ICSA-16-140-02
Published 2025-06-05
Siemens SIPROTEC Information Disclosure Vulnerabilities (Update B)
CVSS 5.3 (MEDIUM)
CVEs (2)
Remediations
- Siemens provides firmware update V4.27 for the EN100 module included in SIPROTEC 4 and SIPROTEC Compact to fix the vulnerabilities. The firmware updates are available on the Siemens website: http://www.siemens.com/downloads/siprotec-4 and http://www.siemens.com/downloads/siprotec-compact
- For SIPROTEC Compact 7SJ80 with Ethernet Service Interface on Port A, Siemens provides firmware update V4.76. The firmware update is available on the Siemens website: http://www.siemens.com/downloads/siprotec-compact
- An attacker must have network access to the affected devices. For the remaining affected products, Siemens recommends protecting network access with appropriate mechanisms (e.g., firewalls, segmentation, VPN) and configuring the environment according to Siemens operational guidelines so that the devices run in a protected IT environment. Siemens provides guidance for operating the devices only within trusted networks at: http://www.siemens.com/gridsecurity
- For more information on these vulnerabilities and more detailed mitigation instructions, see Siemens Security Advisory SSA-547990 at: http://www.siemens.com/cert/advisories
Affected Vendors
Siemens
Affected Products (6)
- Siemens · EN100 Ethernet module included in SIPROTEC 4: <=V4.26
- Siemens · EN100 Ethernet module included in SIPROTEC Compact: <=V4.26
- Siemens · SIPROTEC Compact model 7SJ80 with Ethernet Service Interface on Port A Firmware: <=V4.75
- Siemens · SIPROTEC Compact models 7RW80 with Ethernet Service Interface on Port A: all versions (vers:all/*)
- Siemens · SIPROTEC Compact models 7SJ81 with Ethernet Service Interface on Port A: all versions (vers:all/*)
- Siemens · SIPROTEC Compact models 7SK81 with Ethernet Service Interface on Port A: all versions (vers:all/*)