Full Report
Devices of the SIPROTEC 5 family contain a vulnerability related to secure client-initiated renegotiation. This could allow an unauthenticated attacker to cause a denial of service condition for the duration of the attack. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Denial of Service due to Improper Secure Renegotiation in SIPROTEC 5 Devices
## CVE Details
- CVE ID: CVE-2022-45044
- CVSS Score: 5.3 (Medium)
- CWE: CWE-400: Uncontrolled Resource Consumption
## Affected Systems
- Products: Devices of the SIPROTEC 5 family, specifically the CP100 and CP150 models listed below (e.g., 7SA82, 7SD82, 7SJ81, 7SJ82, 7SK82, 7SL82, 7UT82). The communication modules installed on CP100 devices (ETH-BA-2EL, ETH-BB-2FO) are also noted as affected.
- Versions:
  - SIPROTEC 5 7SA82 (CP100): All versions < V8.90 (Fixed in V8.90 or later)
  - SIPROTEC 5 7SD82 (CP100): All versions < V8.90 (Fixed in V8.90 or later)
  - SIPROTEC 5 7SJ81 (CP100): All versions < V8.89 (Fixed in V8.89 or later)
  - SIPROTEC 5 7SJ82 (CP100): All versions < V8.89 (Fixed in V8.89 or later)
  - SIPROTEC 5 7SK82 (CP100): All versions < V8.89 (Fixed in V8.89 or later)
  - SIPROTEC 5 7SL82 (CP100): All versions < V8.90 (Fixed in V8.90 or later)
  - SIPROTEC 5 7UT82 (CP100): All versions < V8.90 (Fixed in V8.90 or later)
  - SIPROTEC 5 7SA82 (CP150): All versions < V9.50 (Fixed in V9.50 or later)
*Note: Other CP300 devices were addressed in subsequent updates, but specific versions were not fully detailed in the excerpt provided.*
- Configurations: Vulnerability exists in the implementation of SSL/TLS protocols on affected devices.
## Vulnerability Description
The vulnerability stems from affected devices not properly restricting secure client-initiated renegotiations within the SSL and TLS protocols. Because each renegotiation forces the device to redo handshake work, an unauthenticated remote attacker can exploit this weakness to induce uncontrolled resource consumption, leading to a Denial of Service (DoS) condition on the affected device ports (specifically mentioned are 443/tcp and 4443/tcp) for the duration of the active attack.
## Exploitation
- Status: The CVSS vector includes E:P (Proof-of-Concept), meaning a proof-of-concept exists and public exploitability is likely; the advisory does not state that the vulnerability is being exploited in the wild.
- Complexity: Low (AC:L - Attack Complexity Low)
- Attack Vector: Network (AV:N)
## Impact
- Confidentiality: No impact (C:N)
- Integrity: No impact (I:N)
- Availability: Low impact, resulting in a Denial of Service condition (A:L)
## Remediation
### Patches
Siemens advises updating to the fixed versions listed below:
- SIPROTEC 5 7SA82 (CP100): Update to V8.90 or later.
- SIPROTEC 5 7SD82 (CP100): Update to V8.90 or later.
- SIPROTEC 5 7SJ81 (CP100): Update to V8.89 or later.
- SIPROTEC 5 7SJ82 (CP100): Update to V8.89 or later.
- SIPROTEC 5 7SK82 (CP100): Update to V8.89 or later.
- SIPROTEC 5 7SL82 (CP100): Update to V8.90 or later.
- SIPROTEC 5 7UT82 (CP100): Update to V8.90 or later.
- SIPROTEC 5 7SA82 (CP150): Update to V9.50 or later.
### Workarounds
Siemens recommends specific countermeasures for products where fixes are not, or not yet, available. (The details of these workarounds are located in the vendor advisory section "Workarounds and Mitigations," which requires consulting the full document.)
## Detection
- Indicators of Compromise: Persistent high CPU/resource utilization on the device, or repeated connection termination attempts on ports 443/tcp or 4443/tcp coinciding with device unavailability.
- Detection Methods and Tools: Network monitoring to inspect for excessive TLS renegotiation requests targeting ports 443/tcp or 4443/tcp.
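The detection method above can be turned into a simple rate check: count client-initiated renegotiations per source address on the monitored ports inside a sliding time window and raise an alert when a source exceeds a threshold. The following is an added example, not code from the advisory or from Siemens; it assumes a hypothetical sensor log format (one line per TLS handshake event: timestamp, source IP, destination port, event name) and a constructed sample log. The window and threshold values are placeholders to be tuned against a site's normal traffic.

```python
"""Sliding-window detection of excessive TLS client-initiated renegotiation.

Added example (not part of the advisory). Assumes a hypothetical log format:
    <ISO-8601 timestamp> <src_ip> <dst_port> <event>
where <event> is 'handshake' (new session) or 'renegotiation'.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Ports named in the advisory's detection guidance.
MONITORED_PORTS = {443, 4443}

# Constructed sample log: one noisy source on 443, one on 4443 that just
# reaches the threshold, one benign client, one source on an unmonitored
# port, and one source whose events are too spread out to trigger.
SAMPLE_LOG = """\
2024-01-15T10:00:00 10.0.0.5 443 handshake
2024-01-15T10:00:01 10.0.0.5 443 renegotiation
2024-01-15T10:00:01 10.0.0.5 443 renegotiation
2024-01-15T10:00:02 10.0.0.5 443 renegotiation
2024-01-15T10:00:02 10.0.0.5 443 renegotiation
2024-01-15T10:00:03 10.0.0.5 443 renegotiation
2024-01-15T10:00:03 10.0.0.5 443 renegotiation
2024-01-15T10:00:04 10.0.0.5 443 renegotiation
2024-01-15T10:00:04 10.0.0.5 443 renegotiation
2024-01-15T10:00:05 10.0.0.7 4443 handshake
2024-01-15T10:00:06 10.0.0.7 4443 renegotiation
2024-01-15T10:05:00 10.0.0.7 4443 renegotiation
2024-01-15T10:10:00 10.0.0.9 8443 renegotiation
2024-01-15T10:10:00 10.0.0.9 8443 renegotiation
2024-01-15T10:10:00 10.0.0.9 8443 renegotiation
2024-01-15T10:10:00 10.0.0.9 8443 renegotiation
2024-01-15T10:10:00 10.0.0.9 8443 renegotiation
2024-01-15T10:10:00 10.0.0.9 8443 renegotiation
2024-01-15T10:20:00 10.0.0.11 4443 renegotiation
2024-01-15T10:20:02 10.0.0.11 4443 renegotiation
2024-01-15T10:20:04 10.0.0.11 4443 renegotiation
2024-01-15T10:20:06 10.0.0.11 4443 renegotiation
2024-01-15T10:20:08 10.0.0.11 4443 renegotiation
2024-01-15T10:30:00 10.0.0.13 443 renegotiation
2024-01-15T10:30:03 10.0.0.13 443 renegotiation
2024-01-15T10:30:06 10.0.0.13 443 renegotiation
2024-01-15T10:30:09 10.0.0.13 443 renegotiation
2024-01-15T10:30:12 10.0.0.13 443 renegotiation
"""


def parse_line(line):
    """Split one hypothetical log line into (timestamp, src_ip, port, event)."""
    ts, src, port, event = line.split()
    return datetime.fromisoformat(ts), src, int(port), event


def find_renegotiation_floods(log_text, window=timedelta(seconds=10), threshold=5):
    """Return {(src_ip, port): peak_count} for every source that issued at
    least `threshold` renegotiations on a monitored port within `window`.

    A deque per (source, port) holds the timestamps still inside the window;
    timestamps older than the window are dropped before the count is checked,
    so slow, widely spaced renegotiations never accumulate into an alert.
    Lines are assumed to be in chronological order.
    """
    recent = defaultdict(deque)
    flagged = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, port, event = parse_line(line)
        if port not in MONITORED_PORTS or event != "renegotiation":
            continue
        key = (src, port)
        q = recent[key]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


def format_alerts(flagged):
    """Render alerts as one human-readable line per offending source."""
    return [
        f"ALERT: {src} issued {count} TLS renegotiations on {port}/tcp within the window"
        for (src, port), count in sorted(flagged.items())
    ]


if __name__ == "__main__":
    for line in format_alerts(find_renegotiation_floods(SAMPLE_LOG)):
        print(line)
```

Only `10.0.0.5` (eight renegotiations in four seconds on 443/tcp) and `10.0.0.11` (five in eight seconds on 4443/tcp) are reported; the client on 8443 is ignored because that port is not in the advisory's scope, and `10.0.0.13` is not reported because its fifth event falls outside the ten-second window of its first. Correlate such alerts with the CPU-utilization indicator above before treating them as confirmed exploitation, since a legitimate client with aggressive session refresh can also produce a burst.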
## References
- Vendor Advisories:
  - SSA-552874 (Base Advisory)
- Relevant Links:
  - Siemens Support Link (General fix information): hxxps://support.industry.siemens.com/cs/ww/en/view/related/109757433
  - Siemens ProductCERT Advisories: hxxps://www.siemens.com/cert/advisories