Full Report
A vulnerability in the third-party component SISCO MMS-EASE could allow attackers to cause a denial-of-service condition on SIPROTEC 5 devices. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Denial of Service via SISCO MMS-EASE in SIPROTEC 5 Devices
## CVE Details
- CVE ID: CVE-2015-6574
- CVSS Score: 7.5 (High)
- CWE: CWE-770: Allocation of Resources Without Limits or Throttling
## Affected Systems
- Products: SIPROTEC 5 Devices utilizing the SISCO MMS-EASE component, specifically models: 6MD85 (CP200/CP300), 6MD86 (CP200/CP300), 6MD89 (CP300), 7KE85 (CP200/CP300), 7SA82 (CP100), 7SA84 (CP200), 7SA86 (CP200/CP300), 7SA87 (CP200), and 7ST85 (CP200).
- Versions: All versions prior to the specified fix versions (V7.58 or V7.80, depending on the specific product/CP version).
- Configurations: Vulnerable via remote network access.
## Vulnerability Description
A vulnerability exists within the third-party component SISCO MMS-EASE used in affected Siemens SIPROTEC 5 devices. A remote attacker can exploit this flaw by sending a crafted packet, leading to a Denial of Service (DoS) condition characterized by excessive CPU consumption on the target device.
## Exploitation
- Status: Exploitation status is not explicitly detailed, but the CVSS vector suggests known exploitability characteristics (E:P - Proof of Concept exists).
- Complexity: Low (AC:L)
- Attack Vector: Network (AV:N)
## Impact
- Confidentiality: No impact (C:N)
- Integrity: No impact (I:N)
- Availability: High impact (A:H) - Denial of Service condition (CPU consumption).
## Remediation
### Patches
Users must update to the recommended versions to patch the vulnerability:
* **Update to V7.58 or later:** For SIPROTEC 5 6MD85 (CP200/CP300), 6MD86 (CP200/CP300), 7SA82 (CP100), 7SA84 (CP200), 7SA86 (CP200/CP300), 7SA87 (CP200), and 7ST85 (CP200).
* **Update to V7.80 or later:** For SIPROTEC 5 6MD89 (CP300) and 7KE85 (CP200/CP300).
**Note:** Refer to the specific Siemens support links provided in the advisory for exact downloads.
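The fix thresholds above differ by model, so a single "is it at least V7.58" check misses 6MD89 and 7KE85 units. The following added example (not part of the Siemens advisory) triages an asset inventory against the per-model fix versions; the CSV column names, hostnames, the `XX000` model and the sample firmware values are constructed, and versions are assumed to compare numerically as major.minor.

```python
import csv
import io
import re

# Fix versions and CP variants as listed in the Patches section above.
FIXED = {
    "6MD85": ({"CP200", "CP300"}, (7, 58)),
    "6MD86": ({"CP200", "CP300"}, (7, 58)),
    "6MD89": ({"CP300"}, (7, 80)),
    "7KE85": ({"CP200", "CP300"}, (7, 80)),
    "7SA82": ({"CP100"}, (7, 58)),
    "7SA84": ({"CP200"}, (7, 58)),
    "7SA86": ({"CP200", "CP300"}, (7, 58)),
    "7SA87": ({"CP200"}, (7, 58)),
    "7ST85": ({"CP200"}, (7, 58)),
}

def parse_version(text):
    """Parse 'V7.58' into (7, 58); assumes numeric major.minor. None if malformed."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)", text.strip())
    return (int(m.group(1)), int(m.group(2))) if m else None

def assess(model, cp, firmware):
    """Return 'vulnerable', 'fixed', 'not-listed' or 'unknown-version'."""
    entry = FIXED.get(model.strip().upper())
    if entry is None or cp.strip().upper() not in entry[0]:
        return "not-listed"        # model/CP pair is not named in this summary
    version = parse_version(firmware)
    if version is None:
        return "unknown-version"   # needs manual review, do not assume fixed
    return "fixed" if version >= entry[1] else "vulnerable"

def triage(inventory_csv):
    """Map each host in a CSV (host,model,cp,firmware) to its status."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: assess(r["model"], r["cp"], r["firmware"]) for r in rows}

# Constructed sample inventory (hostnames, XX000 and versions are made up).
SAMPLE = """host,model,cp,firmware
bay-01,6MD85,CP300,V7.50
bay-02,7KE85,CP200,V7.58
bay-03,7SA86,CP200,V7.58
bay-04,6MD89,CP300,V8.01
bay-05,7SA82,CP100,unknown
bay-06,XX000,CP300,V7.30
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Devices reported as `unknown-version` or `not-listed` still need a manual check against SSA-223771 rather than being treated as unaffected.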
### Workarounds
The advisory references a "Workarounds and Mitigations" section within the full advisory for temporary measures; these typically involve network segmentation or input filtering, but specific technical details are not provided in this summary context.
## Detection
- Indicators of compromise: Excessive CPU utilization observed on the affected SIPROTEC 5 controllers correlating with external network traffic.
- Detection methods and tools: Monitoring network traffic targeted at the SISCO MMS-EASE service implementation for malformed or unexpected packets. Analyzing device performance logs for sustained high CPU load.
## References
- Vendor Advisories:
  - SSA-223771 (Siemens ProductCERT)
- Relevant links:
  - hxxps://cert-portal.siemens.com/productcert/html/ssa-223771.html