“Successful exploitation of these vulnerabilities could allow an attacker to upload a modified device configuration that could overwrite access authorization passwords, or allow an attacker to capture certain network traffic that could contain authorization passwords.” reads the advisory published by the ICS-CERT.
The Siemens devices provide integrated protection, control, measurement, and automation functions for several applications, including electrical substations.
Siemens has already issued security patches and mitigations for the flaws.
The vulnerabilities were discovered by security experts at Positive Technologies, let’s analyzed the flaws discovered by the experts.
“Positive Technologies experts Ilya Karpov, Dmitry Sklyarov, and Alexey Stennikov detected high-risk vulnerabilities in power-system protection from Siemens that is used to control and protect such power supply facilities equipment as electrical substations or hydroelectric power stations. Siemens has fixed the vulnerabilities and issued the corresponding advisories.” states the post published by Positive Technologies.
“By exploiting these vulnerabilities, an attacker is able to change the configuration of power-system protection relay which can lead to disruption of the power equipment protection function (and potentially to an accident) or customer curtailment.”
The most severe vulnerability (rated high severity), tracked as CVE-2018-4840 can be exploited by a remote and unauthenticated attacker to modify the device’s configuration and overwrite access passwords.
“The device engineering mechanism allows an unauthenticated remote user to upload a modified device configuration overwriting access authorization passwords. ” reads the security advisory published by Siemens.
The second flaw, tracked as CVE-2018-4839, is a medium severity issue that could be exploited by a local or network attacker to recover the access authorization password by intercepting network traffic or obtaining data from the targeted device. Once the attacker has obtained the password he can use it to gain complete access to a device.
Both CVE-2018-4840 and CVE-2018-4839 affects the EN100 Ethernet modules and the DIGSI 4 operation and configuration software used by SIPROTEC 4 and SIPROTEC Compact relay families.
Researchers at Positive Technologies also discovered a high severity vulnerability tracked as CVE-2018-4838 that resides in the web interface of the relays (SIPROTEC 4, SIPROTEC Compact, and Reyrolle relays that use EN100 modules.) that could be exploited by an unauthenticated attacker to downgrade the firmware on a device to a version that is known to be affected by vulnerabilities.
“CVE-2018-4838 allows an intruder to remotely upload an obsolete firmware version that contains known vulnerabilities and to execute code on the target system. Devices that use the EN100 communication module (SIPROTEC 4, SIPROTEC Compact, and Reyrolle) can be attacked.” states the advisory published by the company.
The above issued represent a serious threat to electrical substations that are a key component in the electric grids.
(Security Affairs – electrical substations, hacking)