Full Report
The SIPROTEC 5 devices support weak encryption. This could allow an unauthorized attacker in a man-in-the-middle position to read any data passed over the connection between legitimate clients and the affected device. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Weak Encryption in Siemens SIPROTEC 5 Devices
## CVE Details
- **CVE ID:** CVE-2024-38867
- **CVSS Score:**
  - **v4.0:** 8.2 (High)
  - **v3.1:** 5.9 (Medium)
- **CWE:** CWE-326: Inadequate Encryption Strength
## Affected Systems
- **Products:** Siemens SIPROTEC 5 and SIPROTEC 5 Compact devices (Multiple models including CP100 and CP150 architectures).
- **Versions:**
  - **CP100 Devices (7SA82, 7SD82, 7SL82, 7UT82):** All versions < V8.90
  - **CP100 Devices (7SJ81, 7SJ82, 7SK82):** All versions < V8.89
  - **CP150 Devices (7SA82):** All versions < V9.65
- **Configurations:** Devices with web services (443/tcp), DIGSI 5 communication (4443/tcp), or Syslog over TLS enabled.
## Vulnerability Description
Affected SIPROTEC 5 devices support weak cryptographic ciphers on several communication ports. Specifically, the vulnerability resides in the implementation of TLS for the web interface, the DIGSI 5 engineering software connection, and configurable Syslog over TLS channels. Due to the inadequate encryption strength, the confidentiality of the communication channel is undermined.
## Exploitation
- **Status:** Not exploited (No known reports of exploitation in the wild at the time of advisory).
- **Complexity:** High (Requires the attacker to be in a Man-in-the-Middle [MitM] position and possess the capability to decrypt weak cipher suites).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Attacker can decrypt and read sensitive data passed between the client and the device).
- **Integrity:** None.
- **Availability:** None.
## Remediation
### Patches
Siemens recommends updating to the latest firmware versions:
- **CP100 (7SA82, 7SD82, 7SL82, 7UT82):** Update to V8.90 or later.
- **CP100 (7SJ81, 7SJ82, 7SK82):** Update to V8.89 or later.
- **CP150 (7SA82):** Update to V9.65 or later.
### Workarounds
- **Network Segmentation:** Protect network access with firewalls and VLANs to prevent unauthorized actors from reaching a MitM position.
- **VPN:** Use secure VPN tunnels for any remote access to the devices.
- **Operational Guidelines:** Adhere to Siemens Grid Security principles, including running devices within a protected IT/OT environment.
## Detection
- **Indicators of Compromise:** Unusual encrypted traffic patterns or the presence of unauthorized devices on the management network segment.
- **Detection Methods and Tools:**
  - **Vulnerability Scanners:** Use network security scanners to identify the use of weak TLS cipher suites on ports 443 and 4443.
  - **Traffic Analysis:** Monitor for Man-in-the-Middle activity or ARP spoofing attempts within the local substation network.
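The scanner check described above, as an added example that is not part of the advisory or any Siemens tooling: a small Python audit helper that attempts one TLS handshake per candidate cipher suite against the advisory's two service ports (443 and 4443) and reports which accepted suites are weak. The target host name is an operator-supplied assumption, and the candidate suite list is constructed for illustration.

```python
"""Audit a SIPROTEC 5 service port for weak TLS cipher suites (CWE-326).

Added example, not vendor code. The host is supplied by the operator;
ports 443 and 4443 are the ones named in the advisory.
"""
import socket
import ssl
import sys

# Ports from the advisory: web services (443) and DIGSI 5 communication (4443).
SIPROTEC_PORTS = (443, 4443)

# Name fragments that mark a suite as inadequate: NULL/anonymous key exchange,
# export-grade, RC4, (3)DES, and MD5-based MACs.
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "ADH", "AECDH", "MD5")

# Constructed candidate list (OpenSSL names); the weak entries are what we look for.
CANDIDATES = ("ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA",
              "DES-CBC3-SHA", "RC4-SHA", "NULL-SHA")


def is_weak_cipher(name: str) -> bool:
    """True if an OpenSSL/IANA cipher-suite name contains a weak primitive."""
    upper = name.upper()
    return any(marker in upper for marker in WEAK_MARKERS)


def flag_weak(accepted):
    """Return the subset of accepted suite names that is considered weak."""
    return [c for c in accepted if is_weak_cipher(c)]


def probe_cipher(host: str, port: int, cipher: str, timeout: float = 5.0):
    """Return the negotiated suite name if the server accepts `cipher`, else None."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE               # only the negotiated suite matters here
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # set_ciphers() does not govern TLS 1.3
    try:
        ctx.set_ciphers(cipher + ":@SECLEVEL=0")  # let local OpenSSL offer legacy suites
    except ssl.SSLError:
        return None                               # suite unknown to the local library
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (OSError, ssl.SSLError):
        return None                               # refused, timed out, or suite rejected


def audit(host: str, ports=SIPROTEC_PORTS, candidates=CANDIDATES):
    """Map each port to the list of accepted suites that are weak."""
    findings = {}
    for port in ports:
        accepted = [c for c in (probe_cipher(host, port, c) for c in candidates) if c]
        findings[port] = flag_weak(accepted)
    return findings


if __name__ == "__main__":
    for port, weak in audit(sys.argv[1]).items():
        print(f"{port}/tcp: {'WEAK ' + ', '.join(weak) if weak else 'no weak suites accepted'}")
```

Run it as `python audit.py <device-host>` from a management host that is allowed to reach the device; an empty result on both ports after updating to the fixed firmware versions is the expected outcome.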
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-750499[.]html
- **Support Links:**
  - hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109757433/
  - hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109751934/
- **Security Guidelines:** hxxps://www[.]siemens[.]com/gridsecurity