CVE-2021-37206
📋 TL;DR
This vulnerability affects Siemens SIPROTEC 5 protection relays fitted with the CP050, CP100 or CP300 CPU variant. An unauthenticated remote attacker who can reach the device's Ethernet interface can send specially crafted packets that force the relay to restart, causing a denial of service. It matters for industrial control systems in power distribution and automation, where these relays protect primary equipment and a restarting relay is not protecting anything.
💻 Affected Systems
- SIPROTEC 5 relays with CPU variant CP050, all versions before V8.80
- SIPROTEC 5 relays with CPU variant CP100, all versions before V8.80
- SIPROTEC 5 relays with CPU variant CP300, all versions before V8.80
📦 What is this software?
SIPROTEC 5 is Siemens' family of protection relays used in power distribution and automation. Each relay is built around one of several CPU modules; the affected products are the SIPROTEC 5 relays with CPU variant CP050, CP100 or CP300.
⚠️ Risk & Real-World Impact
Worst Case
Sustained attacks that restart protective relays again and again could disrupt critical infrastructure operations: a relay that is restarting is not performing its protection functions, so the worst case extends to power outages or damage to the equipment the relay is meant to protect.
Likely Case
Attackers cause temporary service disruption by forcing device restarts, requiring manual intervention to restore normal operation.
If Mitigated
With proper network segmentation and access controls, the impact is limited to isolated network segments with minimal operational disruption.
🎯 Exploit Status
Exploitation requires only network reachability to the device's Ethernet interface: the attacker sends specially crafted packets and no authentication is required.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V8.80 or later
Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-500748.pdf
Restart Required: Yes
Instructions:
1. Download firmware version V8.80 or later from the Siemens support portal.
2. Follow the Siemens firmware update procedure for SIPROTEC 5 devices; the update restarts the device, so schedule it in a maintenance window.
3. Verify that the update succeeded and that the device is functioning normally.
🔧 Temporary Workarounds
Network segmentation and access control
Restrict network access to SIPROTEC 5 devices with firewalls and VLANs so that only the engineering and SCADA hosts that need them can reach their Ethernet interfaces.
Disable unnecessary Ethernet interfaces
Disable any Ethernet interface that is not required for operation, so that the attack surface is limited to the interfaces you actually monitor and filter.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SIPROTEC 5 devices from untrusted networks
- Deploy intrusion detection systems to monitor for anomalous traffic patterns targeting these devices
🔍 How to Verify
Check if Vulnerable:
Check the CPU variant and firmware version via the device web interface or local display. A device with CPU variant CP050, CP100 or CP300 and a firmware version below V8.80 is vulnerable.
Check Version:
The local display menu and the device web interface show the firmware version (the exact menu path varies by device model); DIGSI 5, the SIPROTEC 5 engineering tool, also reports the firmware version of a connected device.
Verify Fix Applied:
Verify firmware version is V8.80 or higher after update. Test device functionality remains operational.
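Added example (written for this page; it is not Siemens tooling and not taken from the advisory): a small Python triage script that applies the check above to an asset inventory. The device names and firmware versions in the sample inventory are constructed, the version parser assumes Siemens' two-digit minor field (V8.80, V8.01) and anything it cannot parse is reported as "unknown" rather than treated as safe.

```python
"""Added example, not part of the advisory: triage a SIPROTEC 5 inventory
for CVE-2021-37206. A device is in scope when its CPU variant is CP050,
CP100 or CP300 and its firmware is below V8.80. Inventory is constructed."""
import re
from typing import NamedTuple, Optional, Tuple

AFFECTED_CPU_VARIANTS = {"CP050", "CP100", "CP300"}
FIXED_VERSION = (8, 80)  # first fixed release per the advisory

# Assumption: versions look like "V8.80" or "V8.01" (two-digit minor), with an
# optional third component; anything else is reported as unknown.
_VERSION_RE = re.compile(r"^[Vv]?\s*(\d+)\.(\d{2})(?:\.(\d+))?$")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Turn a version string into a comparable (major, minor, patch) tuple.

    Returns None for strings that do not look like a version so the caller
    treats unknown firmware as "needs a manual check", never as "fixed".
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


class Device(NamedTuple):
    name: str
    cpu_variant: str
    firmware: str


def assess(device: Device) -> str:
    """Classify one device: vulnerable, fixed, not_affected or unknown."""
    if device.cpu_variant.upper() not in AFFECTED_CPU_VARIANTS:
        return "not_affected"
    version = parse_version(device.firmware)
    if version is None:
        return "unknown"
    return "vulnerable" if version[:2] < FIXED_VERSION else "fixed"


def triage(devices):
    """Group device names by assessment so the patch list falls out directly."""
    result = {"vulnerable": [], "fixed": [], "not_affected": [], "unknown": []}
    for d in devices:
        result[assess(d)].append(d.name)
    return result


# Constructed inventory for the example; names and versions are made up.
SAMPLE_INVENTORY = [
    Device("7SA87-feeder-01", "CP300", "V7.90"),
    Device("7SJ85-feeder-02", "CP100", "V8.80"),
    Device("7UT85-xfmr-01", "CP050", "V8.30"),
    Device("7SL87-line-03", "CP300", "V9.20"),
    Device("7SJ82-feeder-05", "CP150", "V7.50"),  # variant not listed in the advisory
    Device("7SK85-motor-01", "CP100", "n/a"),     # inventory gap: check by hand
]

if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {names}")
```

The "unknown" bucket is the important one in practice: an inventory with blank or free-text firmware fields will otherwise hide devices that still need to be checked on the local display or in DIGSI 5.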
📡 Detection & Monitoring
Log Indicators:
- Unexpected device restarts
- Connection attempts to device web services from unusual sources
Network Indicators:
- Unusual packet patterns to device Ethernet ports
- Traffic spikes to device management interfaces
SIEM Query (pseudo-syntax; adapt it to your SIEM's query language, replace [device_ip] with the relay's address, and set threshold from a baseline of the device's normal traffic; the port list is illustrative, since the indicators above are about traffic to the device's Ethernet interface generally):
source_ip=* AND dest_ip=[device_ip] AND (protocol=tcp OR protocol=udp) AND port IN (80, 443, 8080) AND bytes > threshold
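Added example (written for this page, not from the advisory or any vendor tool): Python detection logic that runs the three indicators above over constructed log lines and correlates them. The log format, the relay and source addresses, the allowlist, the 10-second burst window, the 20-packet threshold and the 60-second restart lag are all assumptions chosen for the demonstration; tune them from your own baseline.

```python
"""Added example, not part of the advisory: apply the detection indicators
(connections from unexpected sources, packet bursts at the relay, a restart
shortly after a burst) to constructed firewall and device-event log lines."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

RELAY_IP = "10.10.5.11"               # assumed address of the SIPROTEC 5 relay
ALLOWED_SOURCES = {"10.10.1.20"}      # assumed engineering station allowlist
BURST_WINDOW = timedelta(seconds=10)  # packets from one source within this window...
BURST_THRESHOLD = 20                  # ...at or above this count count as a burst
RESTART_LAG = timedelta(seconds=60)   # restart this soon after a burst is suspicious

# Assumed firewall log format: "<ts> src=<ip> dst=<ip> dport=<n> proto=<tcp|udp> len=<n>"
_CONN_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_conn_log(lines):
    """Return (ts, src, dport, proto) for lines addressed to the relay; skip the rest."""
    out = []
    for line in lines:
        m = _CONN_RE.match(line)
        if m and m.group("dst") == RELAY_IP:
            out.append((parse_ts(m.group("ts")), m.group("src"),
                        int(m.group("dport")), m.group("proto")))
    return out


def unexpected_sources(records):
    """Log indicator: connection attempts from hosts outside the allowlist."""
    return sorted({src for _, src, _, _ in records if src not in ALLOWED_SOURCES})


def bursts(records):
    """Network indicator: sliding window per source; returns {src: (window_start, count)}."""
    by_src = defaultdict(list)
    for ts, src, _, _ in records:
        by_src[src].append(ts)
    found = {}
    for src, times in by_src.items():
        times.sort()
        left = 0
        for right, ts in enumerate(times):
            while ts - times[left] > BURST_WINDOW:   # slide the window forward
                left += 1
            count = right - left + 1
            if count >= BURST_THRESHOLD and (src not in found or count > found[src][1]):
                found[src] = (times[left], count)
    return found


def restarts_after_bursts(event_lines, burst_map):
    """Correlate device 'restart' events with a preceding burst; returns [(ts, src)]."""
    hits = []
    for line in event_lines:
        ts_text, _, msg = line.partition(" ")
        if "restart" not in msg.lower():
            continue
        r_ts = parse_ts(ts_text)
        for src, (start, _) in burst_map.items():
            if start <= r_ts <= start + BURST_WINDOW + RESTART_LAG:
                hits.append((r_ts, src))
    return hits


def analyze(conn_lines, event_lines):
    """Run all three indicators and return a summary dict."""
    records = parse_conn_log(conn_lines)
    burst_map = bursts(records)
    return {
        "unexpected_sources": unexpected_sources(records),
        "bursts": {src: count for src, (_, count) in burst_map.items()},
        "restarts_after_bursts": [(ts.isoformat(), src)
                                  for ts, src in restarts_after_bursts(event_lines, burst_map)],
    }


# Constructed sample logs: normal engineering traffic, one stray host, traffic to
# another relay (ignored), then 25 packets in five seconds from an outside address.
_BASE = datetime(2021, 11, 10, 9, 14, 0)
CONN_LOG = [
    "2021-11-10T09:10:01Z src=10.10.1.20 dst=10.10.5.11 dport=443 proto=tcp len=320",
    "2021-11-10T09:12:40Z src=10.10.9.3 dst=10.10.5.11 dport=80 proto=tcp len=74",
    "2021-11-10T09:13:15Z src=10.10.1.20 dst=10.10.5.12 dport=443 proto=tcp len=200",
] + [
    f"{(_BASE + timedelta(milliseconds=200 * i)).strftime('%Y-%m-%dT%H:%M:%SZ')} "
    f"src=192.168.77.5 dst=10.10.5.11 dport=80 proto=tcp len=1480"
    for i in range(25)
]
DEVICE_EVENTS = [  # constructed syslog-style device events
    "2021-11-10T09:00:00Z relay-01 Ethernet link up",
    "2021-11-10T09:14:31Z relay-01 Device restart (reason: unknown)",
]

if __name__ == "__main__":
    print(analyze(CONN_LOG, DEVICE_EVENTS))
```

Run on its own the script reports 10.10.9.3 and 192.168.77.5 as unexpected sources, a 25-packet burst from 192.168.77.5, and the 09:14:31 restart as following that burst. The single stray connection from 10.10.9.3 is reported but not escalated, which is the point of keeping the burst and restart correlation separate from the plain allowlist check.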