CVE-2015-5374:
Vulnerability in Siemens SIPROTEC EN100 Ethernet module firmware allows a denial-of-service via specially crafted UDP packets to port 50000; affects PROFINET IO (< V1.04.01), Modbus TCP (< V1.11.00), DNP3 TCP (< V1.03), IEC 104 (< V1.21), and the EN100 module in SIPROTEC merging unit 6MU80 (< V1.02.02). A manual reboot may be required to recover the device.
Score
A numerical rating that indicates how dangerous this vulnerability is.
7.8High- Published Date:Jul 18, 2015
- CISA KEV Date:*No Data*
- Industries Affected:20
Threat Predictions
- EPSS Score:84.7
- EPSS Percentile:99%
Exploitability
- Score:10.0
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
Impact
- Score:6.9
- Confidentiality Impact:NONE
- Integrity Impact:NONE
- Availability Impact:HIGH
Description Preview
Vulnerability in Siemens SIPROTEC EN100 Ethernet module firmware allows a denial-of-service via specially crafted UDP packets to port 50000; affects PROFINET IO (< V1.04.01), Modbus TCP (< V1.11.00), DNP3 TCP (< V1.03), IEC 104 (< V1.21), and the EN100 module in SIPROTEC merging unit 6MU80 (< V1.02.02). A manual reboot may be required to recover the device.
Overview
This vulnerability affects Siemens SIPROTEC EN100 Ethernet module firmware across multiple protocol variants, enabling a denial-of-service condition when a printer-like sequence of UDP packets is sent to UDP port 50000. The issue results in an impact to availability, with potential need for manual reboot to restore normal operation. The advisory points to upgrades to fixed releases and mitigations to reduce exposure.
Remediation
- Upgrade firmware to the fixed releases:
- PROFINET IO for EN100: upgrade to V1.04.01 or later
- Modbus TCP for EN100: upgrade to V1.11.00 or later
- DNP3 TCP for EN100: upgrade to V1.03 or later
- IEC 104 for EN100: upgrade to V1.21 or later
- SIPROTEC Merging Unit 6MU80: upgrade to 1.02.02 or later
- Apply vendor advisories and verify installation of patches corresponding to SSA-323211 and related advisories.
- If immediate patching is not possible, implement network mitigations:
- Block or tightly restrict UDP traffic to port 50000 to affected devices at the network edge (firewall/IPS).
- Place affected devices behind segmentation or access control to limit exposure.
- After upgrading, perform a reboot as instructed by the vendor and verify device availability and logging for any abnormal activity.
- Maintain a patching schedule and monitor vendor advisories for updates or new mitigations.
References
- - Siemens Security Advisory SSA-323211.pdf: https://www.siemens.com/cert/pool/cert/siemens_security_advisory_SSA-323211.pdf
- - Siemens Security Advisory SSA-732541.pdf: http://www.siemens.com/innovation/pool/de/forschungsfelder/siemens_security_advisory_ssa-732541.pdf
- - Exploit-DB entry: 44103 — https://www.exploit-db.com/exploits/44103/
- - ICS-CERT Advisory ICSA-15-202-01: https://ics-cert.us-cert.gov/advisories/ICSA-15-202-01
- - ICS-CERT Advisory ICSA-17-187-03: https://ics-cert.us-cert.gov/advisories/ICSA-17-187-03
- - BID 75948: http://www.securityfocus.com/bid/75948
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
