Full Report
DoS vulnerabilities have been identified in Siemens SIPROTEC 5 relays and the EN100 communication module. These vulnerabilities can be exploited by a remote attacker without requiring any privileges or user interaction.
Analysis Summary
# Vulnerability: Denial of Service in Siemens SIPROTEC 5 and EN100 Modules
## CVE Details
* **CVE ID:** CVE-2018-11451, CVE-2018-11452
* **CVSS Score:** 7.5 (High)
* **CWE:** CWE-20 (Improper Input Validation), CWE-400 (Uncontrolled Resource Consumption)
## Affected Systems
* **Products:**
  * Siemens SIPROTEC 5 Protective Relays (all variants)
  * Siemens EN100 Communication Modules (used in SIPROTEC 4, SIPROTEC Compact, and Reyrolle devices)
* **Versions:**
  * SIPROTEC 5 firmware versions prior to v7.80
  * EN100 Ethernet modules (PROFINET and Modbus TCP variants) prior to v1.04.01
* **Configurations:** The vulnerability is triggered by the processing of specially crafted packets sent to the device via the integrated Ethernet interface or the EN100 module.
## Vulnerability Description
The vulnerability stems from improper handling of specially crafted packets sent to the affected devices at port 102/TCP (ISO-TSAP). An attacker can trigger a firmware exception by sending a sequence of malformed packets. This causes the device to enter a "Defect" mode or restart, leading to a temporary loss of its protective signaling and communication functions.
## Exploitation
* **Status:** Proof-of-Concept (PoC) known; no widespread exploitation in the wild at time of initial reporting.
* **Complexity:** Low
* **Attack Vector:** Network (Remote)
## Impact
* **Confidentiality:** None
* **Integrity:** None
* **Availability:** High (Total loss of protection and monitoring functionality until the device is manually or automatically rebooted).
## Remediation
### Patches
* **SIPROTEC 5:** Upgrade firmware to V7.80 or later.
* **EN100 (PROFINET IO):** Update to firmware version V1.04.01 or later.
* **EN100 (Modbus TCP):** Update to firmware version V1.04.01 or later.
### Workarounds
* **Network Segmentation:** Isolate the substation automation network from the corporate network and the internet.
* **Access Control:** Use firewalls or ACLs to restrict access to Port 102/TCP to only authorized engineering workstations or SCADA masters.
* **Physical Security:** Ensure the devices are located in a physically secure environment to prevent unauthorized local network access.
## Detection
* **Indicators of Compromise:**
  * Unexpected device reboots or transitions to "Defect" mode.
  * Loss of communication with the relay via DIGSI or SCADA.
* **Detection Methods and Tools:**
  * Monitor network traffic for unusual or malformed ISO-on-TCP (Port 102) traffic patterns.
  * Use Industrial Intrusion Detection Systems (IIDS) with signatures specifically designed for Siemens S7/SIPROTEC protocol anomalies.
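To make the "malformed ISO-on-TCP traffic" indicator above concrete, here is an added detection example (not code from the Siemens or Kaspersky advisories): it sanity-checks the RFC 1006 TPKT and ISO 8073 COTP headers of TCP payloads sent to port 102 and counts violations per source address. The sample segments, source addresses and the threshold of three are constructed for illustration; the generic header violations shown are not the packets that trigger the vulnerability.

```python
import struct
from collections import Counter

# COTP (ISO 8073) PDU types that legitimately appear in a port 102 session: CR, CC, DT, DR, ER.
COTP_TYPES = {0xE0, 0xD0, 0xF0, 0x80, 0x70}

def check_iso_on_tcp(payload):
    """Return anomaly descriptions for one TCP payload sent to port 102 (empty list = well-formed)."""
    issues = []
    if len(payload) < 4:
        return ["truncated TPKT header"]
    # RFC 1006 TPKT: version 3, reserved 0, 16-bit length covering the whole TPKT.
    version, reserved, tpkt_len = struct.unpack("!BBH", payload[:4])
    if version != 3:
        issues.append("TPKT version %d, expected 3" % version)
    if reserved != 0:
        issues.append("TPKT reserved byte is non-zero")
    if tpkt_len != len(payload):
        issues.append("TPKT length %d != segment length %d" % (tpkt_len, len(payload)))
    if len(payload) < 6:
        return issues + ["truncated COTP header"]
    # ISO 8073 COTP: the length indicator counts the header bytes after itself, then comes the PDU type.
    li, pdu_type = payload[4], payload[5]
    if (pdu_type & 0xF0) not in COTP_TYPES:
        issues.append("unknown COTP PDU type 0x%02x" % pdu_type)
    if 5 + li > len(payload):
        issues.append("COTP length indicator %d overruns the segment" % li)
    return issues

def flag_sources(segments, threshold=3):
    """Given (source_ip, tcp_payload) pairs, return sources with at least `threshold` anomalous segments."""
    anomalies = Counter(src for src, payload in segments if check_iso_on_tcp(payload))
    return {src: n for src, n in anomalies.items() if n >= threshold}

# Constructed sample traffic (not from a real capture): a well-formed COTP connect request and data
# TPDU from an engineering workstation, and three generic header violations from another host.
GOOD_CR = bytes.fromhex("03000016" "11e0" "0000" "0001" "00" "c1020100" "c2020102" "c0010a")
GOOD_DT = bytes.fromhex("03000007" "02f080")
SAMPLE_SEGMENTS = [
    ("192.0.2.10", GOOD_CR),
    ("192.0.2.10", GOOD_DT),
    ("203.0.113.5", bytes.fromhex("03000400" "02f080")),  # TPKT length field disagrees with segment
    ("203.0.113.5", bytes.fromhex("07000007" "02f080")),  # TPKT version is not 3
    ("203.0.113.5", bytes.fromhex("03000007" "fff080")),  # COTP length indicator runs past the end
]

if __name__ == "__main__":
    for src, payload in SAMPLE_SEGMENTS:
        print(src, check_iso_on_tcp(payload) or "ok")
    print("sources to investigate:", flag_sources(SAMPLE_SEGMENTS))
```

In practice the `(source_ip, tcp_payload)` pairs would come from a span port or packet capture of the substation network, reassembled per TCP segment to port 102.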
## References
* Siemens Security Advisory (SSA-202417): hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-202417[.]pdf
* Kaspersky ICS CERT: hxxps[://]ics-cert[.]kaspersky[.]com/publications/reports/2018/07/17/dos-vulnerabilities-in-siprotec-5-relays-and-en100-communication-module/
* NIST NVD: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2018-11451