Full Report
Vulnerabilities in Siemens SWT 3000, a system used in the energy sector, allow attackers to gain access to sensitive information, circumvent authentication and conduct a DoS attack.
Analysis Summary
# Vulnerability: Multiple Flaws in Siemens SWT 3000 Teleprotection Equipment
## CVE Details
* **CVE ID:** CVE-2017-12737, CVE-2017-12738, CVE-2017-12739
* **CVSS Score:**
* CVE-2017-12737: 7.5 (High)
* CVE-2017-12738: 5.3 (Medium)
* CVE-2017-12739: 5.3 (Medium)
* **CWE:**
* CWE-287 (Improper Authentication)
* CWE-200 (Information Exposure)
* CWE-400 (Uncontrolled Resource Consumption)
## Affected Systems
* **Products:** Siemens SWT 3000 (Substation Communications Unit)
* **Versions:** All versions prior to v3.0 SP2
* **Configurations:** Systems with the EN100 Ethernet module integrated for communication.
## Vulnerability Description
The Siemens SWT 3000 teleprotection system, widely used in the energy sector for grid protection signaling, contains three distinct vulnerabilities:
1. **Authentication Bypass (CVE-2017-12737):** A flaw in the authentication mechanism allows an unauthenticated attacker to bypass security controls and access the device's management interface.
2. **Information Disclosure (CVE-2017-12738):** The system reveals sensitive configuration and device information to unauthenticated users over the network.
3. **Denial of Service (CVE-2017-12739):** The device is susceptible to a resource exhaustion attack. Specifically, sending specially crafted packets to the management port can cause the EN100 module to crash or become unresponsive.
## Exploitation
* **Status:** No reports of exploitation in the wild at the time of publication; no public PoC available.
* **Complexity:** Low
* **Attack Vector:** Network (Remote)
## Impact
* **Confidentiality:** High (Potential access to sensitive operational settings and credentials).
* **Integrity:** High (Potential to modify protection settings which could affect grid stability).
* **Availability:** High (Potential to disable teleprotection signaling, leaving high-voltage equipment unprotected).
## Remediation
### Patches
* Siemens has released **SWT 3000 v3.0 SP2**, which addresses these vulnerabilities. Users are strongly encouraged to upgrade to this version or newer.
### Workarounds
* **Network Segmentation:** Restrict access to the management interface (EN100 module) to a dedicated, isolated management network.
* **Firewalling:** Block external access to ports used by the SWT 3000 management interface.
* **VLANs:** Use Virtual LANs to separate teleprotection traffic from general corporate or public-facing traffic.
## Detection
* **Indicators of Compromise:** Unusual traffic patterns on diagnostic ports; unexpected device reboots or "module unresponsive" errors in system logs.
* **Detection methods and tools:** Monitor network logs for unauthorized attempts to access the device via HTTP/HTTPS or Telnet. Ensure ICS-aware firewalls/IDS are configured to flag malformed packets targeting the EN100 module.
## References
* Siemens Security Advisory SSA-754625: hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-754625[.]pdf
* Kaspersky ICS CERT: hxxps[://]ics-cert[.]kaspersky[.]com/advisories/2017/12/04/vulnerabilities-in-siemens-swt-3000-devices/
* NIST NVD: hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2017-12737