Siemens has published a security advisory on serious vulnerabilities in SICAM RTU SM-2556 COM communication modules. These devices are widespread in the electric power sector across the globe. They are protocol elements for LAN/WAN communication and can be connected to substation controllers based on SICAM 1703 and RTU. The vulnerabilities affect devices with the following firmware versions: ENOS00, ERAC00, ETA2, ETLS00, MODi00 and DNPi00.
The most serious of the vulnerabilities is a critical vulnerability of the integrated GoAhead web server (CVE-2017-12739), which could allow unauthenticated remote attackers to execute arbitrary code. The web server is also prone to cross-site scripting attacks (CVE-2017-12738) and a vulnerability (CVE-2017-12737) that could be used by unauthenticated remote attackers to obtain sensitive device information, such as a list of passwords.
The vulnerabilities were discovered by SEC Consult Vulnerability Lab researchers, who published a Proof-of-Concept to demonstrate them.
Since these devices are no longer supported, Siemens decided not to develop patches. To reduce the risk, the vendor recommends disabling the web server, which is used only for diagnostics and is not required for normal operation.
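Before relying on that mitigation, an operator will want to confirm that the diagnostics web server is actually unreachable on every module in the field. The following Python script is an added example written for this page; it is not Siemens code and not part of the advisory or the SEC Consult research. It assumes that the diagnostics server listens on TCP/80 and that GoAhead identifies itself with a `Server: GoAhead...` response header; both assumptions should be checked against one of your own modules first. The host inventory and the local stand-in server used for the demonstration are constructed for the example.

```python
"""Audit helper (added example, not vendor code): verify that the diagnostics
web server on each SICAM module is unreachable and flag any host that still
answers with a GoAhead banner.

Assumptions (not taken from the advisory): the diagnostics server listens on
TCP/80 and GoAhead sends a 'Server: GoAhead...' header. Check both against a
real module before trusting the result.
"""
import http.server
import socket
import threading

# Firmware versions the advisory lists as affected (from the page).
AFFECTED_FIRMWARE = {"ENOS00", "ERAC00", "ETA2", "ETLS00", "MODi00", "DNPi00"}


def classify_banner(raw: bytes) -> str:
    """Classify a raw HTTP response: 'goahead', 'other-http' or 'not-http'."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    if not head.startswith(b"HTTP/"):
        return "not-http"
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"server" and b"goahead" in value.lower():
            return "goahead"
    return "other-http"


def probe_web_server(host: str, port: int, timeout: float = 3.0) -> str:
    """Return 'closed' if nothing accepts the connection, else the banner class."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            data = b""
            try:
                while b"\r\n\r\n" not in data:
                    chunk = s.recv(4096)
                    if not chunk:
                        break
                    data += chunk
            except socket.timeout:
                pass  # classify whatever arrived before the timeout
            return classify_banner(data)
    except OSError:
        return "closed"


def audit(inventory):
    """Probe each (label, host, port, firmware) entry; return verdict per label."""
    results = {}
    for label, host, port, firmware in inventory:
        status = probe_web_server(host, port)
        if status == "closed":
            verdict = "ok: diagnostics web server not reachable"
        elif firmware in AFFECTED_FIRMWARE:
            verdict = "ACTION: affected firmware and web server still reachable; disable it"
        else:
            verdict = "review: web server reachable; confirm firmware against the advisory"
        results[label] = (firmware, status, verdict)
    return results


class _DemoGoAheadHandler(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in that mimics only the Server header of a GoAhead module."""
    server_version = "GoAhead-Webs"
    sys_version = ""

    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_demo_goahead_server():
    """Start the stand-in on a free loopback port; returns (server, port)."""
    server = http.server.HTTPServer(("127.0.0.1", 0), _DemoGoAheadHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def stop_demo_server(server):
    """Stop the stand-in and release its port so a re-probe reports 'closed'."""
    server.shutdown()
    server.server_close()


if __name__ == "__main__":
    # Constructed inventory: one module with affected firmware, pointed at the
    # local stand-in. Replace with your own module addresses (port 80).
    server, port = start_demo_goahead_server()
    inventory = [("rtu-substation-01", "127.0.0.1", port, "ETA2")]
    for label, (fw, status, verdict) in audit(inventory).items():
        print(f"{label} fw={fw} probe={status} -> {verdict}")
    stop_demo_server(server)
    for label, (fw, status, verdict) in audit(inventory).items():
        print(f"{label} fw={fw} probe={status} -> {verdict}")
```

The probe sends a single `HEAD /` request and classifies only the response headers, so it never touches device functions beyond the banner; a module that accepts the connection but answers with something that is not HTTP is reported as `not-http` for manual review rather than being marked safe.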
In addition, because the SM-2558 COM module, the successor to the SM-2556, could also be vulnerable, Siemens recommends that users of those devices update the firmware to the latest versions: ETA4, MBSiA0 and DNPiA1.