Siemens has issued a security advisory for its SIPROTEC 5 product line, addressing a critical vulnerability related to inadequate encryption strength. This issue, identified as CVE-2024-38867, affects various versions of Siemens SIPROTEC 5 devices and communication modules. The flaw, which received a CVSS v3 base score of 5.9 and a CVSS v4 base score of 8.2, could allow an unauthorized attacker to exploit weak encryption algorithms used on several communication ports. This vulnerability poses a significant risk as it can enable attackers to intercept and manipulate data transmitted between legitimate clients and the affected devices.
The affected Siemens SIPROTEC 5 models span across multiple versions, including devices from the 6MD, 7KE, 7SA, 7SD, and 7SJ series, among others. Siemens advises updating to the latest software versions to mitigate this vulnerability. For specific products where updates are not available, Siemens suggests implementing recommended workarounds such as restricting access to vulnerable ports and protecting network access with appropriate security measures.
The advisory highlights that the vulnerability was reported by Hydro-Québec and impacts critical infrastructure sectors worldwide. Siemens, headquartered in Germany, is actively addressing the issue by preparing further fixes and releasing updated versions of the affected products. Users are encouraged to follow Siemens’ operational security guidelines and to review recommendations on their industrial security webpage.
The Cybersecurity and Infrastructure Security Agency (CISA) also advises organizations to take defensive measures to minimize the risk of exploitation. CISA emphasizes the importance of performing impact analyses and risk assessments before deploying any defensive measures. While no public exploitation of this vulnerability has been reported, CISA encourages proactive cybersecurity strategies and adherence to best practices for industrial control systems.