CVE-2019-10938

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers with network access to execute arbitrary code on affected Siemens industrial devices before firmware verification occurs. It affects SIPROTEC 5 protection devices and Siemens Power Meters used in electrical infrastructure. The CVSS 9.8 score indicates critical severity with high potential impact.

💻 Affected Systems

Products:
  • SIPROTEC 5 devices with CPU variants CP200
  • SIPROTEC 5 devices with CPU variants CP300
  • SIPROTEC 5 devices with CPU variants CP100
  • Siemens Power Meters Series 9410
  • Siemens Power Meters Series 9810
Versions: CP200: All versions < V7.59; CP300/CP100: All versions < V8.01; Series 9410: All versions < V2.2.1; Series 9810: All versions
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All affected devices are vulnerable in default configurations if network accessible.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of industrial control systems, allowing attackers to manipulate power grid operations, cause equipment damage, or disrupt critical infrastructure.

🟠 Likely Case

Unauthorized access to device configuration, firmware manipulation, or disruption of monitoring and protection functions in electrical systems.

🟢 If Mitigated

Limited impact if devices are properly segmented and access-controlled, though the vulnerability remains exploitable within the network segment.

🌐 Internet-Facing: HIGH - If devices are exposed to the internet, they can be directly exploited without authentication.
🏢 Internal Only: HIGH - Even internally, network access allows exploitation without credentials.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No public exploitation known at advisory publication, but unauthenticated network access makes exploitation straightforward for skilled attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: CP200: V7.59 or higher; CP300/CP100: V8.01 or higher; Series 9410: V2.2.1 or higher; Series 9810: Contact Siemens for updates

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-352504.pdf

Restart Required: Yes

Instructions:

1. Download firmware updates from Siemens Industry Online Support.
2. Follow device-specific update procedures in manuals.
3. Apply updates during maintenance windows.
4. Verify successful update and functionality.

🔧 Temporary Workarounds

Network Segmentation (applies to: all affected products)

Isolate affected devices in dedicated network segments with strict access controls.

Access Control Lists (applies to: all affected products)

Implement firewall rules to restrict network access to authorized management stations only.

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules to limit access to only necessary IP addresses
  • Monitor network traffic to/from affected devices for suspicious activity and implement intrusion detection

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via device web interface or management software against affected version ranges.

Check Version:

Device-specific commands vary; typically accessed via web interface at device IP or using DIGSI 5 software.

Verify Fix Applied:

Confirm firmware version is at or above patched versions: CP200 ≥ V7.59, CP300/CP100 ≥ V8.01, Series 9410 ≥ V2.2.1
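The version comparison above is easy to get wrong by hand across four product lines, so here is an added example (not part of the advisory and not Siemens tooling) that encodes the fixed versions stated on this page and classifies an inventory of devices. The inventory entries and the "Series 9810" handling (no fixed version published, so every version is reported as vulnerable) are assumptions for illustration; feed it the version strings exactly as DIGSI 5 or the device web interface reports them.

```python
"""Classify Siemens devices against the CVE-2019-10938 fixed-version table.

Added example, not vendor code. FIXED_VERSIONS is transcribed from the
advisory text on this page; None means no fixed version is listed.
"""
from typing import Dict, List, Optional, Tuple

# Product -> first non-vulnerable firmware version (None = no fix published)
FIXED_VERSIONS: Dict[str, Optional[str]] = {
    "CP200": "V7.59",
    "CP300": "V8.01",
    "CP100": "V8.01",
    "Series 9410": "V2.2.1",
    "Series 9810": None,
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'V7.59' / 'v8.01' / 'V2.2.1' into a comparable integer tuple.

    Components are compared numerically, which matches the two-digit minor
    numbering the advisory uses (V7.59 < V8.01). Anything that does not parse
    is rejected rather than silently treated as safe.
    """
    text = version.strip().upper()
    if text.startswith("V"):
        text = text[1:]
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        raise ValueError(f"unrecognised firmware version string: {version!r}")


def is_vulnerable(product: str, installed: str) -> bool:
    """True if the installed firmware is below the fixed version for product."""
    if product not in FIXED_VERSIONS:
        raise ValueError(f"product not covered by this advisory: {product!r}")
    fixed = FIXED_VERSIONS[product]
    if fixed is None:
        # Advisory lists all versions as affected and gives no fixed build.
        return True
    return parse_version(installed) < parse_version(fixed)


def assess_inventory(inventory: List[Tuple[str, str, str]]) -> List[Dict[str, str]]:
    """Return one finding per (device_name, product, firmware) inventory row."""
    findings = []
    for name, product, firmware in inventory:
        status = "VULNERABLE" if is_vulnerable(product, firmware) else "FIXED"
        target = FIXED_VERSIONS[product] or "no fixed version listed"
        findings.append({"device": name, "product": product,
                         "firmware": firmware, "status": status,
                         "required": target})
    return findings


# Constructed sample inventory (hypothetical device names and versions).
SAMPLE_INVENTORY = [
    ("relay-feeder-01", "CP300", "V7.90"),
    ("relay-feeder-02", "CP300", "V8.01"),
    ("relay-bus-01", "CP200", "V7.58"),
    ("meter-sub-a", "Series 9410", "V2.2.0"),
    ("meter-sub-b", "Series 9810", "V1.4"),
]

if __name__ == "__main__":
    for finding in assess_inventory(SAMPLE_INVENTORY):
        print(f"{finding['device']:16} {finding['product']:12} "
              f"{finding['firmware']:8} {finding['status']:10} "
              f"(required: {finding['required']})")
```

Run it over an export from your asset inventory; anything reported as VULNERABLE belongs in the patch queue, and Series 9810 devices need the compensating controls from the workarounds section until Siemens provides an update.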

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized firmware update attempts
  • Unexpected device reboots
  • Configuration changes from unknown sources

Network Indicators:

  • Unusual network traffic to device management ports
  • Firmware upload attempts from unauthorized IPs

SIEM Query:

source_ip NOT IN (authorized_management_ips) AND dest_port IN (device_management_ports) AND protocol IN (http, https, ftp, tftp)
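The SIEM query is written as pseudo-syntax, so here is an added example (not from the advisory, not a vendor rule) that implements the same logic over constructed flow records: flag any connection to a device management port over HTTP/HTTPS/FTP/TFTP whose source is outside the authorized management allowlist. The log format, the management-station networks and the port list are assumptions; the allowlist accepts CIDR ranges as well as single hosts, which goes slightly beyond the query's flat IP list.

```python
"""Flag management-port access to protection devices from unauthorized sources.

Added example mirroring the page's SIEM pseudo-query. The flow-log format,
the authorized networks and the management port list are all assumptions
for illustration; adapt them to your own telemetry.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed flow records: timestamp src_ip dst_ip dst_port protocol
FLOW_LOG = """\
2019-07-09T10:00:01Z 10.10.1.5 10.20.0.12 443 https
2019-07-09T10:00:07Z 10.10.1.5 10.20.0.12 80 http
2019-07-09T10:02:13Z 192.168.50.77 10.20.0.12 69 tftp
2019-07-09T10:03:40Z 10.10.1.6 10.20.0.13 21 ftp
2019-07-09T10:05:55Z 172.16.9.9 10.20.0.13 502 modbus
"""

# Assumed authorized management stations (hosts or CIDR ranges)
AUTHORIZED_MANAGEMENT = ["10.10.1.0/24"]
# Assumed device management ports; not from the advisory
DEVICE_MANAGEMENT_PORTS: Set[int] = {80, 443, 21, 69}
WATCHED_PROTOCOLS: Set[str] = {"http", "https", "ftp", "tftp"}


def parse_flows(log_text: str) -> List[Dict[str, str]]:
    """Parse the whitespace-separated flow format into dicts, skipping blanks."""
    records = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # malformed line; a real pipeline would count these
        ts, src, dst, port, proto = fields
        records.append({"ts": ts, "src": src, "dst": dst,
                        "port": port, "proto": proto.lower()})
    return records


def is_authorized(src_ip: str, authorized: Iterable[str]) -> bool:
    """True if src_ip falls inside any authorized host or network."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(net, strict=False)
               for net in authorized)


def find_unauthorized_access(log_text: str,
                             authorized: Iterable[str] = AUTHORIZED_MANAGEMENT,
                             ports: Set[int] = DEVICE_MANAGEMENT_PORTS,
                             protocols: Set[str] = WATCHED_PROTOCOLS) -> List[Dict[str, str]]:
    """Apply the page's query: src NOT IN authorized AND port IN mgmt AND proto IN list."""
    authorized = list(authorized)
    alerts = []
    for rec in parse_flows(log_text):
        if int(rec["port"]) not in ports:
            continue
        if rec["proto"] not in protocols:
            continue
        if is_authorized(rec["src"], authorized):
            continue
        alerts.append(rec)
    return alerts


if __name__ == "__main__":
    for alert in find_unauthorized_access(FLOW_LOG):
        print(f"ALERT {alert['ts']} {alert['src']} -> {alert['dst']}:"
              f"{alert['port']}/{alert['proto']} unauthorized management access")
```

In the sample data only the TFTP connection from 192.168.50.77 fires; the Modbus flow on port 502 is outside the management-port set and is left to process-level monitoring. Tune the allowlist to the DIGSI 5 engineering workstations and jump hosts that legitimately reach the devices, and treat any firmware-sized transfer from elsewhere as a priority alert.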
