5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.6 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
40.2%
A vulnerability has been identified in EN100 Ethernet module IEC 61850 variant (All versions < V4.30), EN100 Ethernet module DNP3 variant (All versions < V1.04), EN100 Ethernet module PROFINET IO variant (All versions), EN100 Ethernet module Modbus TCP variant (All versions), EN100 Ethernet module IEC 104 variant (All versions < V1.22). The web interface (TCP/80) of affected devices allows an unauthenticated user to upgrade or downgrade the firmware of the device, including to older versions with known vulnerabilities.
This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.
#%NASL_MIN_LEVEL 70300
##
# (C) Tenable Network Security, Inc.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(500163);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/04");
script_cve_id("CVE-2018-4838");
script_name(english:"Siemens SIPROTEC 4, SIPROTEC Compact, and Reyrolle Devices using the EN100 Ethernet Communication Module Extension Missing Authentication For Critical Function (CVE-2018-4838)");
script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in EN100 Ethernet module IEC 61850 variant (All versions < V4.30), EN100 Ethernet
module DNP3 variant (All versions < V1.04), EN100 Ethernet module PROFINET IO variant (All versions), EN100 Ethernet
module Modbus TCP variant (All versions), EN100 Ethernet module IEC 104 variant (All versions < V1.22). The web
interface (TCP/80) of affected devices allows an unauthenticated user to upgrade or downgrade the firmware of the
device, including to older versions with known vulnerabilities.
This plugin only works with Tenable.ot. Please visit
https://www.tenable.com/products/tenable-ot for more information.");
script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-845879.pdf");
script_set_attribute(attribute:"see_also", value:"https://ics-cert.us-cert.gov/advisories/ICSA-18-067-01");
script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-18-067-02");
script_set_attribute(attribute:"see_also", value:"https://www.securityfocus.com/bid/103379");
script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.
Siemens has provided the following updates for mitigations:
- EN100 Ethernet module DNP3 variant (All versions prior to v1.04): Update to v1.04 and configure maintenance password,
which can be located here: https://support.industry.siemens.com/cs/us/en/ view/109745821
- EN100 Ethernet module IEC 61850 variant (All versions prior to v4.30): Update to v4.30, which can be located here:
https://support.industry.siemens.com/cs/us/en/view/109745821
- EN100 Ethernet module IEC 104 variant: Update to v1.22, which can be located here:
https://support.industry.siemens.com/cs/document/109745821
For all other affected products, Siemens has identified the following specific workarounds and mitigations that users
can apply to reduce the risk. As a general security measure Siemens strongly recommends to protect network access with
appropriate mechanisms (e.g., firewalls, segmentation, VPN). It is advised to configure the environment according to
SiemensΓ’ΒΒ operational guidelines in order to run the devices in a protected IT environment.
Recommended security guidelines to Secure Substations and Defense-in-Depth can be found at:
https://www.siemens.com/gridsecurity
For further inquiries on vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT:
https://www.siemens.com/cert/advisories
For more information on this vulnerability and associated software updates, please see Siemens security notification
SSA-845879 on their website: https://cert-portal.siemens.com/productcert/pdf/ssa-845879.pdf");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-4838");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_cwe_id(306);
script_set_attribute(attribute:"vuln_publication_date", value:"2018/03/08");
script_set_attribute(attribute:"patch_publication_date", value:"2018/03/08");
script_set_attribute(attribute:"plugin_publication_date", value:"2022/02/07");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:en100_ethernet_module_iec_104_firmware:-");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:en100_ethernet_module_dnp3_firmware:-");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:en100_ethernet_module_modbus_tcp_firmware:-");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:en100_ethernet_module_profinet_io_firmware:-");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:en100_ethernet_module_iec_61850_firmware");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Tenable.ot");
script_copyright(english:"This script is Copyright (C) 2022-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("tenable_ot_api_integration.nasl");
script_require_keys("Tenable.ot/Siemens");
exit(0);
}
include('tenable_ot_cve_funcs.inc');
get_kb_item_or_exit('Tenable.ot/Siemens');
var asset = tenable_ot::assets::get(vendor:'Siemens');
var vuln_cpes = {
"cpe:/o:siemens:en100_ethernet_module_iec_104_firmware:-" :
{"family" : "Siprotec4"},
"cpe:/o:siemens:en100_ethernet_module_dnp3_firmware:-" :
{"family" : "Siprotec4"},
"cpe:/o:siemens:en100_ethernet_module_modbus_tcp_firmware:-" :
{"family" : "Siprotec4"},
"cpe:/o:siemens:en100_ethernet_module_profinet_io_firmware:-" :
{"family" : "Siprotec4"},
"cpe:/o:siemens:en100_ethernet_module_iec_61850_firmware" :
{"versionEndExcluding" : "4.30", "family" : "Siprotec4"}
};
tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);
Vendor | Product | Version | CPE |
---|---|---|---|
siemens | en100_ethernet_module_iec_104_firmware | - | cpe:/o:siemens:en100_ethernet_module_iec_104_firmware:- |
siemens | en100_ethernet_module_dnp3_firmware | - | cpe:/o:siemens:en100_ethernet_module_dnp3_firmware:- |
siemens | en100_ethernet_module_modbus_tcp_firmware | - | cpe:/o:siemens:en100_ethernet_module_modbus_tcp_firmware:- |
siemens | en100_ethernet_module_profinet_io_firmware | - | cpe:/o:siemens:en100_ethernet_module_profinet_io_firmware:- |
siemens | en100_ethernet_module_iec_61850_firmware | cpe:/o:siemens:en100_ethernet_module_iec_61850_firmware |
5 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:N/I:P/A:N
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
7.6 High
AI Score
Confidence
High
0.001 Low
EPSS
Percentile
40.2%