Full Report
An information disclosure vulnerability in SIPROTEC 5 devices could allow an unauthenticated, remote attacker to retrieve sensitive information from the device. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Information Disclosure in Siemens SIPROTEC 5 Devices
## CVE Details
- **CVE ID:** CVE-2024-54015
- **CVSS Score:** 7.5 (High) via CVSS v3.1 / 8.7 (High) via CVSS v4.0
- **CWE:** CWE-1392 (Use of Default Credentials)
## Affected Systems
- **Products:**
- SIPROTEC 5 CP150 Devices
- SIPROTEC 5 CP300 Devices (including 7SA82, 7ST85, 6MD89, 7ST86, 7KE85)
- **Versions:**
- Versions >= V8.80 and < V9.90
- Parallel maintenance lines (e.g., V9.50, V9.6x, V9.8x) fall inside this range and remain affected until updated to the fixed release of that line.
- **Configurations:** Devices with the SNMP service enabled on a communication module and port 161/udp reachable by the attacker.
## Vulnerability Description
Affected Siemens SIPROTEC 5 devices do not properly validate SNMP GET requests. An attacker who can reach the SNMP service on a communication module can send SNMPv2c GET requests using the device's default community strings, and the device answers them instead of rejecting them. In SNMPv2c the community string is the only form of authentication and is carried in cleartext, so a default value provides no effective access control; this is why this report treats the attacker as unauthenticated while classifying the weakness as CWE-1392 (Use of Default Credentials). A remote actor can therefore query the Simple Network Management Protocol (SNMP) interface and read sensitive configuration and operational data from the device.
## Exploitation
- **Status:** Not reported as exploited in the wild; the advisory provides no public proof of concept.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Sensitive device information disclosure)
- **Integrity:** None
- **Availability:** None
## Remediation
### Patches
Siemens recommends updating affected products to the following versions (or later):
- **Primary Fix:** Update to **V9.90** or later.
- **Parallel Version Lines:**
- For V9.6x line: Update to **V9.68**.
- For V9.8x line: Update to **V9.83**.
- **Note:** Communication module firmware versions must match the device firmware versions (e.g., Device V9.9x requires Module V9.9x).
### Workarounds
- **Disable SNMP:** Turn off the SNMP service in the communication modules if it is not required for operations.
- **Access Control:** Restrict access to **port 161/udp** via firewall or ACLs to trusted IP addresses only.
- **Network Segmentation:** Ensure devices are operated within protected IT/OT environments and are not exposed to untrusted networks.
## Detection
- **Indicators:** SNMP GET requests to port 161/udp on SIPROTEC devices from hosts other than your authorized network management stations, in particular external or previously unseen addresses.
- **Detection Methods:**
- Use Intrusion Detection Systems (IDS) to flag SNMP traffic using default community strings (e.g., "public", "private") targeting SIPROTEC devices.
- Audit device logs for SNMP access attempts.
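The SNMPv2c request described in the Vulnerability Description and the default-community detection rule from the Detection section, worked through as an added example (this is not code from the Siemens advisory or from this report's source). It encodes and decodes the SNMPv2c GetRequest message format (RFC 3416, BER per X.690), showing that the community string is a cleartext field, and then runs a small classifier over constructed UDP datagrams. The default-community set is limited to the two strings the Detection section names, the trusted management-station addresses and all packets are hypothetical, and no real device is contacted.

```python
"""SNMPv2c GetRequest encoder/decoder plus a detector for the traffic pattern
described in the Detection section. Sample data below is constructed, not captured."""
from typing import NamedTuple

SNMP_PORT = 161
# Default community strings named in the Detection section (assumption: only these two).
DEFAULT_COMMUNITIES = {b"public", b"private"}
VERSION_NAMES = {0: "v1", 1: "v2c"}

# BER tags used in SNMPv1/v2c messages
TAG_INTEGER, TAG_OCTET_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST = 0xA0  # context-specific [0] IMPLICIT SEQUENCE

def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value

def _encode_int(v: int) -> bytes:
    n = 1
    while not -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):  # minimal two's-complement width
        n += 1
    return _tlv(TAG_INTEGER, v.to_bytes(n, "big", signed=True))

def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:  # base-128, continuation bit set on all but the last byte
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))

def build_get_request(community: bytes, oids, request_id: int = 1) -> bytes:
    """SEQUENCE { version=1, community, [0] { request-id, 0, 0, varbinds } }.
    The community string is the message's only authentication and is sent in cleartext."""
    varbinds = b"".join(_tlv(TAG_SEQUENCE, _encode_oid(o) + _tlv(TAG_NULL, b"")) for o in oids)
    pdu = _encode_int(request_id) + _encode_int(0) + _encode_int(0) + _tlv(TAG_SEQUENCE, varbinds)
    return _tlv(TAG_SEQUENCE, _encode_int(1) + _tlv(TAG_OCTET_STRING, community) + _tlv(TAG_GET_REQUEST, pdu))

def _read_tlv(buf: bytes, pos: int):
    """Return (tag, contents, next_pos); rejects truncated or oversized lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if not 1 <= nbytes <= 4:
            raise ValueError("unsupported BER length encoding")
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:end], end

def _decode_oid(raw: bytes) -> str:
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

class SnmpMessage(NamedTuple):
    version: int
    community: bytes
    pdu_type: int
    request_id: int
    oids: list

def parse_snmp(payload: bytes) -> SnmpMessage:
    tag, body, _ = _read_tlv(payload, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an SNMP message")
    vtag, ver, pos = _read_tlv(body, 0)
    ctag, community, pos = _read_tlv(body, pos)
    pdu_tag, pdu, _ = _read_tlv(body, pos)
    version = int.from_bytes(ver, "big", signed=True)
    if vtag != TAG_INTEGER or ctag != TAG_OCTET_STRING or version not in VERSION_NAMES:
        raise ValueError("not a community-based (v1/v2c) SNMP message")
    _, rid, p = _read_tlv(pdu, 0)
    _, _, p = _read_tlv(pdu, p)  # error-status
    _, _, p = _read_tlv(pdu, p)  # error-index
    _, varbinds, _ = _read_tlv(pdu, p)
    oids, q = [], 0
    while q < len(varbinds):
        _, vb, q = _read_tlv(varbinds, q)
        ntag, name, _ = _read_tlv(vb, 0)
        if ntag == TAG_OID:
            oids.append(_decode_oid(name))
    return SnmpMessage(version, community, pdu_tag, int.from_bytes(rid, "big", signed=True), oids)

def classify(src_ip: str, dst_port: int, payload: bytes, trusted_sources) -> list:
    """Alerts for one UDP datagram aimed at a SIPROTEC device; [] means nothing to report."""
    if dst_port != SNMP_PORT:
        return []
    try:
        msg = parse_snmp(payload)
    except (ValueError, IndexError) as exc:
        return [f"unparseable SNMP datagram to 161/udp: {exc}"]
    alerts = []
    if msg.pdu_type == TAG_GET_REQUEST and src_ip not in trusted_sources:
        alerts.append(f"SNMP GET from non-allowlisted source {src_ip} for {msg.oids}")
    if msg.community in DEFAULT_COMMUNITIES:
        alerts.append(f"default community {msg.community.decode()!r} in SNMP{VERSION_NAMES[msg.version]} message")
    return alerts

# Constructed sample traffic with hypothetical addresses: (src_ip, dst_port, payload)
TRUSTED_NMS = {"10.10.0.5", "10.10.0.9"}
SYS_DESCR, SYS_NAME = "1.3.6.1.2.1.1.1.0", "1.3.6.1.2.1.1.5.0"
SAMPLE_DATAGRAMS = [
    ("10.10.0.5", 161, build_get_request(b"s3cr3t-ro", [SYS_DESCR], 7)),            # legitimate NMS poll
    ("198.51.100.23", 161, build_get_request(b"public", [SYS_DESCR, SYS_NAME], 8)),  # external host, default community
    ("10.10.0.9", 161, build_get_request(b"private", [SYS_NAME], 9)),                # trusted host, default community
    ("10.10.0.5", 161, b"\x30\x03\x02\x01"),                                          # truncated message
]

def run_detection(datagrams=SAMPLE_DATAGRAMS, trusted=TRUSTED_NMS) -> dict:
    return {i: classify(src, port, pl, trusted) for i, (src, port, pl) in enumerate(datagrams)}
```

`run_detection()` returns no alert for the trusted poll with a non-default community, two alerts for the external host using `public`, one alert for the trusted host still using `private`, and a parse failure for the truncated datagram. Feeding real traffic means extracting the UDP payload of packets to 161/udp (for example from a pcap) and passing it to `classify` together with the source address and your own allowlist of management stations.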
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-767615[.]html
- **Support Links:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109796884/
- **Grid Security Guidelines:** hxxps://www[.]siemens[.]com/gridsecurity