Nessus plugin TENABLE_OT_SIEMENS_CVE-2016-7114.NASL
History: Feb 07, 2022 - 12:00 a.m.

Siemens SIPROTEC 4 and SIPROTEC Compact Improper Authentication (CVE-2016-7114)

2022-02-07 00:00:00
This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com

CVSS2: 9 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: COMPLETE
  Integrity Impact: COMPLETE
  Availability Impact: COMPLETE
  Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS3: 8.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score: 9.2 High (Confidence: High)

EPSS: 0.002 Low (Percentile: 57.7%)

A vulnerability has been identified in Firmware variant PROFINET IO for EN100 Ethernet module: All versions < V1.04.01; Firmware variant Modbus TCP for EN100 Ethernet module: All versions < V1.11.00; Firmware variant DNP3 TCP for EN100 Ethernet module: All versions < V1.03; Firmware variant IEC 104 for EN100 Ethernet module: All versions < V1.21; EN100 Ethernet module included in SIPROTEC Merging Unit 6MU80: All versions < V1.02.02; SIPROTEC 7SJ686:
All versions < V4.87; SIPROTEC 7UT686: All versions < V4.02; SIPROTEC 7SD686: All versions < V4.05; SIPROTEC 7SJ66: All versions < V4.30. Attackers with network access to the device's web interface (port 80/tcp) could possibly circumvent authentication and perform certain administrative operations. A legitimate user must be logged into the web interface for the attack to be successful.

This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 70300
##
# (C) Tenable, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(500101);
  script_version("1.10");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/04");

  script_cve_id("CVE-2016-7114");

  script_name(english:"Siemens SIPROTEC 4 and SIPROTEC Compact Improper Authentication (CVE-2016-7114)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in Firmware variant PROFINET IO for EN100
Ethernet module : All versions < V1.04.01; Firmware variant Modbus TCP for
EN100 Ethernet module : All versions < V1.11.00; Firmware variant DNP3 TCP for
EN100 Ethernet module : All versions < V1.03; Firmware variant IEC 104 for
EN100 Ethernet module : All versions < V1.21; EN100 Ethernet module included
in SIPROTEC Merging Unit 6MU80 : All versions < 1.02.02; SIPROTEC 7SJ686 :
All versions < V4.87; SIPROTEC 7UT686 : All versions < V4.02; SIPROTEC 7SD686
: All versions < V4.05; SIPROTEC 7SJ66 : All versions < V4.30. Attackers with
network access to the device's web interface (port 80/tcp) could possibly
circumvent authentication and perform certain administrative operations. A
legitimate user must be logged into the web interface for the attack to be
successful.

This plugin only works with Tenable.ot. Please visit
https://www.tenable.com/products/tenable-ot for more information.");
  # https://cert-portal.siemens.com/productcert/pdf/ssa-630413.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?ad619770");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/bid/92745");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/bid/99471");
  # https://cert-portal.siemens.com/productcert/pdf/ssa-323211.pdf
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?8b06cf13");
  script_set_attribute(attribute:"see_also", value:"https://ics-cert.us-cert.gov/advisories/ICSA-17-187-03");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-17-187-02");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-17-187-03f");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens provides updates for the following affected products and recommends users update to the latest version:

- Firmware variants for EN100 Ethernet modules as options for SIPROTEC 4 and SIPROTEC Compact: 
    - Firmware variant PROFINET IO: Update to V1.04.01
    - Firmware variant Modbus TCP: Update to V1.11.00
    - Firmware variant DNP3 TCP: Update to V1.03
    - Firmware variant IEC 104: Update to V1.21

https://support.industry.siemens.com/cs/us/en/view/109745821

- EN100 Ethernet module included in SIPROTEC Merging Unit 6MU80: Update to firmware V1.02.02 by contacting the Siemens
energy hotline at: [email protected]
- SIPROTEC 7SJ66: update to firmware V4.30

https://support.industry.siemens.com/cs/gb/en/view/109743555

- SIPROTEC 7SJ686: update to firmware V4.87

http://www.siemensenergysector.com/ProductRelatedDown.aspx?ProductId=51

- SIPROTEC 7UT686: update to firmware V4.02

http://www.siemensenergysector.com/ProductRelatedDown.aspx?ProductId=68

- SIPROTEC 7SD686: update to firmware V4.05

http://www.siemensenergysector.com/ProductRelatedDown.aspx?ProductId=64

Siemens is preparing updates for the remaining affected products and recommends the following mitigations in the
meantime:

- Apply secure substation concepts and defense-in-depth measures.

Please see the specific product manual for more information. Manuals can be obtained from the downloads menu at the
following Siemens website:

http://www.siemens.com/gridsecurity

- Restrict network access to Port 80/TCP and Port 50000/UDP

Siemens recommends users protect network access with appropriate mechanisms such as firewalls, segmentation, and VPNs.
Siemens also advises that users configure the operational environment according to Siemens' Operational Guidelines for
Industrial Security:

https://www.siemens.com/cert/operational-guidelines-industrial-security

For more information on this vulnerability and more detailed mitigation instructions, please see Siemens Security
Advisory SSA-323211 at the following location:

http://www.siemens.com/cert/advisories");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-7114");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(287);

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/09/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:siprotec_4_7sj686_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:siprotec_4_7ut686_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:siprotec_4_7sd686_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:siprotec_4_7sj66_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:siprotec_4_7sj686_firmware" :
        {"versionEndExcluding" : "4.87", "family" : "Siprotec4"},
    "cpe:/o:siemens:siprotec_4_7ut686_firmware" :
        {"versionEndExcluding" : "4.02", "family" : "Siprotec4"},
    "cpe:/o:siemens:siprotec_4_7sd686_firmware" :
        {"versionEndExcluding" : "4.05", "family" : "Siprotec4"},
    "cpe:/o:siemens:siprotec_4_7sj66_firmware" :
        {"versionEndExcluding" : "4.30", "family" : "Siprotec4"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);
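The plugin's final call hands the CPE table to Tenable's own compare_and_report, whose internals are not on this page. The following is an added Python illustration (not Tenable's code) of the same version-gating logic: it normalises firmware strings as written in the advisory ("V 4.02", "V4.87", "4.30"), compares them component-wise as integers against each CPE's versionEndExcluding bound, and flags assets below the bound. The asset list and the report/parse_version/is_vulnerable names are constructed for this example.

```python
import re

# Affected-version bounds copied from the plugin's vuln_cpes table above.
AFFECTED = {
    "cpe:/o:siemens:siprotec_4_7sj686_firmware": "4.87",
    "cpe:/o:siemens:siprotec_4_7ut686_firmware": "4.02",
    "cpe:/o:siemens:siprotec_4_7sd686_firmware": "4.05",
    "cpe:/o:siemens:siprotec_4_7sj66_firmware": "4.30",
}


def parse_version(text):
    """Turn 'V 4.02', 'v4.87' or '4.30' into a tuple of ints, e.g. (4, 2).
    Components are compared as integers, matching the two-digit minor notation
    used in the advisory (4.05 < 4.30 < 4.87). Anything that is not a dotted
    number raises ValueError instead of silently comparing as 0."""
    cleaned = re.sub(r"^\s*[vV]\s*", "", text.strip())
    if not re.fullmatch(r"\d+(\.\d+)*", cleaned):
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in cleaned.split("."))


def is_vulnerable(cpe, version):
    """True when the CPE is in the table and version < versionEndExcluding.
    A CPE not in the table returns False: 'not covered by this check',
    which is not the same as 'confirmed safe'."""
    bound = AFFECTED.get(cpe)
    if bound is None:
        return False
    return parse_version(version) < parse_version(bound)


def report(assets):
    """assets: iterable of (name, cpe, firmware_version) tuples.
    Returns (name, cpe, version, bound) for every asset that is flagged."""
    flagged = []
    for name, cpe, version in assets:
        if is_vulnerable(cpe, version):
            flagged.append((name, cpe, version, AFFECTED[cpe]))
    return flagged


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    inventory = [
        ("relay-A", "cpe:/o:siemens:siprotec_4_7sd686_firmware", "V 4.04"),
        ("relay-B", "cpe:/o:siemens:siprotec_4_7ut686_firmware", "V4.02"),
    ]
    for row in report(inventory):
        print("affected:", row)
```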
Vendor  | Product                     | Version | CPE
siemens | siprotec_4_7sj686_firmware  |         | cpe:/o:siemens:siprotec_4_7sj686_firmware
siemens | siprotec_4_7ut686_firmware  |         | cpe:/o:siemens:siprotec_4_7ut686_firmware
siemens | siprotec_4_7sd686_firmware  |         | cpe:/o:siemens:siprotec_4_7sd686_firmware
siemens | siprotec_4_7sj66_firmware   |         | cpe:/o:siemens:siprotec_4_7sj66_firmware
