Siemens SIPROTEC 4 and SIPROTEC Compact Vulnerabilities CVE-2016-7112
Siemens reports that these vulnerabilities affect the following products:
- EN100 Ethernet module (optional for SIPROTEC 4 and SIPROTEC Compact): All versions prior to V4.29
Resource Exhaustion: Specially crafted packets sent to Port 80/TCP could cause the affected device to go into defect mode.
Authentication Bypass: Attackers with network access to the device’s web interface (Port 80/TCP) could possibly circumvent authentication and perform administrative operations. A legitimate user must be logged into the web interface for the attack to be successful.
Siemens provides firmware update V4.29 for EN100 modules included in SIPROTEC 4 and SIPROTEC Compact devices to fix the vulnerabilities. Siemens recommends users update to the latest firmware version.
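One way to triage an asset inventory against the fixed version named above, as an added example that is not part of the Siemens advisory. The CSV columns, host names and the `http_reachable` flag are constructed assumptions; only the V4.29 threshold and Port 80/TCP come from the advisory.

```python
import csv
import io
import re

FIXED = (4, 29)  # first fixed EN100 firmware version per the advisory

# Constructed sample inventory; column names and hosts are hypothetical.
SAMPLE = """host,product,en100_fw,http_reachable
relay-a,SIPROTEC 4,V4.26,yes
relay-b,SIPROTEC Compact,V4.29,yes
relay-c,SIPROTEC 4,V4.08,no
relay-d,SIPROTEC 4,V4.29.01,no
relay-e,SIPROTEC Compact,unknown,yes
"""

def parse_version(text):
    """Turn 'V4.29' or 'V4.29.01' into a tuple of ints; None if unparseable."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def is_affected(version):
    """True when the version is strictly below V4.29, compared numerically."""
    padded = version + (0,) * (len(FIXED) - len(version))
    return padded < FIXED

def triage(csv_text):
    """Return {host: status}; status is 'patch-first', 'patch', 'ok' or 'verify'."""
    result = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        version = parse_version(row["en100_fw"])
        if version is None:
            status = "verify"        # firmware not recorded: read it from the device
        elif not is_affected(version):
            status = "ok"
        elif row["http_reachable"].strip().lower() == "yes":
            status = "patch-first"   # both issues require access to Port 80/TCP
        else:
            status = "patch"
        result[row["host"]] = status
    return result

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```
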
The firmware update for SIPROTEC 4 can be obtained from the SIPROTEC 4 downloads area: