Siemens Scalance X200 IRT Multiple Vulnerabilities
Low Risk | ICS-CERT ICSA-13-169-01 | Mar 21, 2013
Summary
The Siemens Scalance X200 IRT family of industrial managed switches contains multiple vulnerabilities in input validation (CWE-20) and authentication bypass mechanisms (CWE-602). Affected devices running firmware below V5.1.0 can be exploited to bypass access controls or trigger denial of service conditions through malformed network packets. The vulnerabilities affect the X204IRT, X204IRT PRO, X202-2IRT, X202-2P IRT, X202-2P IRT PRO, X201-3P IRT, X201-3P IRT PRO, X200-4P IRT, and XF204IRT models.
What this means
What could happen
An attacker with network access to a vulnerable Scalance X200 IRT switch could send specially crafted network packets to bypass access controls or cause the device to fail, potentially disrupting communication between field devices and control systems in your facility.
Who's at risk
This affects industrial network switches (Scalance X200 IRT series) used in water treatment, power distribution, and manufacturing facilities to connect field devices like sensors, PLCs, and RTUs to control networks. Any facility using these switches for real-time or safety-critical communications should review their environment.
How it could be exploited
An attacker on the same network as the switch sends malformed packets or specially crafted requests that exploit input validation flaws (CWE-20) or bypass authentication checks (CWE-602). The switch processes these packets incorrectly, either granting unauthorized access or causing a denial of service that cuts off data flow between PLCs, RTUs, and your control room.
Prerequisites
- Network access to the Scalance X200 IRT switch
- The switch is running firmware version below V5.1.0
- No patch available for most versions
- Multiple authentication/input validation flaws
- Affects network switching infrastructure
- Low exploit probability but multiple pathways
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (9)
9 with fix, 9 EOL

| Product | Affected Versions | Fix Status |
|---|---|---|
| SCALANCE X204IRT | <V5.1.0 | V5.1.0 |
| SCALANCE X202-2IRT | <V5.1.0 | V5.1.0 |
| SCALANCE X202-2P IRT | <V5.1.0 | V5.1.0 |
| SCALANCE X201-3P IRT | <V5.1.0 | V5.1.0 |
| SCALANCE X201-3P IRT PRO | <V5.1.0 | V5.1.0 |
| SCALANCE X200-4P IRT | <V5.1.0 | V5.1.0 |
| SCALANCE XF204IRT | <V5.1.0 | V5.1.0 |
| SCALANCE X204IRT PRO | <V5.1.0 | V5.1.0 |
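To triage an asset inventory against the affected models and the V5.1.0 threshold listed in this advisory, the following is an added example, not part of the original advisory or any Siemens tooling. The CSV column names (`host`, `model`, `firmware`), the function names, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
import re

# Affected models as named in the advisory, normalized (no spaces, upper case).
AFFECTED = {re.sub(r"\s+", "", m).upper() for m in (
    "X204IRT", "X204IRT PRO", "X202-2IRT", "X202-2P IRT", "X202-2P IRT PRO",
    "X201-3P IRT", "X201-3P IRT PRO", "X200-4P IRT", "XF204IRT")}
FIXED = (5, 1, 0)  # first fixed firmware per the advisory: V5.1.0

def norm_model(name):
    """Drop an optional SCALANCE prefix and all whitespace, upper-case the rest."""
    name = re.sub(r"^\s*SCALANCE\s+", "", name, flags=re.I)
    return re.sub(r"\s+", "", name).upper()

def parse_fw(text):
    """Parse 'V5.0.2', 'v05.01.00' or '4.9' into a 3-tuple; None if unparseable."""
    m = re.fullmatch(r"\s*[Vv]?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None

def triage(inventory_csv):
    """Return {host: status} for inventory rows whose model is in the advisory."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if norm_model(row["model"]) not in AFFECTED:
            continue  # model not covered by this advisory
        fw = parse_fw(row["firmware"])
        if fw is None:
            result[row["host"]] = "REVIEW"  # version unknown: verify on the device
        elif fw < FIXED:
            result[row["host"]] = "VULNERABLE"
        else:
            result[row["host"]] = "OK"
    return result

# Constructed sample inventory; host names and versions are illustrative only.
SAMPLE = """host,model,firmware
sw-line1,SCALANCE X204IRT,V5.0.2
sw-line2,scalance x202-2p irt pro,v05.01.00
sw-pump3,XF204IRT,unknown
sw-core,SCALANCE X308-2,V4.1.0
sw-line4,X201-3P IRT,4.9
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Rows marked REVIEW have a firmware string the parser could not read and should be checked on the device rather than assumed safe.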
Remediation & Mitigation
Do now
HARDENING: Isolate vulnerable Scalance X200 IRT switches from untrusted networks using a firewall or network segmentation; restrict access to management and data ports to authorized engineering workstations and control systems only.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption.
HOTFIX: If available, upgrade SCALANCE X200 IRT switches to firmware V5.1.0 or later in a planned maintenance window.
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SCALANCE X204IRT: <V5.1.0, SCALANCE X202-2IRT: <V5.1.0, SCALANCE X202-2P IRT: <V5.1.0, SCALANCE X201-3P IRT: <V5.1.0, SCALANCE X201-3P IRT PRO: <V5.1.0, SCALANCE X200-4P IRT: <V5.1.0, SCALANCE XF204IRT: <V5.1.0, SCALANCE X204IRT PRO: <V5.1.0, SCALANCE X202-2P IRT PRO: <V5.1.0. Apply the following compensating controls:
HARDENING: Monitor network traffic to and from the switch for suspicious packets or unusual access attempts; set up alerts for failed authentication or connection attempts.
CVEs (2)