04 December 2017

Vulnerabilities in Siemens SWT 3000 Devices

Siemens has reported vulnerabilities in the SWT 3000 protection signal transmission system.

SWT 3000 is a telecommunication solution that is popular in the energy sector. It is used in analog, digital and optical communication channels and as part of high-frequency power-line carrier communication equipment.

According to an advisory released by Siemens, vulnerabilities affect EN100 (iSWT 3000) modules with the following firmware versions:

  • IEC 61850: all versions prior to V4.29.01
  • TPOP firmware: all versions prior to V01.01.00.

A total of five medium-severity vulnerabilities, with CVSS scores from 4.3 to 5.3, were identified.

Two of these are associated with the integrated web server (port 80/tcp) and, if network access is obtained, could allow remote attackers to obtain sensitive device information (CVE-2016-4784) or a limited amount of device memory content (CVE-2016-4785). These vulnerabilities affect the IEC 61850 firmware only and do not affect SWT 3000 devices with TPOP.

Attackers who have obtained network access to the device’s web interface (port 80/tcp) can also circumvent authentication and perform certain administrative operations (CVE-2016-7112 and CVE-2016-7114). Importantly, for an attack exploiting CVE-2016-7114 to be successful, a legitimate user must be logged into the web interface.

Additionally, a denial-of-service (DoS) attack can be carried out by sending specially crafted packets to port 80/tcp in order to exploit the CVE-2016-7113 vulnerability.

To close the above vulnerabilities, Siemens recommends updating device firmware to the following versions: IEC 61850 firmware to V4.29.01 and TPOP firmware to V01.01.00.

Source: Siemens