Siemens SIPROTEC 4, SIPROTEC Compact, and Reyrolle Devices using the EN100 Ethernet Communication Module Extension Missing Authentication For Critical Function (CVE-2018-4838)

high Tenable OT Security Plugin ID 500163

Synopsis

The remote OT asset is affected by a vulnerability.

Description

A vulnerability has been identified in EN100 Ethernet module IEC 61850 variant (All versions < V4.30), EN100 Ethernet module DNP3 variant (All versions < V1.04), EN100 Ethernet module PROFINET IO variant (All versions), EN100 Ethernet module Modbus TCP variant (All versions), EN100 Ethernet module IEC 104 variant (All versions < V1.22). The web interface (TCP/80) of affected devices allows an unauthenticated user to upgrade or downgrade the firmware of the device, including to older versions with known vulnerabilities.

This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Siemens has provided the following updates for mitigations:

- EN100 Ethernet module DNP3 variant (All versions prior to v1.04): Update to v1.04 and configure maintenance password, which can be located here: https://support.industry.siemens.com/cs/us/en/ view/109745821
- EN100 Ethernet module IEC 61850 variant (All versions prior to v4.30): Update to v4.30, which can be located here:
https://support.industry.siemens.com/cs/us/en/view/109745821

- EN100 Ethernet module IEC 104 variant: Update to v1.22, which can be located here:
https://support.industry.siemens.com/cs/document/109745821

For all other affected products, Siemens has identified the following specific workarounds and mitigations that users can apply to reduce the risk. As a general security measure Siemens strongly recommends to protect network access with appropriate mechanisms (e.g., firewalls, segmentation, VPN). It is advised to configure the environment according to Siemens’ operational guidelines in order to run the devices in a protected IT environment.

Recommended security guidelines to Secure Substations and Defense-in-Depth can be found at:
https://www.siemens.com/gridsecurity

For further inquiries on vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT:
https://www.siemens.com/cert/advisories

For more information on this vulnerability and associated software updates, please see Siemens security notification SSA-845879 on their website: https://cert-portal.siemens.com/productcert/pdf/ssa-845879.pdf

See Also

https://cert-portal.siemens.com/productcert/pdf/ssa-845879.pdf

https://ics-cert.us-cert.gov/advisories/ICSA-18-067-01

https://www.cisa.gov/news-events/ics-advisories/icsa-18-067-02

https://www.securityfocus.com/bid/103379

Plugin Details

Severity: High

ID: 500163

Version: 1.7

Type: remote

Family: Tenable.ot

Published: 2/7/2022

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

CVSS Score Source: CVE-2018-4838

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:siemens:en100_ethernet_module_iec_104_firmware:-, cpe:/o:siemens:en100_ethernet_module_profinet_io_firmware:-, cpe:/o:siemens:en100_ethernet_module_modbus_tcp_firmware:-, cpe:/o:siemens:en100_ethernet_module_iec_61850_firmware, cpe:/o:siemens:en100_ethernet_module_dnp3_firmware:-

Required KB Items: Tenable.ot/Siemens

Exploit Ease: No known exploits are available

Patch Publication Date: 3/8/2018

Vulnerability Publication Date: 3/8/2018

Reference Information

CVE: CVE-2018-4838

CWE: 306

ICSA: 18-067-01, 18-067-02