Full Report
The RADIUS client implementation of the VxWorks platform in SIPROTEC 5 devices contains a denial of service vulnerability that could be triggered when a specially crafted packet is sent by a RADIUS server. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Denial of Service in SIPROTEC 5 RADIUS Client
## CVE Details
- **CVE ID:** CVE-2022-38767
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
## Affected Systems
- **Products:** SIPROTEC 5 series devices (including 6MD85, 6MU85, and various other CP300-based modules).
- **Versions:**
  - Most models running versions ≥ V7.80.
  - Many CP300-based modules running versions earlier than V9.30 (or V9.40, depending on the model).
  - Some models (such as 6MD85/6MU85 CP300) have narrower ranges, for example versions from V8.70 up to but not including V9.30.
- **Configurations:** Devices utilizing the RADIUS (Remote Authentication Dial-In User Service) client for centralized authentication.
## Vulnerability Description
The vulnerability exists within the RADIUS client implementation of the Wind River VxWorks platform (specifically versions 6.9 and 7) utilized by SIPROTEC 5 devices. When receiving a specially crafted response packet from a RADIUS server during the IP RADIUS access procedure, the device enters an infinite loop. This results in a Denial of Service (DoS) condition, rendering the device's management or protection functions potentially unavailable.
## Exploitation
- **Status:** PoC available (per CVSS Exploit Code Maturity: Functional/P).
- **Complexity:** Low
- **Attack Vector:** Network (The attacker must be able to send packets as, or intercept/spoof, the RADIUS server).
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Device functions are disrupted due to a processing loop).
## Remediation
### Patches
Siemens recommends updating affected devices to the following versions or later:
- **V9.30:** Recommended update for the majority of affected SIPROTEC 5 models.
- **V9.40:** Recommended for specific sub-models (refer to the full Siemens device list for exact hardware mapping).
- *Note:* For some specific CP300 variants (e.g., older 6MD85/6MU85), no fix is currently planned, and users must rely on workarounds.
### Workarounds
- **Trusted Server:** Ensure that only trusted, properly hardened RADIUS servers are configured in the environment.
- **Credential Protection:** Protect the RADIUS pre-shared key (PSK) from unauthorized access to prevent spoofing.
- **Network Segmentation:** Use firewalls and VLANs to ensure that only authorized RADIUS traffic can reach the devices.
## Detection
- **Indicators of Compromise:** High CPU utilization or device unresponsiveness immediately following RADIUS authentication attempts.
- **Detection Methods:** Monitor network traffic for malformed RADIUS response packets or unauthorized hosts attempting to act as a RADIUS server. Use Intrusion Detection Systems (IDS) to flag non-standard RADIUS traffic.
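The detection advice above hinges on recognising a RADIUS response that is structurally malformed. The advisory does not describe the exact packet that triggers the loop, so the following is an added example (not Siemens, Wind River or NVD code) of the generic RFC 2865 structural checks a monitoring rule or a hardened client would apply before parsing attributes: a sane Code, a Length within bounds, and an attribute walk that is guaranteed to advance. The two sample packets are constructed for the example, not captured traffic.

```python
import struct

RADIUS_HDR_LEN = 20    # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
RADIUS_MAX_LEN = 4096  # upper bound on Length, RFC 2865 section 3
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
RESPONSE_CODES = {ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE}


def validate_radius_response(pkt: bytes) -> tuple[bool, str]:
    """Return (ok, reason) for a datagram claiming to be a server response.
    Only bounded structural checks; no step depends on a length the sender
    controls without the loop making forward progress."""
    if len(pkt) < RADIUS_HDR_LEN:
        return False, "datagram shorter than RADIUS header"
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if code not in RESPONSE_CODES:
        return False, f"code {code} is not a server response code"
    if length < RADIUS_HDR_LEN or length > RADIUS_MAX_LEN:
        return False, f"Length field {length} outside RFC 2865 bounds"
    if length > len(pkt):
        return False, "Length field exceeds datagram size"
    # Attributes are Type(1) Length(1) Value(n) with Length >= 2 (RFC 2865
    # section 5). A Length octet of 0 or 1 makes a naive parser advance by
    # zero or overlap the next header, so it is rejected before use.
    off, count = RADIUS_HDR_LEN, 0
    while off < length:
        if length - off < 2:
            return False, f"truncated attribute header at offset {off}"
        atype, alen = pkt[off], pkt[off + 1]
        if alen < 2:
            return False, f"attribute type {atype} has illegal length {alen} at offset {off}"
        if off + alen > length:
            return False, f"attribute type {atype} overruns packet at offset {off}"
        off += alen
        count += 1
    return True, f"well-formed: {count} attribute(s)"


def build_packet(code: int, ident: int, attrs: list) -> bytes:
    """Build a well-formed packet from (type, value) pairs. The Authenticator
    is zeroed because these samples only exercise the structural checks."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, RADIUS_HDR_LEN + len(body)) + bytes(16) + body


# Constructed samples: an Access-Accept carrying Reply-Message (type 18), and
# the same header followed by a single attribute whose Length octet is 0.
GOOD = build_packet(ACCESS_ACCEPT, 7, [(18, b"ok")])
BAD_ZERO_LEN = struct.pack("!BBH", ACCESS_ACCEPT, 7, RADIUS_HDR_LEN + 2) + bytes(16) + b"\x12\x00"
```

Feeding `BAD_ZERO_LEN` to the validator returns a rejection naming the offending attribute, which is the kind of event an IDS rule on the RADIUS port should raise rather than pass to the client parser.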
## References
- **Siemens Advisory:** hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-726834.pdf
- **Siemens Support Portal:** hxxps://support.industry.siemens[.]com/cs/ww/en/view/109796884/
- **NVD Entry:** hxxps://nvd.nist[.]gov/vuln/detail/CVE-2022-38767
- **Grid Security Guidelines:** hxxps://www.siemens[.]com/gridsecurity