17 July 2018

DoS vulnerabilities in SIPROTEC 5 relays and EN100 communication module

Siemens has reported two vulnerabilities in the EN100 communication module and SIPROTEC 5 relays. Exploitation of these vulnerabilities could lead to a denial-of-service condition on affected devices’ network functionality and cause these devices to become unavailable by sending specially crafted packets to port 102/tcp.

The problem is caused by vulnerabilities CVE-2018-11451 and CVE-2018-11452. As a precondition for successful exploitation of these vulnerabilities, IEC 61850-MMS communication needs to be activated on affected products or modules. Remote attackers need network access to the device, but no user interaction or privileges are required.

The following Ethernet modules are affected by the above vulnerabilities:

  • EN100 IEC 61850: all versions prior to 4.33;
  • EN100 PROFINET IO: all versions;
  • EN100 Modbus TCP: all versions;
  • EN100 DNP3 TCP: all versions;
  • EN100 IEC 104: all versions.

The following devices are only affected by CVE-2018-11451:

  • SIPROTEC 5 with CP300 and CP100 CPUs (all versions prior to 7.80) and the respective communication modules;
  • All versions of SIPROTEC 5 with CP200 CPUs and the respective communication modules.

The vendor has released firmware updates fixing the above vulnerabilities for some affected devices and continues working on patches for the remaining devices. As a mitigation measure, the vendor recommends blocking access to port 102/tcp on vulnerable devices with an external firewall.

Source: Siemens