Siemens has patched several vulnerabilities, including authentication bypass and denial-of-service (DoS) flaws, in its SWT 3000 teleprotection devices.
The SWT 3000 teleprotection devices are designed for quickly identifying and isolating faults in high-voltage power grids. This Siemens product is used in the energy sector worldwide.
According to advisories published by both Siemens and ICS-CERT, medium severity vulnerabilities have been found in the EN100 Ethernet module used by SWT 3000 devices running IEC 61850 and TPOP firmware.
The flaws can be exploited to bypass authentication to the web interface and perform administrative operations (CVE-2016-7112, CVE-2016-7114), and cause devices to enter a DoS condition by sending specially crafted packets (CVE-2016-7113).
Flaws related to the product’s web server can be leveraged by a network attacker to obtain sensitive device information (CVE-2016-4784), and data from the device’s memory (CVE-2016-4785).
The security holes have been addressed in IEC 61850 firmware with the release of version 4.29.01. The TPOP firmware is affected by only three of the flaws. These have been fixed with the release of version 01.01.00.
As it’s apparent from the CVE identifiers, these vulnerabilities were actually discovered last year. They were reported to Siemens via ICS-CERT by researchers at HackerDom and Kaspersky Lab.
Siemens and ICS-CERT disclosed CVE-2016-4784 and CVE-2016-4785 in May 2016, when they warned that the flaws had affected SIPROTEC 4 and SIPROTEC Compact devices. An advisory published in September 2016 warned that the same products were also affected by CVE-2016-7112, CVE-2016-7114 and CVE-2016-7113.
In July 2017, Siemens informed customers that all five vulnerabilities also impacted Reyrolle devices, which provide a wide range of integrated protection, control, measurement, and automation functions for electrical substations.