As part of Team82's continued mission and focus to support and secure critical infrastructure, researcher Tal Keren has discovered a vulnerability (CVE-2019-19279) in the Siemens Digsi 4 protocol. This vulnerability allows for a denial-of-service (DOS) attack against Siemens SIPROTEC 4 protection relays, designed specifically for electrical substations. This is the same protocol that was exploited by the Industroyer malware in 2016.
Team82 immediately reported this research and coordinated with Siemens, which has now released an advisory (SSA-974843) with workarounds and mitigations.
The Industroyer malware, also referred to as Crashoverride, was used to attack the Ukraine power grid in 2016, and it contained targeted industrial cybersecurity (ICS) payloads that allowed it to communicate using ICS protocols and specifically attack the electrical substations of the targeted companies. Substations are critical in power generation, distribution, and transmission networks. A very important component in a substation is the protection relay, which is responsible for monitoring the actual current transmitted in every location and may trip any circuit breaker if anything unexpected happens. Without this protection relay, anything from a power outage to physical damage and even safety issues could occur.
Some of the payloads used by Industroyer were designed to cause DOS on the protection relays and remote terminal units (RTU) used in the targeted power grid companies and act as a kill switch. One of the specifically targeted ICS payloads found in the Industroyer malware (CVE-2015-5374) that was implemented caused DOS on Siemens SIPROTEC 4 protection relays. This vulnerability used the SIPROTEC 4 programming protocol (Digsi 4) that communicates over UDP port 50000, and the proof of concept (POC) code implementing it is available publicly.
The newest vulnerability discovered by Claroty uses a malicious packet in that same protocol to cause a DOS on those relays, thus allowing an attacker to reproduce the damage caused by Industroyer. This Digsi4 protocol allows users to program the protection relay and change its behavior. Like many other ICS related protocols, this protocol was developed by Siemens as a proprietary protocol. In that, the challenge for traditional IT security products aiming to protect against such attacks is increased, as a specific understanding of the protocol and deep packet inspection (DPI) capabilities are required.
It is important to note that the advisory published by Siemens contains workarounds and mitigations for this issue. Siemens has also improved security in the newer SIPROTEC 5 relays, whose communication protocol is encrypted and utilizes improved security.
Many other protection relays and other types of ICS hardware in the industry use proprietary protocols for programming purposes. Securing these critical devices requires deep understanding of those protocols, a fundamental knowledge of Operational Technology (OT) security, and continuous research to find and map potential vulnerabilities—whether in the design of the protocol, implementation, or determining attempts to abuse it.
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 are vulnerable to an attacker impersonating the web application service and mislead victim clients.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 7.5
CWE-288 AUTHENTICATION BYPASS USING AN ALTERNATE PATH OR CHANNEL:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain an exposed web management service that could allow an attacker to bypass authentication measures and gain controls over utilities within the products.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 9.8
CWE-547 USE OF HARD-CODED, SECURITY-RELEVANT CONSTANTS:
Optigo Networks Visual BACnet Capture Tool and Optigo Visual Networks Capture Tool version 3.1.2rc11 contain a hard coded secret key. This could allow an attacker to generate valid JWT (JSON Web Token) sessions.
Optigo Networks recommends users to upgrade to the following:
CVSS v3: 7.5
CWE-912 HIDDEN FUNCTIONALITY:
The "update" binary in the firmware of the affected product sends attempts to mount to a hard-coded, routable IP address, bypassing existing device network settings to do so. The function triggers if the 'C' button is pressed at a specific time during the boot process. If an attacker is able to control or impersonate this IP address, they could upload and overwrite files on the device.
Per FDA recommendation, CISA recommends users remove any Contec CMS8000 devices from their networks.
If asset owners cannot remove the devices from their networks, users should block 202.114.4.0/24 from their networks, or block 202.114.4.119 and 202.114.4.120.
Please note that this device may be re-labeled and sold by resellers.
Read more here: Do the CONTEC CMS8000 Patient Monitors Contain a Chinese Backdoor? The Reality is More Complicated….
CVSS v3: 7.5
CWE-295 IMPROPER CERTIFICATE VALIDATION:
The affected product is vulnerable due to failure of the update mechanism to verify the update server's certificate which could allow an attacker to alter network traffic and carry out a machine-in-the-middle attack (MITM). An attacker could modify the server's response and deliver a malicious update to the user.
Medixant recommends users download the v2025.1 or later version of their software.
CVSS v3: 5.7
