Denial of service in Siemens EN100 modules and Siprotec 5



Published: 2018-07-16
Risk Low
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2018-11451
CVE-2018-11452
CWE-ID CWE-20
Exploitation vector Network
Public exploit Public exploit code for vulnerability #1 is available.
Public exploit code for vulnerability #2 is available.
Vulnerable software
Subscribe 		SIPROTEC 5
Hardware solutions / Security hardware applicances

EN100 Ethernet module IEC 104 variant
Hardware solutions / Security hardware applicances

EN100 Ethernet module DNP3 TCP variant
Hardware solutions / Security hardware applicances

EN100 Ethernet module Modbus TCP variant
Hardware solutions / Security hardware applicances

EN100 Ethernet module PROFINET IO variant
Hardware solutions / Security hardware applicances

EN100 Ethernet module IEC 61850 variant
Hardware solutions / Security hardware applicances

Vendor Siemens

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Improper input validation

EUVDB-ID: #VU13878

Risk: Low

CVSSv3.1: 6.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-11451

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to an error when handling malicious input. A remote attacker can activate the IEC 61850-MMS communication, supply specially crafted packets to port 102/tcp and cause the service to crash.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SIPROTEC 5: All versions

EN100 Ethernet module IEC 104 variant: All versions

EN100 Ethernet module DNP3 TCP variant: All versions

EN100 Ethernet module Modbus TCP variant: All versions

EN100 Ethernet module PROFINET IO variant: All versions

EN100 Ethernet module IEC 61850 variant: All versions

External links

http://cert-portal.siemens.com/productcert/pdf/ssa-635129.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

2) Improper input validation

EUVDB-ID: #VU13879

Risk: Low

CVSSv3.1: 5.3 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C]

CVE-ID: CVE-2018-11452

CWE-ID: CWE-20 - Improper input validation

Exploit availability: No

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.
The weakness exists due to an error when handling malicious input. A remote attacker can activate the IEC 61850-MMS communication, supply specially crafted packets to port 102/tcp and cause the service to crash if oscillographs are running.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SIPROTEC 5: All versions

EN100 Ethernet module IEC 104 variant: All versions

EN100 Ethernet module DNP3 TCP variant: All versions

EN100 Ethernet module Modbus TCP variant: All versions

EN100 Ethernet module PROFINET IO variant: All versions

EN100 Ethernet module IEC 61850 variant: All versions

External links

http://cert-portal.siemens.com/productcert/pdf/ssa-635129.pdf


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.



###SIDEBAR###