CVSS v3.0 Base Score: 8.6 SUMMARY ======= SIPROTEC 4 and SIPROTEC Compact devices are affected by several vulnerabilities. Two of the vulnerabilities could allow attackers to perform a denial-of-service attack under certain conditions. Siemens has released updates for the affected products and will update this advisory when new information becomes available. AFFECTED PRODUCTS AND SOLUTION ============================== * Firmware variant PROFINET IO for EN100 Ethernet module - Affected versions: All versions < V1.04.01 - Remediation: Install V1.04.01 - Download: https://support.industry.siemens.com/cs/us/en/view/109745821 * Firmware variant Modbus TCP for EN100 Ethernet module - Affected versions: All versions < V1.11.00 - Remediation: Install V1.11.00 - Download: https://support.industry.siemens.com/cs/us/en/view/109745821 * Firmware variant DNP3 TCP for EN100 Ethernet module - Affected versions: All versions < V1.03 - Remediation: Install V1.03 - Download: https://support.industry.siemens.com/cs/us/en/view/109745821 * Firmware variant IEC 104 for EN100 Ethernet module - Affected versions: All versions < V1.21 - Remediation: Install V1.21 - Download: https://support.industry.siemens.com/cs/us/en/view/109745821 * EN100 Ethernet module included in SIPROTEC Merging Unit 6MU80 - Affected versions: All versions < 1.02.02 - Remediation: Install V1.02.02 - Download: Please contact the Siemens hotline at support.energy@siemens.com * SIPROTEC 7SJ686 - Affected versions: All versions < V 4.83 - Affected by vulnerabilities: - CVE-2016-4784 - Remediation: Install V 4.83 - Download: http://www.siemensenergysector.com/ProductRelatedDown.aspx?ProductId=51 * SIPROTEC 7SJ686 - Affected versions: All versions < V 4.87 - Affected by vulnerabilities: - CVE-2016-7114 - Remediation: Install V 4.87 - Download: http://www.siemensenergysector.com/ProductRelatedDown.aspx?ProductId=51 * SIPROTEC 7UT686 - Affected versions: All versions < V 4.01 - Affected by vulnerabilities: - CVE-2016-4784 - Remediation: Install V 4.01 - Download: http://www.siemensenergysector.com/ProductRelatedDown.aspx?ProductId=68 * SIPROTEC 7UT686 - Affected versions: All versions < V 4.02 - Affected by vulnerabilities: - CVE-2016-7114 - Remediation: Install V4.02 - Download: http://www.siemensenergysector.com/ProductRelatedDown.aspx?ProductId=68 * SIPROTEC 7SD686 - Affected versions: All versions < V 4.03 - Affected by vulnerabilities: - CVE-2016-4784 - Remediation: Install V 4.03 - Download: http://www.siemensenergysector.com/ProductRelatedDown.aspx?ProductId=64 * SIPROTEC 7SD686 - Affected versions: All versions < V 4.05 - Affected by vulnerabilities: - CVE-2016-7114 - Remediation: Install V4.05 - Download: http://www.siemensenergysector.com/ProductRelatedDown.aspx?ProductId=64 * SIPROTEC 7SJ66 - Affected versions: All versions < V 4.20 - Affected by vulnerabilities: - CVE-2016-4784 - Remediation: Install V 4.20 - Download: https://support.industry.siemens.com/cs/gb/en/view/109743555 * SIPROTEC 7SJ66 - Affected versions: All versions < V 4.30 - Affected by vulnerabilities: - CVE-2016-7114 - Remediation: Install V 4.30 - Download: https://support.industry.siemens.com/cs/us/en/view/109743555 WORKAROUNDS AND MITIGATIONS =========================== Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk: * Apply secure substation concept and Defense-in-Depth (see https://www.siemens.com/gridsecurity) * Restrict network access to port 80/TCP and port 50000/UDP GENERAL SECURITY RECOMMENDATIONS ================================ As a general security measure Siemens strongly recommends to protect network access with appropriate mechanisms (e.g. firewalls, segmentation, VPN). It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment. Recommended security guidelines to Secure Substations can be found at: https://www.siemens.com/gridsecurity PRODUCT DESCRIPTION =================== SIPROTEC 4 and SIPROTEC Compact devices provide a wide range of integrated protection, control, measurement, and automation functions for electrical substations and other fields of application. The EN100 Ethernet modules are used for enabling process communication on either IEC 61850, PROFINET IO, Modbus TCP, DNP3 TCP or IEC 104 protocols via electrical/optical 100 Mbit interfaces on SIPROTEC 4, SIPROTEC Compact and Reyrolle devices. SIPROTEC Merging Unit 6MU80 devices allows conversion of current substations to process bus substations based on IEC 61850-9-2 and IEC 61850-8-1 GOOSE without changing the primary equipment. VULNERABILITY CLASSIFICATION ============================ The vulnerability classification has been performed by using the CVSS scoring system in version 3.0 (CVSS v3.0) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring. * Vulnerability CVE-2015-5374 Specially crafted packets sent to port 50000/UDP could cause a denial-of-service of the affected device. A manual reboot may be required to recover the service of the device. CVSS v3.0 Base Score: 8.6 CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:H/RL:O/RC:C * Vulnerability CVE-2016-4784 The integrated web server (port 80/tcp) of the affected devices could allow remote attackers to obtain sensitive device information if network access was obtained. CVSS v3.0 Base Score: 5.3 CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C * Vulnerability CVE-2016-4785 The integrated web server (port 80/tcp) of the affected devices could allow remoteattackers to obtain a limited amount of device memory content if network access was obtained. This vulnerability only affects EN100 Ethernet module included in SIPROTEC4 and SIPROTEC Compact devices. CVSS v3.0 Base Score: 5.3 CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C * Vulnerability CVE-2016-7112 Attackers with network access to the device's web interface (port 80/tcp) could possibly circumvent authentication and perform certain administrative operations. CVSS v3.0 Base Score: 5.3 CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C * Vulnerability CVE-2016-7113 Specially crafted packets sent to port 80/tcp could cause the affected device to go into defect mode. CVSS v3.0 Base Score: 5.3 CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C * Vulnerability CVE-2016-7114 Attackers with network access to the device's web interface (port 80/tcp) could possibly circumvent authentication and perform certain administrative operations. A legitimate user must be logged into the web interface for the attack to be successful. CVSS v3.0 Base Score: 4.3 CVSS v3.0 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C ADDITIONAL INFORMATION ====================== For further inquiries on vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories HISTORY DATA ============ V1.0 (2017-07-04): Publication Date V1.1 (2017-07-18): Added update for DNP3 TCP V1.2 (2017-07-25): Added update for IEC 104 V1.3 (2017-09-07): Added update for Modbus TCP V1.4 (2017-10-09): Corrected "Affected Products" and added update for SIPROTEC 7SJ686 V1.5 (2017-11-30): Added update for 7SD686 V1.6 (2017-12-22): Added update for 7UT686 V1.7 (2018-03-15): Added update for 7SJ66 V1.8 (2018-06-12): Clarified update for 7SJ686 TERMS OF USE ============ Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use. -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJbHw0AAAoJELtnleqOVdUuCuwQAKiH4ibH/yxqni7BtZm+pEuT B4udF3V7ET7btt65LBva9DVKKsZtTAQFNHu/HyWThwoXCpop+QnSGg8XTHa01pOC aSh6eiF4CxIG+Opo6pA+zibj/VdpskvPVGGzx4qKxC1s/QLBDVmWk9idVxN0S9mB fR3FuRquHMwU4Vv0RJ7rNOzDRG40OILRcmP2xNE3Jcd4FrekpbPJcyDKvQxIppxm DArsS2kPaGNtb7FWEm/PN4g4QfHxYm2er8/zSGrPkN62t2vCpVQKU8aJW9zXdXku H0pC132+lZzX9eRmz/o58fcRJMq3bpECwIPv0mQIPf2m87trv2nglduADWObci6d ArPsFlvVKQHmNdzm66gWlj08Om3zM8q78yzm9oXerllr1bTNSIyzb+4c9BsrzGc0 qsioi7A5ZsJ3T4K36LTrP2/LPls7Yj8d1MQ9u0Gn+pdlt7DNQT5VrQDj3EsY2YVf Ojjq5sdxXg+vYrWg74No7WHt2LVYTczq68GWfpYEH4HVlgl0NGJvOz2V9iL1IJ6w fFUTvn6gflRnougmlR7K49U9uvZAXoJgq8BOxb04MWgiwNY54HixkCys5drecEvZ 9q+K3w4kFXry6P1hYLZA+YsJvWOG+XS93T3XDtpNfWmCZWRMxEr66q5MB0UUYfc5 4O03H5NKcx4VS45rqo3Q =zR8t -----END PGP SIGNATURE-----