Memory Corruption Vulnerability in Siemens EN100 Ethernet Modules
CVE-2022-30937

7.5HIGH

Key Information:

Vendor
Siemens
Status
En100 Ethernet Module Dnp3 Ip Variant
En100 Ethernet Module Iec 104 Variant
En100 Ethernet Module Iec 61850 Variant
En100 Ethernet Module Modbus Tcp Variant
Vendor
CVE Published:
14 June 2022

Summary

A memory corruption vulnerability exists in various Siemens EN100 Ethernet modules when processing specially crafted HTTP packets sent to the /txtrace endpoint. Successful exploitation of this vulnerability could lead to application crashes, resulting in a denial of service. All versions of affected modules, including those for DNP3, IEC 104, Modbus TCP, and PROFINET IO, are susceptible, with particular versions of the IEC 61850 module being especially at risk. Users are advised to implement mitigation strategies to protect their network infrastructures.

Affected Version(s)

EN100 Ethernet module DNP3 IP variant All versions

EN100 Ethernet module IEC 104 variant All versions

EN100 Ethernet module IEC 61850 variant All versions < V4.37

References

https://cert-portal.siemens.com/productcert/pdf/ssa-69355...
x_refsource_MISC

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.