Siemens SIRIUS Safety Relays and Modular Safety Systems Unencrypted Data Transmission Vulnerability

A vulnerability exists in Siemens SIRIUS 3RK3 Modular Safety System (MSS) and SIRIUS Safety Relays 3SK2, all versions, due to the absence of encryption for data in transit. This flaw allows an attacker with network access to intercept the connection and access sensitive information, including obfuscated safety passwords. These safety passwords are intended to protect against unauthorized operations but do not safeguard against malicious access attempts.

Impact

Exploitation of this vulnerability enables network eavesdropping, allowing interception of unencrypted data, including sensitive safety passwords, which could be de-obfuscated and misused.

Remediation

Siemens is working on fix versions for these vulnerabilities. In the meantime, it is recommended to limit physical access to affected devices to trusted personnel and ensure network isolation of the PROFINET interface to prevent access from unauthorized systems.