Full Report
SINAMICS PERFECT HARMONY GH180 is affected by multiple vulnerabilities in the integrated SCALANCE S615 device, as documented in SSA-419740 (https://cert-portal.siemens.com/productcert/html/ssa-419740.html). Siemens recommends updating the firmware of the integrated SCALANCE S615 device to the latest version. Siemens recommends specific countermeasures for products where the firmware update has not been, or not yet been, applied. Additional considerations regarding the specific impact of the vulnerabilities on SINAMICS MV products can be found in the chapter "Additional Information".
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Integrated SCALANCE S615 of SINAMICS Medium Voltage Products
## CVE Details
The advisory covers multiple vulnerabilities inherited from the integrated SCALANCE S615 device. Key examples include:
- **CVE-2018-25032**: CVSS 7.5 (High) | CWE-787 (Out-of-bounds Write in zlib)
- **CVE-2021-42374**: CVSS 6.5 (Medium) | CWE-125 (Out-of-bounds Read in BusyBox)
- **CVE-2021-42378, CVE-2021-42379, CVE-2021-42380**: CVSS 6.6 (Medium) | CWE-416 (Use After Free in BusyBox awk)
- **CVE-2022-23308**: CVSS 7.5 (High) | CWE-416 (Use After Free in libxml2)
- **CVE-2022-32205**: CVSS 7.5 (High) | CWE-20 (Improper Input Validation in curl)
*Note: The overall advisory lists a maximum Base Score of 9.8, though specific impact on SINAMICS MV products scales Availability down to "Low".*
## Affected Systems
- **Products**: SINAMICS PERFECT HARMONY GH180 (6SR5)
- **Versions**: All versions.
- **Configurations**: Only units produced between **October 2021 and May 2023** that have the integrated **SCALANCE S615** device installed.
## Vulnerability Description
The integrated SCALANCE S615 security appliance within the SINAMICS drive contains several third-party component vulnerabilities (including zlib, BusyBox, libxml2, and curl). These flaws range from memory corruption and use-after-free conditions to improper input validation. While these vulnerabilities reside in the communication module, they can potentially be triggered by processing specially crafted network traffic or files.
## Exploitation
- **Status**: PoC available for several associated CVEs (as indicated by the "E:P" flag in CVSS vectors).
- **Complexity**: Ranges from Low to High depending on the specific CVE.
- **Attack Vector**: Network (Remote exploitation is possible if the SCALANCE device is accessible).
## Impact
- **Confidentiality**: Low to High (depending on specific CVE/BusyBox leaks).
- **Integrity**: Low to High (potential for code execution in specific sub-components).
- **Availability**: **Low** (Siemens notes that while exploitation can disrupt remote monitoring like SIDriveIQ, the primary drive functionality and Fieldbus connections—Modbus, Profinet, etc.—remain unaffected).
## Remediation
### Patches
- Update the firmware of the integrated SCALANCE S615 device to **V7.2 or later**.
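The affected-systems criteria above (production window, integrated SCALANCE S615 present) and the fixed firmware level (V7.2 or later) can be turned into a repeatable inventory triage. The following is an added example written for this summary, not Siemens code; the `DriveUnit` record, the firmware string format (`V<major>.<minor>[.<patch>]`) and the sample inventory are assumptions, and the production window is treated as inclusive of both months.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Affected window and fixed version as stated in the advisory summary.
AFFECTED_FROM = date(2021, 10, 1)
AFFECTED_TO = date(2023, 5, 31)
FIXED_VERSION = (7, 2)  # SCALANCE S615 V7.2 or later


def parse_scalance_version(text: str) -> Tuple[int, ...]:
    """Parse a firmware string such as 'V7.2' or 'v7.1.2' into a comparable tuple.

    Assumed format: optional 'V' prefix, dot-separated numeric components,
    anything after the first whitespace (build qualifiers) is ignored.
    """
    core = text.strip().lstrip("Vv").split()[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            raise ValueError(f"unparseable version component {piece!r} in {text!r}")
        parts.append(int(digits))
    return tuple(parts)


@dataclass
class DriveUnit:  # hypothetical inventory record
    serial: str
    production_date: date
    has_scalance_s615: bool
    s615_firmware: Optional[str]  # None when the firmware level has not been collected yet


def assess(unit: DriveUnit) -> str:
    """Classify one unit as 'not_affected', 'patched', 'vulnerable' or 'unknown_firmware'."""
    if not unit.has_scalance_s615:
        return "not_affected"
    if not (AFFECTED_FROM <= unit.production_date <= AFFECTED_TO):
        return "not_affected"
    if unit.s615_firmware is None:
        # In scope but firmware level unknown: needs an on-site check before it can be closed.
        return "unknown_firmware"
    # Tuple comparison handles (7, 1, 2) < (7, 2) <= (7, 2, 1) as intended.
    if parse_scalance_version(unit.s615_firmware) >= FIXED_VERSION:
        return "patched"
    return "vulnerable"


def triage(units) -> dict:
    """Group serial numbers by assessment so the vulnerable set can be worked first."""
    result = {"vulnerable": [], "unknown_firmware": [], "patched": [], "not_affected": []}
    for unit in units:
        result[assess(unit)].append(unit.serial)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; serials and dates are made up.
    inventory = [
        DriveUnit("GH180-0001", date(2022, 3, 14), True, "V7.1.2"),
        DriveUnit("GH180-0002", date(2022, 11, 2), True, "V7.2"),
        DriveUnit("GH180-0003", date(2021, 6, 30), True, "V6.4"),
        DriveUnit("GH180-0004", date(2023, 1, 9), False, None),
        DriveUnit("GH180-0005", date(2023, 5, 20), True, None),
    ]
    for bucket, serials in triage(inventory).items():
        print(f"{bucket:17s} {serials}")
```

Units classified as `unknown_firmware` fall inside the production window and carry an S615, so they should be treated as vulnerable until the firmware level is confirmed; the workarounds in the next section apply to both that bucket and the `vulnerable` one.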
### Workarounds
- **Physical Security**: Restrict physical access to the affected drives and the Ethernet port on the front control door.
- **Network Isolation**: Disconnect any direct network connections to the integrated SCALANCE S615 device.
- **General Hardening**: Protect network access with industrial security mechanisms and follow Siemens' operational guidelines for Industrial Security.
## Detection
- **Indicators of Compromise**: Unexpected reboots of the SCALANCE S615 module, disruption of remote monitoring services (SIDriveIQ), or unusual HTTP/management traffic to the SCALANCE interface.
- **Detection methods**: Monitor network traffic for malformed LZMA-compressed data (CVE-2021-42374, BusyBox unlzma), crafted awk input (CVE-2021-42378, CVE-2021-42379, CVE-2021-42380), or excessive "Set-Cookie" headers in HTTP traffic to the device management interface (CVE-2022-32205, curl).
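Of the three patterns listed, the "Set-Cookie" one is the easiest to check mechanically, because it is a simple count and size measurement over HTTP response headers. The following is an added example for this summary, not part of the advisory or any Siemens tooling: it parses raw HTTP responses captured at a proxy or SPAN port on the path to the SCALANCE device, counts `Set-Cookie` headers and their total size, and flags responses above a threshold. The thresholds, the capture format (raw HTTP/1.1 text) and the sample responses are assumptions.

```python
from typing import Dict, List

# Alert thresholds are assumptions for this example; tune to the environment.
# Normal management or monitoring traffic sets a handful of cookies, not dozens.
MAX_SET_COOKIE_HEADERS = 50
MAX_SET_COOKIE_BYTES = 64 * 1024


def parse_response_headers(raw: bytes) -> Dict[str, List[str]]:
    """Split a raw HTTP/1.1 response into a lower-cased header name -> values map.

    Only the header block before the first blank line is read; the body is ignored.
    Malformed lines without a colon are skipped rather than raising.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    headers: Dict[str, List[str]] = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(b":")
        if not sep:
            continue
        key = name.strip().lower().decode("latin-1")
        headers.setdefault(key, []).append(value.strip().decode("latin-1"))
    return headers


def analyze_response(raw: bytes) -> dict:
    """Measure Set-Cookie volume in one response and decide whether it is suspicious."""
    cookies = parse_response_headers(raw).get("set-cookie", [])
    total_bytes = sum(len(c) for c in cookies)
    suspicious = (
        len(cookies) > MAX_SET_COOKIE_HEADERS or total_bytes > MAX_SET_COOKIE_BYTES
    )
    return {
        "set_cookie_count": len(cookies),
        "set_cookie_bytes": total_bytes,
        "suspicious": suspicious,
    }


def scan(responses: List[bytes]) -> List[int]:
    """Return the indices of responses that exceed the Set-Cookie thresholds."""
    return [i for i, raw in enumerate(responses) if analyze_response(raw)["suspicious"]]


def build_sample_response(cookie_count: int, cookie_value_len: int) -> bytes:
    """Constructed test data: a 200 OK carrying the requested number of Set-Cookie headers."""
    lines = [b"HTTP/1.1 200 OK", b"Content-Type: text/html", b"Content-Length: 0"]
    for i in range(cookie_count):
        lines.append(b"Set-Cookie: c%d=%s; Path=/" % (i, b"A" * cookie_value_len))
    return b"\r\n".join(lines) + b"\r\n\r\n"


if __name__ == "__main__":
    # Constructed samples: one ordinary response, one with an abnormal cookie flood.
    benign = build_sample_response(cookie_count=2, cookie_value_len=32)
    flood = build_sample_response(cookie_count=500, cookie_value_len=1024)
    for idx, raw in enumerate([benign, flood]):
        print(idx, analyze_response(raw))
    print("flagged:", scan([benign, flood]))
```

A flagged response is a trigger for investigation, not proof of exploitation: correlate it with the other indicators listed above (S615 reboots, loss of SIDriveIQ monitoring) and with whether the unit's firmware is still below V7.2.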
## References
- **Vendor Advisory**: hxxps://cert-portal.siemens.com/productcert/html/ssa-942865.html
- **Related SCALANCE Advisory**: hxxps://cert-portal.siemens.com/productcert/html/ssa-419740.html
- **Siemens Industrial Security Guidelines**: hxxps://www.siemens.com/cert/operational-guidelines-industrial-security