Siemens SIPROTEC 5 Flaw Allows Session Hijacking: Patch Now

---
title: "Siemens SIPROTEC 5 Flaw Allows Session Hijacking: Patch Now"
short_title: "Siemens SIPROTEC 5 session hijacking vulnerability"
description: "Siemens SIPROTEC 5 devices vulnerable to session hijacking due to weak random number generation (CVE-2024-54017). Learn mitigation steps and affected versions."
author: "Vitus"
date: 2024-05-15
categories: [Cybersecurity, Vulnerabilities]
tags: [siemens, siprotec5, cve-2024-54017, session-hijacking, ics-security]
score: 0.78
cve_ids: [CVE-2024-54017]
---

## TL;DR
Siemens SIPROTEC 5 devices are vulnerable to session hijacking attacks due to insufficiently random session identifiers (CVE-2024-54017). An unauthenticated remote attacker could brute-force a valid session ID to gain unauthorized access to limited web server data. Siemens is releasing fixes and recommends immediate countermeasures for affected versions.


## Critical Vulnerability in Siemens SIPROTEC 5 Devices Exposes Industrial Systems to Session Hijacking

Siemens has disclosed a medium-severity vulnerability in its SIPROTEC 5 devices, a widely used solution for protecting, controlling, and monitoring electrical systems in critical infrastructure. The flaw, tracked as CVE-2024-54017, stems from the use of insufficiently random numbers to generate session identifiers. This weakness could enable an unauthenticated remote attacker to brute-force a valid session ID, hijack user sessions, and gain unauthorized read access to sensitive information on the web server.

### Key Points
- Vulnerability: Weak random number generation in session identifiers (CVE-2024-54017, CVSS 5.3).
- Impact: Unauthenticated remote attackers can hijack sessions and access limited web server data.
- Affected Systems: Multiple SIPROTEC 5 device models and versions, primarily those running firmware versions below 11.0.
- Mitigation: Siemens recommends updating to V11.0 or later and implementing network security best practices.
- Critical Infrastructure Risk: Deployed worldwide in power grids and critical manufacturing sectors.


## Technical Details

#### Root Cause
The vulnerability arises from the predictable generation of session identifiers in SIPROTEC 5 devices. Session IDs are used to authenticate and maintain user sessions on the web interface. If these IDs are not sufficiently random, attackers can brute-force them to gain unauthorized access. In this case, the flaw affects only a subset of endpoints provided by the affected products, but the risk remains significant due to the critical nature of the systems involved.
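To make the root cause concrete, the following added example (written for this page, not Siemens' or the SIPROTEC 5 firmware's code) contrasts a hypothetical weak session-ID generator with a cryptographically strong one and adds the check a reviewer would apply: an upper bound on the identifier's entropy from its alphabet and length, compared against the 64-bit minimum the OWASP Session Management Cheat Sheet recommends. The 32-bit hex format of the weak generator is an assumption chosen for illustration; the page does not describe the real SIPROTEC 5 format.

```python
import math
import random
import secrets
import string

HEX = "0123456789abcdef"
URLSAFE = string.ascii_letters + string.digits + "-_"
MIN_BITS = 64  # OWASP Session Management Cheat Sheet minimum for session IDs


def weak_session_id(rng: random.Random) -> str:
    """Hypothetical weak generator: 8 hex digits (32 bits) taken from a
    non-cryptographic PRNG. Both the small space and the predictable PRNG
    are the kind of defect CWE-334 describes."""
    return f"{rng.getrandbits(32):08x}"


def strong_session_id(nbytes: int = 32) -> str:
    """Strong generator: 32 bytes (256 bits) from the OS CSPRNG, base64url-encoded."""
    return secrets.token_urlsafe(nbytes)


def id_space_bits(session_id: str, alphabet: str) -> float:
    """Upper bound on the entropy of an identifier of this length drawn
    uniformly from `alphabet`. It is an upper bound only: a predictable
    generator can emit long IDs that still carry very little entropy."""
    if any(ch not in alphabet for ch in session_id):
        raise ValueError("identifier contains characters outside the alphabet")
    return len(session_id) * math.log2(len(alphabet))


def meets_minimum(session_id: str, alphabet: str, min_bits: int = MIN_BITS) -> bool:
    """Review check: reject any ID format whose space is below the minimum."""
    return id_space_bits(session_id, alphabet) >= min_bits


def expected_guesses(space_bits: float, live_sessions: int = 1) -> float:
    """Risk metric: expected number of blind guesses before one of
    `live_sessions` valid IDs is hit, assuming uniform IDs. Doubling the
    number of active sessions halves the work, which is why entropy
    requirements are stated per ID, not per deployment."""
    return (2 ** space_bits) / live_sessions / 2


if __name__ == "__main__":
    weak = weak_session_id(random.Random(1))
    strong = strong_session_id()
    print(weak, id_space_bits(weak, HEX), meets_minimum(weak, HEX))
    print(strong, id_space_bits(strong, URLSAFE), meets_minimum(strong, URLSAFE))
```

The check is only an upper bound: the real fix for a weak generator is to source identifiers from a CSPRNG (as `strong_session_id` does), and a code review should verify the generator as well as the format.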

#### Affected Versions
The following SIPROTEC 5 devices and firmware versions are affected by CVE-2024-54017:

| Device Model | Control Processor | Affected Versions |
|--------------------------------|-----------------------|-------------------------------------|
| SIPROTEC 5 6MD84 | CP300 | < 11.0 |
| SIPROTEC 5 6MD85 | CP200 | All versions |
| SIPROTEC 5 6MD85 | CP300 | ≥ 7.80, < 11.0 |
| SIPROTEC 5 6MD86 | CP200 | All versions |
| SIPROTEC 5 6MD86 | CP300 | ≥ 7.80, < 11.0 |
| SIPROTEC 5 6MD89 | CP300 | ≥ 7.80, < 11.0 |
| SIPROTEC 5 6MU85 | CP300 | ≥ 7.80, < 11.0 |
| SIPROTEC 5 7KE85 | CP200 | All versions |
| SIPROTEC 5 7KE85 | CP300 | ≥ 7.80, < 11.0 |
| SIPROTEC 5 7SA82 | CP100 | ≥ 7.80 |
| SIPROTEC 5 7SA82 | CP150 | < 11.0 |
| SIPROTEC 5 7SA84 | CP200 | All versions |
| SIPROTEC 5 7SA86 | CP300 | ≥ 7.80, < 11.0 |
| SIPROTEC 5 7SA87 | CP200 | All versions |
| SIPROTEC 5 7SA87 | CP300 | ≥ 7.80, < 11.0 |
| SIPROTEC 5 7SD82 | CP100 | ≥ 7.80 |
| SIPROTEC 5 7SD82 | CP150 | < 11.0 |
| SIPROTEC 5 7SD84 | CP200 | All versions |
| SIPROTEC 5 7SD86 | CP200 | All versions |
| SIPROTEC 5 7SD86 | CP300 | ≥ 7.80, < 11.0 |
| SIPROTEC 5 7SD87 | CP200 | All versions |
| SIPROTEC 5 7SD87 | CP300 | ≥ 7.80, < 11.0 |
| SIPROTEC 5 7SJ81 | CP100 | ≥ 7.80 |
| SIPROTEC 5 7SJ81 | CP150 | < 11.0 |
| SIPROTEC 5 7SJ82 | CP100 | ≥ 7.80 |
| SIPROTEC 5 7SJ82 | CP150 | < 11.0 |
| SIPROTEC 5 7SJ85 | CP200 | All versions |
| SIPROTEC 5 7SJ85 | CP300 | ≥ 7.80, < 11.0 |
| SIPROTEC 5 7SJ86 | CP200 | All versions |
| SIPROTEC 5 7SJ86 | CP300 | ≥ 7.80, < 11.0 |
| SIPROTEC 5 7SK82 | CP100 | ≥ 7.80 |
| SIPROTEC 5 7SK82 | CP150 | < 11.0 |
| SIPROTEC 5 7SK85 | CP200 | All versions |
| SIPROTEC 5 7SK85 | CP300 | ≥ 7.80, < 11.0 |
| SIPROTEC 5 7SL82 | CP100 | ≥ 7.80 |
| SIPROTEC 5 7SL82 | CP150 | < 11.0 |
| SIPROTEC 5 7SL86 | CP200 | All versions |
| SIPROTEC 5 7SL86 | CP300 | ≥ 7.80, < 11.0 |
| SIPROTEC 5 7SL87 | CP200 | All versions |
| SIPROTEC 5 7SL87 | CP300 | ≥ 7.80, < 11.0 |
| SIPROTEC 5 7SS85 | CP200 | All versions |
| SIPROTEC 5 7SS85 | CP300 | ≥ 7.80, < 11.0 |
| SIPROTEC 5 7ST85 | CP200 | All versions |
| SIPROTEC 5 7ST85 | CP300 | ≥ 7.80, < 11.0 |
| SIPROTEC 5 7ST86 | CP300 | < 11.0 |
| SIPROTEC 5 7SX82 | CP150 | < 11.0 |
| SIPROTEC 5 7SX85 | CP300 | < 11.0 |
| SIPROTEC 5 7SY82 | CP150 | < 11.0 |
| SIPROTEC 5 7UM85 | CP300 | ≥ 7.80, < 11.0 |
| SIPROTEC 5 7UT82 | CP100 | ≥ 7.80 |
| SIPROTEC 5 7UT82 | CP150 | < 11.0 |
| SIPROTEC 5 7UT85 | CP200 | All versions |
| SIPROTEC 5 7UT85 | CP300 | ≥ 7.80, < 11.0 |
| SIPROTEC 5 7UT86 | CP200 | All versions |
| SIPROTEC 5 7UT86 | CP300 | ≥ 7.80, < 11.0 |
| SIPROTEC 5 7UT87 | CP200 | All versions |
| SIPROTEC 5 7UT87 | CP300 | ≥ 7.80, < 11.0 |
| SIPROTEC 5 7VE85 | CP300 | ≥ 7.80, < 11.0 |
| SIPROTEC 5 7VK87 | CP200 | All versions |
| SIPROTEC 5 7VK87 | CP300 | ≥ 7.80, < 11.0 |
| SIPROTEC 5 7VU85 | CP300 | < 11.0 |
| SIPROTEC 5 Compact 7SX800 | CP050 | < 11.0 |


## Impact Assessment

#### Potential Consequences
- Unauthorized Access: Attackers can hijack active sessions to gain access to sensitive operational data.
- Operational Disruption: While the flaw only allows read access, compromised sessions could be leveraged for further attacks, potentially disrupting industrial processes.
- Critical Infrastructure Risk: SIPROTEC 5 devices are deployed in power grids and critical manufacturing sectors worldwide. A successful attack could have cascading effects on energy distribution and industrial operations.

#### CVSS Metrics
- Base Score: 5.3 (Medium)
- Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
- Severity Breakdown:
  - Attack Vector (AV): Network (exploitable remotely)
  - Attack Complexity (AC): Low
  - Privileges Required (PR): None
  - User Interaction (UI): None
  - Scope (S): Unchanged
  - Confidentiality (C): Low
  - Integrity (I): None
  - Availability (A): None


## Mitigation Steps

Siemens has outlined the following recommendations to mitigate the risk posed by CVE-2024-54017:

1. Apply Updates:
   - Update affected devices to firmware version 11.0 or later as soon as patches are available.
   - Refer to Siemens' official support pages for update instructions:
     - SIPROTEC 5 Update Guide
     - SIPROTEC 5 CP300 Update
     - SIPROTEC 5 CP200 Update

2. Network Security:
   - Minimize Network Exposure: Ensure control system devices are not accessible from the internet.
   - Isolate Critical Systems: Locate control system networks behind firewalls and segment them from business networks.
   - Use Secure Remote Access: If remote access is required, use Virtual Private Networks (VPNs) with the latest security updates.

3. Operational Guidelines:
   - Follow Siemens' operational security guidelines to protect devices in industrial environments.
   - Implement multi-level redundant protection schemes to enhance grid resilience and minimize the impact of cyber incidents.

4. Monitor for Exploitation:
   - Monitor network traffic for unusual activity, such as repeated session ID requests, which may indicate brute-force attempts.
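Step 4 is easiest to act on with a concrete rule. The following added example (not from the page or Siemens) shows one way to implement it over web-server access logs: it flags any source that presents many distinct session identifiers that the server rejects within a short window, which is the signature of blind session-ID guessing. The log format, the sample lines and the thresholds are all constructed assumptions for the example; a real deployment would map them to whatever the device or a fronting proxy actually emits.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines: "<timestamp> <client ip> <method> <path> sid=<session id> <status>".
# 203.0.113.7 cycles through distinct session IDs that are all rejected; the
# other two clients behave normally (TEST-NET addresses, nothing real).
LOG_LINES = [
    "2024-05-15T10:00:01Z 203.0.113.7 GET /data sid=0000001a 401",
    "2024-05-15T10:00:01Z 203.0.113.7 GET /data sid=0000001b 401",
    "2024-05-15T10:00:02Z 203.0.113.7 GET /data sid=0000001c 401",
    "2024-05-15T10:00:02Z 203.0.113.7 GET /data sid=0000001d 401",
    "2024-05-15T10:00:03Z 203.0.113.7 GET /data sid=0000001e 401",
    "2024-05-15T10:00:03Z 203.0.113.7 GET /data sid=0000001f 200",
    "2024-05-15T10:00:05Z 192.0.2.10 GET /data sid=9f3c7a1e 200",
    "2024-05-15T10:00:09Z 192.0.2.10 GET /data sid=9f3c7a1e 200",
    "2024-05-15T10:02:00Z 192.0.2.11 GET /data sid=deadbeef 401",
]

REJECTED = {401, 403}


def parse_line(line: str):
    """Parse one constructed log line; return None for lines that do not fit."""
    fields = line.split()
    if len(fields) != 6 or not fields[4].startswith("sid="):
        return None
    try:
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        status = int(fields[5])
    except ValueError:
        return None
    return {"ts": ts, "ip": fields[1], "sid": fields[4][4:], "status": status}


def find_session_guessing(lines, threshold: int = 5, window: timedelta = timedelta(seconds=60)):
    """Return {client ip: peak count} for clients that presented at least
    `threshold` distinct rejected session IDs inside any `window`.
    A legitimate client re-sends the same ID; a guessing client cycles IDs."""
    rejected_by_ip = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event and event["status"] in REJECTED:
            rejected_by_ip[event["ip"]].append((event["ts"], event["sid"]))

    alerts = {}
    for ip, events in rejected_by_ip.items():
        events.sort()
        recent = deque()          # events inside the sliding window
        distinct = Counter()      # session id -> occurrences inside the window
        for ts, sid in events:
            recent.append((ts, sid))
            distinct[sid] += 1
            while recent and ts - recent[0][0] > window:
                _, old_sid = recent.popleft()
                distinct[old_sid] -= 1
                if distinct[old_sid] == 0:
                    del distinct[old_sid]
            if len(distinct) >= threshold:
                alerts[ip] = max(alerts.get(ip, 0), len(distinct))
    return alerts


if __name__ == "__main__":
    for ip, count in find_session_guessing(LOG_LINES).items():
        print(f"ALERT {ip}: {count} distinct rejected session IDs within 60s")
```

The rule keys on distinct rejected identifiers rather than raw request volume, so a busy but legitimate operator station (one valid ID, many requests) does not trip it. Because the flaw only needs read access to limited endpoints, a single 200 after a run of rejections, as in the sample, is the event worth escalating.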


## Conclusion

The CVE-2024-54017 vulnerability in Siemens SIPROTEC 5 devices highlights the ongoing risks faced by industrial control systems (ICS) in critical infrastructure. While the flaw is rated as medium severity, its potential impact on power grids and manufacturing sectors underscores the need for prompt patching and robust security measures.

Organizations using affected SIPROTEC 5 devices should prioritize updating to the latest firmware and implementing Siemens' recommended countermeasures. Additionally, adopting a defense-in-depth strategy—including network segmentation, secure remote access, and continuous monitoring—can significantly reduce the risk of exploitation.

For further inquiries, contact Siemens ProductCERT or visit their advisory page.

