Siemens SIPROTEC 5 Could Allow for Arbitrary Code Execution

Fortify Security Team
Sep 15, 2021

Multiple vulnerabilities have been discovered in Siemens SIPROTECT 5, the most severe of which could allow an attacker to cause a denial-of-service condition or arbitrary code execution. Siemens SIPROTEC 5 is part of the new generation of modular, flexible, and intelligent digital field devices for protection, control, monitoring, and measuring applications in electrical energy systems. Successful exploitation of the most severe of these vulnerabilities could allow for remote code execution. Depending on the privileges associated with the user, an attacker could then view or modify data, as well as take full control of the system.

THREAT INTELLIGENCE: There are currently no reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • SIPROTEC 5 relays with CPU variants CP050: All versions prior to 8.80
  • SIPROTEC 5 relays with CPU variants CP100: All versions prior to 8.80
  • SIPROTEC 5 relays with CPU variants CP150: All versions
  • SIPROTEC 5 relays with CPU variants CP200: All versions
  • SIPROTEC 5 relays with CPU variants CP300: All versions prior to 8.80

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: Medium

Businesses:

  • Large and medium business entities: High
  • Small business entities: Medium

Home users: Low

TECHNICAL SUMMARY:

Multiple vulnerabilities have been discovered in Siemens SIPROTEC 5, the most severe of which could allow for arbitrary code execution in the context of the system.

Details of the vulnerabilities are as follows:

  • Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) – An attacker can send specially crafted packets to port 4443/TCP, which may cause a denial-of-service condition or remote code execution. (CVE-2021-33719)
  • Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) – An attacker can send specially crafted packets to port 4443/TCP, which may cause a denial-of-service condition. (CVE-2021-33720)
  • Improper Input Validation – Received web packets are not properly processed. An unauthenticated remote attacker with access to any of the Ethernet interfaces could send specially crafted packets to force a restart of the target device. (CVE-2021-37206)

Successful exploitation of the most severe of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the system. Depending on the privileges associated with the user, an attacker could then view or modify data, as well as take full control of the system.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Install the updates provided by Siemens immediately after appropriate testing.
  • Verify that all hosts with a public IP do not have open ports unless absolutely necessary.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:
Siemens:
https://cert-portal.siemens.com/productcert/pdf/ssa-847986.pdf
https://cert-portal.siemens.com/productcert/pdf/ssa-500748.pdf

CVE:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33719
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33720
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-37206

US-CERT:
https://us-cert.cisa.gov/ics/advisories/icsa-21-257-10
https://us-cert.cisa.gov/ics/advisories/icsa-21-257-16

Recent Posts

Google Chrome Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Google Chrome, the most severe of which could allow for arbitrary code execution. Google Chrome is a web browser used to access the Internet. Successful exploitation of the most severe of these vulnerabilities could...

Oracle Quarterly Critical Patches Issued April 19, 2022

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution. April 22 – THREAT INTELLIGENCE UPDATED: A new proof of concept code demonstrating a newly disclosed digital signature bypass vulnerability in Java has been...

WSO2 Products Could Allow for Remote Code Execution

A vulnerability has been discovered in specific WSO2 products, which could allow for remote code execution. WSO2 is an open-source technology provider. It offers an enterprise platform for integrating application programming interfaces (API), applications, and web...