Siemens SIRIUS Safety Relays and Modular Safety Systems Weak Password Obfuscation Vulnerability

Vulnerability

A vulnerability exists in Siemens SIRIUS 3RK3 Modular Safety System (MSS) and SIRIUS Safety Relays 3SK2, all versions. The issue stems from weak password obfuscation, allowing an attacker with network access to retrieve and de-obfuscate safety passwords. These passwords are intended to protect against inadvertent operating errors but do not safeguard against malicious access attempts.

Impact

Exploitation of this vulnerability allows for the retrieval and de-obfuscation of safety passwords, which could lead to unauthorized operation by bypassing safeguards against inadvertent operating errors.

Remediation

Siemens is preparing fixed versions for these products. In the meantime, it is recommended to limit physical access to affected devices, ensure network isolation of the PROFINET interface from unauthorized systems, and follow Siemens' operational guidelines for Industrial Security.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.