Full Report
SIPROTEC 4 7SJ66 devices are affected by multiple security vulnerabilities in the underlying Wind River VxWorks network stack. This stack is affected by nine of the eleven vulnerabilities collectively known as "URGENT/11". The vulnerabilities could allow an attacker to mount a range of attacks, including denial of service (DoS), data extraction and remote code execution, targeting the availability, integrity and confidentiality of the devices and their data. Siemens has released a new version for SIPROTEC 4 7SJ66 and recommends updating to the latest version.
Analysis Summary
# Vulnerability: URGENT/11 TCP/IP Stack Flaws in SIPROTEC 4 7SJ66
## CVE Details
This advisory covers nine specific CVEs originating from the Wind River VxWorks IPNET stack (the two URGENT/11 flaws not listed, CVE-2019-12257 and CVE-2019-12264, sit in the ipdhcpc DHCP client and are not reported for this product):
- **CVE-2019-12255** (TCP Urgent Pointer = 0 integer underflow): CVSS 9.8 (Critical)
- **CVE-2019-12256** (stack overflow in parsing IPv4 options): CVSS 9.8 (Critical)
- **CVE-2019-12260** (TCP Urgent Pointer state confusion via malformed TCP AO option): CVSS 9.8 (Critical)
- **CVE-2019-12262** (handling of unsolicited Reverse ARP replies): CVSS 9.8 (Critical)
- **CVE-2019-12261** (TCP Urgent Pointer state confusion during connect() to a remote host): CVSS 8.8 (High)
- **CVE-2019-12263** (TCP Urgent Pointer state confusion due to a race condition): CVSS 8.1 (High)
- **CVE-2019-12258** (DoS of a TCP connection via malformed TCP options): CVSS 7.5 (High)
- **CVE-2019-12259** (DoS via NULL dereference in IGMP parsing): CVSS 7.5 (High)
- **CVE-2019-12265** (IGMP information leak via IGMPv3 specific membership report): CVSS 5.3 (Medium)
- **CWEs**: CWE-120 (Buffer Overflow), CWE-384 (Session Fixation), CWE-476 (NULL Pointer Dereference), CWE-346 (Origin Validation Error), CWE-362 (Race Condition), CWE-401 (Memory Leak).
## Affected Systems
- **Products**: SIPROTEC 4 7SJ66 (Protection and Control devices)
- **Versions**: All versions prior to V4.41
- **Configurations**: Any device reachable over an IP network through its Ethernet interface. The flaws sit in the VxWorks TCP/IP stack that processes all inbound IP traffic, so no particular application protocol or service needs to be enabled for a device to be exposed.
## Vulnerability Description
The vulnerabilities, collectively known as **"URGENT/11,"** reside in the IPNET networking stack of the VxWorks Real-Time Operating System (RTOS). In SIPROTEC 4 7SJ66 devices, these flaws fall into three groups:
1. **Memory Corruption**: A stack overflow while parsing IPv4 options (CVE-2019-12256) and an integer underflow when a TCP segment carries the URG flag with an Urgent Pointer of 0 (CVE-2019-12255). Three further flaws confuse the stack's Urgent Pointer state: via a malformed TCP Authentication Option (CVE-2019-12260), during a connect() the device itself initiates to a remote host (CVE-2019-12261), and through a race condition (CVE-2019-12263).
2. **Logical Errors**: Acceptance of unsolicited Reverse ARP (RARP) replies (CVE-2019-12262) and teardown of an established TCP connection on receipt of malformed TCP options (CVE-2019-12258).
3. **Resource Management**: A NULL pointer dereference in IGMP parsing (CVE-2019-12259) and an information leak triggered by IGMPv3 specific membership reports (CVE-2019-12265).
All of these are triggered by specially crafted packets handled by the device's network stack; no authentication is required, and the protection application running on the device has no opportunity to reject the traffic before the stack processes it.
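The Urgent Pointer underflow is the simplest of these flaws to reason about, so the following added example models it in C. This is illustrative code written for this page, not the VxWorks IPNET source: it assumes the BSD-style convention in which the urgent pointer points one past the last urgent byte, so the offset of that byte is `urg_ptr - 1`, which wraps when the pointer is 0. The vulnerable computation is shown beside a hardened variant that rejects a zero pointer and a pointer that reaches past the payload.

```c
#include <stdint.h>
#include <stddef.h>

#define TH_URG 0x20  /* URG bit in the TCP flags byte */

/*
 * Model of the CVE-2019-12255 flaw class (integer underflow on a TCP
 * Urgent Pointer of 0). Illustrative only; the structure is assumed from
 * the public description of the bug, not taken from any vendor source.
 *
 * Under the BSD-derived interpretation the urgent pointer points one past
 * the last urgent byte, so the offset of the last urgent byte is
 * urg_ptr - 1. With URG set and urg_ptr == 0 the unsigned subtraction
 * wraps to SIZE_MAX, and a value that large later feeds a length or index.
 */
size_t urgent_offset_vulnerable(uint8_t flags, uint16_t urg_ptr)
{
    if (!(flags & TH_URG))
        return 0;                 /* no urgent data in this segment */
    return (size_t)urg_ptr - 1;   /* wraps to SIZE_MAX when urg_ptr == 0 */
}

/*
 * Hardened variant: the urgent pointer must be non-zero and must not reach
 * beyond the segment payload. Returns the offset of the last urgent byte,
 * or -1 when the segment is malformed and should be dropped.
 */
long urgent_offset_hardened(uint8_t flags, uint16_t urg_ptr, size_t payload_len)
{
    if (!(flags & TH_URG))
        return 0;                 /* no urgent data: offset is unused */
    if (urg_ptr == 0 || (size_t)urg_ptr > payload_len)
        return -1;                /* malformed: reject before any arithmetic */
    return (long)urg_ptr - 1;     /* safe: 0 <= offset < payload_len */
}
```

The hardened check is the property a stack patch has to establish: every later use of the offset is only safe once both the zero case and the past-the-end case have been excluded up front.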
## Exploitation
- **Status**: PoC available (the URGENT/11 suite has been publicly documented, with demonstrations, since 2019).
- **Complexity**: Low for most flaws; higher for the race-condition and state-confusion variants, which depend on timing or on an existing connection.
- **Attack Vector**: Network. Most of the flaws are triggered by unsolicited packets and need no user interaction; CVE-2019-12261 is the exception, since it requires the device to initiate an outbound TCP connection to a host the attacker controls or can impersonate.
## Impact
- **Confidentiality**: High (memory contents may be leaked, and RCE would expose all data on the device).
- **Integrity**: High (remote code execution [RCE] potential allows unauthorized modification of the device and its protection settings).
- **Availability**: High (denial of service [DoS] through stack crashes and reboots, or through forced teardown of established TCP connections, such as the engineering or SCADA link).
## Remediation
### Patches
- **SIPROTEC 4 7SJ66**: Update to **V4.41** or later.
- Firmware download: [https://support.industry.siemens.com/cs/ww/en/view/109743555/](https://support.industry.siemens.com/cs/ww/en/view/109743555/)
### Workarounds
- **Network Segmentation**: Isolate affected devices from the corporate network and the internet, and restrict which hosts can reach them at all; the flaws live in the IP stack, so the only reliable mitigation short of patching is to keep untrusted packets from arriving.
- **Firewall Filtering**: Block protocols the devices do not need (e.g., IGMP, RARP) and inspect TCP traffic for malformed options at the network perimeter. Note that perimeter filtering does not protect against an attacker who already has a foothold on the same segment.
- **VLANs/VPNs**: Ensure all management access occurs via secure, encrypted tunnels that terminate on a hardened host in the protected zone.
## Detection
- **Indicators of Compromise**: Unexpected device reboots, loss of communication with the SCADA/HMI, or unusual IGMP/RARP traffic volumes.
- **Detection methods**: Use Intrusion Detection Systems (IDS) with signatures specifically designed for URGENT/11 (many vendors provide rules for CVE-2019-12255 through 12265).
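As an added example of the kind of check such IDS rules perform, the following C code is written for this page (it is not a vendor rule set or part of the Siemens advisory) and flags the header conditions that correspond to three of the listed flaw classes: an IPv4 option whose length does not fit its option area (CVE-2019-12256 class), a TCP segment with URG set and an Urgent Pointer of 0 (the CVE-2019-12255 trigger), and a TCP option with an illegal length (CVE-2019-12258 class). The sample packets are constructed inline, not captured traffic; checksums are left at zero because the checks do not depend on them.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Findings bitmask returned by inspect_ipv4_tcp(). */
#define F_IP_OPT_MALFORMED  0x1  /* IPv4 option length inconsistent (CVE-2019-12256 class) */
#define F_TCP_URG_ZERO      0x2  /* URG set with Urgent Pointer 0 (CVE-2019-12255 trigger) */
#define F_TCP_OPT_MALFORMED 0x4  /* TCP option length inconsistent (CVE-2019-12258 class) */
#define F_TRUNCATED         0x8  /* packet too short to parse */

static uint16_t be16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Walk a TLV option area (IPv4 and TCP options share this layout): kind 0
 * ends the list, kind 1 is a one-byte NOP, every other kind carries a
 * length byte that must be >= 2 and must fit in the remaining area. */
static int options_malformed(const uint8_t *opt, size_t len)
{
    for (size_t i = 0; i < len;) {
        uint8_t kind = opt[i];
        if (kind == 0) return 0;                 /* end of option list; rest is padding */
        if (kind == 1) { i++; continue; }        /* NOP */
        if (i + 1 >= len) return 1;              /* length byte missing */
        uint8_t olen = opt[i + 1];
        if (olen < 2 || i + olen > len) return 1;
        i += olen;
    }
    return 0;
}

unsigned inspect_ipv4_tcp(const uint8_t *pkt, size_t len)
{
    unsigned f = 0;
    if (len < 20) return F_TRUNCATED;
    if ((pkt[0] >> 4) != 4) return 0;            /* not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || ihl > len) return F_TRUNCATED;
    if (ihl > 20 && options_malformed(pkt + 20, ihl - 20)) f |= F_IP_OPT_MALFORMED;
    if (pkt[9] != 6) return f;                   /* not TCP */
    const uint8_t *tcp = pkt + ihl;
    size_t tlen = len - ihl;
    if (tlen < 20) return f | F_TRUNCATED;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;
    if (doff < 20 || doff > tlen) return f | F_TRUNCATED;
    if ((tcp[13] & 0x20) && be16(tcp + 18) == 0) f |= F_TCP_URG_ZERO;
    if (doff > 20 && options_malformed(tcp + 20, doff - 20)) f |= F_TCP_OPT_MALFORMED;
    return f;
}

/* Build a minimal IPv4/TCP packet for testing (constructed data, no checksums).
 * Option areas must already be padded to multiples of 4 bytes. */
size_t build_packet(uint8_t *buf, uint8_t tcp_flags, uint16_t urg_ptr,
                    const uint8_t *ipopt, size_t ipoptlen,
                    const uint8_t *tcpopt, size_t tcpoptlen)
{
    size_t ihl = 20 + ipoptlen, doff = 20 + tcpoptlen, total = ihl + doff;
    memset(buf, 0, total);
    buf[0] = (uint8_t)(0x40 | (ihl / 4));        /* version 4, IHL in 32-bit words */
    buf[2] = (uint8_t)(total >> 8); buf[3] = (uint8_t)total;
    buf[9] = 6;                                  /* protocol = TCP */
    if (ipoptlen) memcpy(buf + 20, ipopt, ipoptlen);
    uint8_t *tcp = buf + ihl;
    tcp[12] = (uint8_t)((doff / 4) << 4);        /* data offset */
    tcp[13] = tcp_flags;
    tcp[18] = (uint8_t)(urg_ptr >> 8); tcp[19] = (uint8_t)urg_ptr;
    if (tcpoptlen) memcpy(tcp + 20, tcpopt, tcpoptlen);
    return total;
}

/* Constructed samples: a normal SYN with MSS, and one packet per flaw class. */
unsigned sample_benign(void)
{
    uint8_t buf[128]; static const uint8_t mss[4] = {2, 4, 0x05, 0xb4}; /* MSS 1460 */
    return inspect_ipv4_tcp(buf, build_packet(buf, 0x02, 0, NULL, 0, mss, 4));
}
unsigned sample_urg_zero(void)
{
    uint8_t buf[128];                            /* PSH|ACK|URG with Urgent Pointer 0 */
    return inspect_ipv4_tcp(buf, build_packet(buf, 0x38, 0, NULL, 0, NULL, 0));
}
unsigned sample_bad_ipopt(void)
{
    uint8_t buf[128]; static const uint8_t opt[4] = {0x83, 40, 4, 0}; /* LSRR claiming 40 bytes */
    return inspect_ipv4_tcp(buf, build_packet(buf, 0x10, 100, opt, 4, NULL, 0));
}
unsigned sample_bad_tcpopt(void)
{
    uint8_t buf[128]; static const uint8_t opt[4] = {3, 1, 0, 0};     /* window scale, length 1 */
    return inspect_ipv4_tcp(buf, build_packet(buf, 0x10, 0, NULL, 0, opt, 4));
}
```

Checks of this kind belong on a sensor or firewall in front of the protection devices rather than on the devices themselves, and they complement rather than replace the V4.41 update: a sensor sees only the traffic that crosses it, and the URG-zero check in particular is a trigger signature, not proof of exploitation.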
## References
- Siemens Advisory: [https://cert-portal.siemens.com/productcert/pdf/ssa-617233.pdf](https://cert-portal.siemens.com/productcert/pdf/ssa-617233.pdf)
- Wind River Security: [https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-12255](https://support2.windriver.com/index.php?page=cve&on=view&id=CVE-2019-12255)
- Siemens Grid Security: [https://www.siemens.com/gridsecurity](https://www.siemens.com/gridsecurity)