Full Report
Multiple SICAM products are affected by a buffer overflow vulnerability in the IEC 61850 Client libraries from Triangle MicroWorks that could allow an unauthenticated remote attacker to create a denial of service condition by sending specially crafted MMS messages.

Affected SICAM and SITIPE products:
- SICAM A8000 Device firmware: ET85 for CP-8000/CP-8021/CP-8022; ETI5 for CP-8031/CP-8050
- SICAM EGS Device firmware: ETI5
- SICAM S8000: ETI5
- SICAM SCC
- SITIPE AT

Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Buffer Overflow in Triangle MicroWorks IEC 61850 Client Libraries Affecting SICAM/SITIPE
## CVE Details
- CVE ID: CVE-2024-34057
- CVSS Score: 8.2 (High)
- CWE: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
## Affected Systems
- Products:
  - SICAM A8000 Device firmware: ET85 (CP-8000/CP-8021/CP-8022) and ETI5 (CP-8031/CP-8050)
  - SICAM EGS Device firmware: ETI5
  - SICAM S8000: ETI5
  - SICAM SCC
  - SITIPE AT
- Versions:
  - ET85 (for CP-8000/CP-8021/CP-8022): All versions < V03.27
  - ETI5 (for CP-8031/CP-8050, SICAM EGS, SICAM S8000): All versions < V05.30 (the advisory lists ETI5 under several product lines; V05.30 is the version it gives for CP-8031/CP-8050)
  - SICAM SCC: All versions < V9.14 HF2
  - SITIPE AT: All versions < V3.21
- Configurations: Affected systems utilize the vulnerable Triangle MicroWorks IEC 61850 Client source code libraries (prior to version 12.2.0).
## Vulnerability Description
The vulnerability is a buffer overflow in the third-party Triangle MicroWorks (TMW) IEC 61850 Client source code libraries prior to version 12.2.0, which the affected Siemens products embed. The library does not check the size of its buffer when processing received MMS messages (CWE-120), so an unauthenticated remote attacker who can deliver specially crafted MMS messages to the client can overflow that buffer and crash the IEC 61850 client.
## Exploitation
- Status: The advisory does not report public exploit code or exploitation in the wild. Because the crash is reachable over the network without credentials, any IEC 61850 client reachable by untrusted peers should be treated as exposed until patched.
- Complexity: Low (CVSS vector AV:N/AC:L/PR:N/UI:N/S:U: network-reachable, no privileges or user interaction required)
- Attack Vector: Network
## Impact
The primary impact detailed is Denial of Service (DoS).
- Confidentiality: No Impact (N)
- Integrity: Low Impact (L) - The CVSS vector rates integrity impact as Low; the advisory itself describes only denial of service as the outcome.
- Availability: High Impact (H) - Causing a crash leads directly to a denial of service condition.
## Remediation
### Patches
Siemens strongly recommends updating to the following versions or later:
- **ET85 Ethernet Interface IEC61850 Ed.2:** Update to **V03.27** or later. (V3.27 is present in "CP-8000/CP-8021/CP-8022 Package" V16.52).
- **ETI5 Ethernet Int. 1x100TX IEC61850 (for CP-8031/CP-8050):** Update to **V05.30** or later. (V5.30 is present in "CP-8031/CP-8050 Package" V5.30).
- **SICAM SCC:** Update to **V9.14 HF2** or later.
- **SITIPE AT:** Update to **V3.21** or later.
### Workarounds
- Apply general security recommendations: Protect network access using appropriate mechanisms such as firewalls, segmentation, and VPNs.
- Configure the environment according to Siemens operational guidelines to run devices in a protected IT environment.
- For critical power systems, ensure multi-level redundant secondary protection schemes are in place to build resilience against cyber incidents.
## Detection
- No indicators of compromise are published for this vulnerability. The observable symptom on an affected system is an unexpected crash or restart of the IEC 61850 client (the ET85/ETI5 interface module, SICAM SCC or SITIPE AT) that correlates in time with incoming MMS traffic.
- Detection should focus on network monitoring of IEC 61850 MMS traffic (ISO-on-TCP, TCP port 102) for malformed PDUs, for example TPKT or BER length fields that disagree with the bytes actually on the wire, and for unexpected peers exchanging MMS with the client. Network segmentation limits who can reach the client in the first place.
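The C program below is an added illustration written for this page, not code from Triangle MicroWorks or Siemens, and it does not reproduce the actual defect in the TMW library (the advisory does not publish it). It shows the CWE-120 pattern named in the Vulnerability Description (copying a peer-declared number of bytes into a fixed receive buffer) beside a checked version, and applies the same length-consistency checks at the TPKT/COTP framing level, which is what a network monitor looking for the malformed MMS PDUs described above would implement. All frames are constructed samples; for simplicity the payload after the COTP header is treated as a single BER element, whereas a real MMS association carries ISO session and presentation headers between COTP and the MMS PDU. The `VALUE_BUF` size and the `[10] VisibleString` tag (0x8A) are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of checking one captured ISO-on-TCP frame (constructed illustration, not TMW code). */
enum mms_check {
    MMS_OK = 0,
    MMS_BAD_TPKT,       /* TPKT version != 3, or declared length != bytes on the wire  */
    MMS_BAD_COTP,       /* not a COTP Data TPDU (LI = 2, code 0xF0)                    */
    MMS_BAD_BER_LENGTH, /* unsupported BER length form, or length runs past end of PDU */
    MMS_VALUE_TOO_LONG  /* value longer than the receiver's fixed buffer                */
};

#define VALUE_BUF 32   /* hypothetical fixed receive buffer, the kind a CWE-120 bug overruns */

/* Decode a BER length at p: short form, or long form with one or two length octets.
 * Returns the number of length octets consumed, or 0 if the encoding is unusable. */
static size_t ber_length(const uint8_t *p, size_t avail, size_t *out_len)
{
    if (avail < 1) return 0;
    if (p[0] < 0x80) { *out_len = p[0]; return 1; }
    size_t n = p[0] & 0x7F;                             /* number of following length octets */
    if (n == 0 || n > 2 || avail < 1 + n) return 0;     /* indefinite form and huge lengths rejected */
    size_t len = 0;
    for (size_t i = 0; i < n; i++) len = (len << 8) | p[1 + i];
    *out_len = len;
    return 1 + n;
}

/* VULNERABLE pattern (CWE-120): copies as many bytes as the peer declared.
 * Only ever called on the benign sample below; a crafted length would overrun dst. */
static void copy_value_unchecked(const uint8_t *val, size_t declared_len, char *dst)
{
    memcpy(dst, val, declared_len);                     /* no check against VALUE_BUF or bytes received */
    dst[declared_len] = '\0';
}

/* Hardened version: declared length bounded by both the bytes present and the destination. */
static enum mms_check copy_value_checked(const uint8_t *val, size_t declared_len,
                                         size_t avail, char *dst, size_t cap)
{
    if (declared_len > avail) return MMS_BAD_BER_LENGTH; /* truncated or lying length */
    if (declared_len >= cap)  return MMS_VALUE_TOO_LONG; /* leave room for the NUL    */
    memcpy(dst, val, declared_len);
    dst[declared_len] = '\0';
    return MMS_OK;
}

/* Check TPKT (RFC 1006) and COTP Data framing, then parse the first BER element into dst. */
enum mms_check check_frame(const uint8_t *frame, size_t n, char *dst, size_t cap)
{
    if (n < 4 || frame[0] != 0x03) return MMS_BAD_TPKT;
    size_t tpkt_len = ((size_t)frame[2] << 8) | frame[3];
    if (tpkt_len != n) return MMS_BAD_TPKT;             /* the classic malformed-PDU signal */
    if (n < 7 || frame[4] != 0x02 || frame[5] != 0xF0) return MMS_BAD_COTP;
    const uint8_t *pdu = frame + 7;
    size_t avail = n - 7;
    if (avail < 2) return MMS_BAD_BER_LENGTH;           /* need at least tag + length */
    size_t len = 0, lb = ber_length(pdu + 1, avail - 1, &len);
    if (lb == 0) return MMS_BAD_BER_LENGTH;
    return copy_value_checked(pdu + 1 + lb, len, avail - 1 - lb, dst, cap);
}

/* Build a well-formed frame (TPKT + COTP DT + [10] VisibleString) around value; returns its size. */
size_t build_frame(uint8_t *out, size_t out_cap, const uint8_t *value, size_t vlen)
{
    size_t total = 4 + 3 + 2 + vlen;
    if (vlen > 127 || total > out_cap) return 0;        /* short-form BER length only */
    const uint8_t hdr[] = { 0x03, 0x00, (uint8_t)(total >> 8), (uint8_t)total,
                            0x02, 0xF0, 0x80, 0x8A, (uint8_t)vlen };
    memcpy(out, hdr, sizeof hdr);
    memcpy(out + sizeof hdr, value, vlen);
    return total;
}

/* Constructed samples (not captured traffic). */
const uint8_t SAMPLE_OK[] = { 0x03,0x00,0x00,0x0F, 0x02,0xF0,0x80, 0x8A,0x06,'I','E','D','_','0','1' };
/* BER length 0x81 0xFF declares 255 bytes but only 3 follow: what an unchecked copy would trust. */
const uint8_t SAMPLE_LYING_LENGTH[] = { 0x03,0x00,0x00,0x0D, 0x02,0xF0,0x80, 0x8A,0x81,0xFF,'A','B','C' };
/* TPKT header claims 32 bytes, only 10 are present. */
const uint8_t SAMPLE_BAD_TPKT[] = { 0x03,0x00,0x00,0x20, 0x02,0xF0,0x80, 0x8A,0x01,'X' };

int main(void)
{
    char dst[VALUE_BUF];
    uint8_t frame[128], big[48];
    memset(big, 'A', sizeof big);
    size_t n = build_frame(frame, sizeof frame, big, sizeof big);

    copy_value_unchecked(SAMPLE_OK + 9, 6, dst);        /* harmless on benign input only */
    printf("unchecked copy of benign value: %s\n", dst);
    printf("benign:        %d\n", check_frame(SAMPLE_OK, sizeof SAMPLE_OK, dst, sizeof dst));
    printf("lying length:  %d\n", check_frame(SAMPLE_LYING_LENGTH, sizeof SAMPLE_LYING_LENGTH, dst, sizeof dst));
    printf("bad tpkt:      %d\n", check_frame(SAMPLE_BAD_TPKT, sizeof SAMPLE_BAD_TPKT, dst, sizeof dst));
    printf("48-byte value: %d\n", check_frame(frame, n, dst, sizeof dst));
    return 0;
}
```

The two conditions `copy_value_checked` rejects are exactly the ones a passive monitor can evaluate without knowing the receiver's buffer layout: a declared length larger than the bytes that actually arrived, and a TPKT length that disagrees with the TCP payload. A client that drops such PDUs never reaches the `memcpy` in the unchecked variant, which is the point of the fix in TMW 12.2.0 as the advisory describes it.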
## References
- Vendor Advisory: SSA-673996 (Siemens)
- Siemens General Security Guidelines: hxxps://www.siemens.com/gridsecurity
- Siemens ProductCERT Advisories: hxxps://www.siemens.com/cert/advisories