Full Report
SIPROTEC 5 devices contain a null pointer dereference vulnerability in the web service. This could allow an attacker to send an unauthenticated, maliciously crafted HTTP request that could cause a denial-of-service condition on the device. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Denial of Service in SIPROTEC 5 Web Service via Null Pointer Dereference
## CVE Details
- CVE ID: CVE-2023-28766
- CVSS Score: 7.5 (High)
- CWE: CWE-476: NULL Pointer Dereference
## Affected Systems
- Products: SIPROTEC 5 devices, specifically:
  - SIPROTEC 5 - CP100 Devices (e.g., 7SA82, 7SD82, 7SL82, 7UT82)
  - SIPROTEC 5 Communication Modules (ETH-BA-2EL Rev.1, ETH-BB-2FO Rev. 1, ETH-BD-2FO) installed on CP100, CP150, or CP300 devices.
  - SIPROTEC 5 Compact 7SX800 (CP050)
  - Other identified products (e.g., 6MD89 (CP300), 7ST85 (CP300)).
- Versions: Specific vulnerable versions are noted as "All versions < [Patch Version]" for each product line. *Note: A comprehensive mapping is detailed in the vendor advisory.*
- Configurations: Vulnerability resides in the hosted web service.
## Vulnerability Description
The affected devices contain a flaw related to improper validation of HTTP request parameters within their integrated web service. This lack of validation allows an unauthenticated, remote attacker to send specially crafted HTTP requests that trigger a NULL Pointer Dereference. Successful exploitation leads to a Denial of Service (DoS) condition, crashing the target device.
## Exploitation
- Status: PoC available (Implied by the nature of the vulnerability report and CVSS Environmental Score components indicating exploitability, though not explicitly stated as In The Wild).
- Complexity: Low (AV:N/AC:L/PR:N/UI:N: network-accessible, low attack complexity, no privileges required, no user interaction).
- Attack Vector: Network
## Impact
- Confidentiality: No impact (N)
- Integrity: No impact (N)
- Availability: High impact (H)
## Remediation
### Patches
Siemens recommends updating to the latest permanent versions. Specific minimum fixed versions depend on the affected component:
- **SIPROTEC 5 7SA82 (CP100), 7SD82 (CP100), 7SL82 (CP100), 7UT82 (CP100):** Update to V9.40 or later (Note: Fixes were added in V1.5 of the advisory, 2025-11-11).
- **SIPROTEC 5 Communication Modules (ETH-BA-2EL, ETH-BB-2FO) on CP150/CP300:** Update to V9.40 or later.
- **SIPROTEC 5 Communication Module ETH-BA-2EL (Rev.1) on CP100:** Update to V8.89 or a later V8.xx version.
- **SIPROTEC 5 Compact 7SX800 (CP050):** Update to V9.40 or later.
### Workarounds
The vendor advisory points to a section for "Workarounds and Mitigations" which likely includes network segmentation or disabling the vulnerable web service interface if possible. (Specific workarounds are not detailed in this summary scope but must be reviewed in the full advisory.)
## Detection
- Indicators of compromise: Device instability, unexpected reboots, or service interruption of the SIPROTEC 5 device.
- Detection methods and tools: Network monitoring tools looking for unusual or malformed HTTP requests directed at the web interface of the SIPROTEC 5 devices.
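As an added illustration of the monitoring approach above (not part of the advisory or any Siemens tooling), the following script screens HTTP request log lines aimed at relay web interfaces. Since the flaw needs no authentication, it flags sources outside an engineering allowlist; since the advisory does not disclose which request parameters are mishandled, blank or keyless parameters and 5xx answers are used as heuristics. The log layout, subnet and addresses are constructed.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import parse_qsl, urlsplit

# Constructed values, not from the advisory: the engineering subnet whose
# workstations may legitimately reach the relays' web interface, and the
# web-interface addresses of the SIPROTEC 5 devices being watched.
ENGINEERING_NET = ip_network("10.10.50.0/24")
RELAY_HOSTS = {"10.10.60.11", "10.10.60.12"}

# Constructed log layout: <dst> <src> "<METHOD> <url> HTTP/x.y" <status>,
# as a TAP or proxy in front of the substation network might record it.
LOG_RE = re.compile(
    r'^(?P<dst>\S+) (?P<src>\S+) "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/\d\.\d" (?P<status>\d{3})$'
)

def analyse_request(line):
    """Return the findings for one log line ([] when nothing is suspicious)."""
    m = LOG_RE.match(line)
    if m is None:
        return ["unparseable-line"]
    if m["dst"] not in RELAY_HOSTS:
        return []  # not aimed at a relay web interface: out of scope
    findings = []
    # CVE-2023-28766 needs no authentication, so *who* talks to the web
    # service matters more than *how*: flag anything outside the allowlist.
    if ip_address(m["src"]) not in ENGINEERING_NET:
        findings.append("source-outside-engineering-net")
    # The flaw is improper validation of request parameters. Which ones is
    # not public, so a blank or keyless parameter is only a heuristic.
    for key, value in parse_qsl(urlsplit(m["url"]).query, keep_blank_values=True):
        if key == "" or value == "":
            findings.append("empty-parameter:" + (key or "<nokey>"))
    # A 5xx from the relay matches the "service interruption" indicator and
    # is worth correlating with reboot events from the device itself.
    if m["status"].startswith("5"):
        findings.append("server-error-response")
    return findings

def scan_log(lines):
    """Map line index -> findings for every line that produced any."""
    return {i: f for i, f in ((i, analyse_request(l)) for i, l in enumerate(lines)) if f}

# Constructed sample traffic (hypothetical addresses and paths).
SAMPLE_LOG = [
    '10.10.60.11 10.10.50.20 "GET /settings?group=1&page=2 HTTP/1.1" 200',
    '10.10.60.11 192.168.7.44 "GET /settings?group=&page=2 HTTP/1.1" 500',
    '10.10.70.5 192.168.7.44 "GET /?x= HTTP/1.1" 200',
]
```

Running `scan_log(SAMPLE_LOG)` reports only the second line; a flagged line followed by the relay going silent is the event to correlate with the reboot indicator listed above.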
## References
- Vendor Advisories: SSA-322980
- Relevant links:
  - hxxps://www.siemens.com/cert/advisories
  - Siemens support links specific to patch versions (e.g., hxxps://support.industry.siemens.com/cs/ww/en/view/109800399/)