Today the DHS ICS-CERT published a control-system security advisory for three vulnerabilities in the EN100 Ethernet module used in the Siemens SIPROTEC 4 and SIPROTEC Compact devices. The vulnerabilities were reported by Kirill Nesterov and Anatoly Katushin from Kaspersky Lab. Siemens has produced a firmware update. There is no indication that the researchers have been provided the opportunity to verify the efficacy of the fix.
The three vulnerabilities are:
• Authentication bypass issues - CVE-2016-7112 and CVE-2016-7114; and
• Resource exhaustion - CVE-2016-7113.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to circumvent authentication and perform administrative operations. The Siemens CERT advisory notes that all three vulnerabilities require network access to the device’s web interface (port 80/tcp).
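Because every one of these issues needs a TCP connection to the module's web interface on port 80, the practical check for a defender is whether anything other than the engineering hosts that are supposed to manage the relays is actually reaching that port. The script below is an added example, not code from the advisory or from Siemens: it parses a few constructed flow records (source, destination, protocol, destination port), and flags any TCP/80 connection to a relay address that did not originate from an allowlisted engineering subnet. The relay addresses, the engineering subnet and the flow lines are all hypothetical values chosen for the illustration.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample flow records (hypothetical, not from the advisory).
# Each line: <src_ip> <dst_ip> <proto> <dst_port>
SAMPLE_FLOWS = [
    "10.10.5.20 10.10.7.50 tcp 80",      # engineering host -> relay web UI (expected)
    "10.10.5.21 10.10.7.50 tcp 102",     # IEC 61850/MMS traffic, not the web interface
    "192.168.44.9 10.10.7.50 tcp 80",    # office-network host -> relay web UI (unexpected)
    "10.10.5.20 10.10.7.51 tcp 80",      # engineering host -> second relay (expected)
    "172.16.3.4 10.10.7.50 udp 80",      # UDP to port 80, not a TCP web session
    "172.16.3.4 10.10.7.51 tcp 80",      # unknown host -> second relay web UI (unexpected)
]

# Assumed management addresses of SIPROTEC devices fitted with EN100 modules.
RELAY_ADDRS = {"10.10.7.50", "10.10.7.51"}

# Assumed engineering subnet that is permitted to use the web interface.
ALLOWED_SRC_NETS = [ipaddress.ip_network("10.10.5.0/24")]

# The advisory states that all three CVEs require access to the web interface on 80/tcp.
WEB_PORT = 80


def parse_flow(line: str) -> Optional[Dict[str, object]]:
    """Split one flow record into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    src, dst, proto, port = parts
    try:
        return {
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(),
            "dport": int(port),
        }
    except ValueError:
        return None


def is_allowed_source(ip: ipaddress._BaseAddress) -> bool:
    """True if the source address falls inside an allowlisted engineering subnet."""
    return any(ip in net for net in ALLOWED_SRC_NETS)


def find_unexpected_web_access(lines: List[str]) -> List[Dict[str, str]]:
    """Return TCP/80 flows to a relay address whose source is not allowlisted."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        if str(flow["dst"]) not in RELAY_ADDRS:
            continue                     # not one of the relays we care about
        if flow["proto"] != "tcp" or flow["dport"] != WEB_PORT:
            continue                     # not a session to the EN100 web interface
        if is_allowed_source(flow["src"]):
            continue                     # expected engineering access
        findings.append({"src": str(flow["src"]), "dst": str(flow["dst"])})
    return findings


if __name__ == "__main__":
    for hit in find_unexpected_web_access(SAMPLE_FLOWS):
        print(f"unexpected web-interface access: {hit['src']} -> {hit['dst']}:{WEB_PORT}/tcp")
```

Run against real flow or firewall logs, a non-empty result means the network boundary the advisory relies on is not holding; until the firmware update is deployed, that is the condition worth alerting on, and afterwards it is still the condition worth reviewing.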