OTPulse

Siemens SCALANCE X-200 Authentication Bypass Vulnerability

Risk: Low | Reference: ICS-CERT ICSA-13-274-01 | Date: Jul 4, 2013
Summary

SCALANCE X-200 and X-200IRT industrial Ethernet switches contain an authentication bypass vulnerability (CWE-592) in firmware versions prior to V4.5.0 and V5.1.0 respectively. The vulnerability allows unauthenticated attackers with network access to bypass authentication controls and gain unauthorized access to switch management functions, potentially allowing reconfiguration of network settings, modification of VLAN assignments, or disruption of industrial network traffic. No firmware patches are available from Siemens; these are end-of-life product lines.

What this means
What could happen
An unauthenticated attacker with network access to the SCALANCE X-200 switch could bypass authentication controls and reconfigure network settings, potentially disrupting communication between critical control systems and plant field devices.
Who's at risk
Water utilities and electric utilities that rely on Siemens SCALANCE X-200 industrial Ethernet switches for control network connectivity. These switches are commonly used in manufacturing, water treatment plants, and power distribution to connect programmable logic controllers (PLCs), remote terminal units (RTUs), and SCADA systems. The vulnerability affects all X-200 family firmware versions prior to V4.5.0 and all X-200IRT firmware versions prior to V5.1.0.
How it could be exploited
An attacker sends specially crafted requests to the switch management interface on the network. By bypassing the authentication mechanism (CWE-592), the attacker gains unauthorized access to configuration and management functions without providing valid credentials, allowing them to alter switch settings, access restricted information, or interrupt industrial network traffic.
Prerequisites
  • Network access to the SCALANCE X-200 switch management interface (typically TCP port 80 or 443)
  • The switch must be running vulnerable firmware versions (X-200 <V4.5.0 or X-200IRT <V5.1.0)
  • No valid user credentials are required
Key characteristics
  • Authentication bypass vulnerability
  • Remotely exploitable
  • No authentication required
  • Low attack complexity
  • No vendor patch available (end-of-life product line)
  • Affects industrial network infrastructure
Exploitability
Moderate exploit probability (EPSS 1.5%)
Affected products (4, all end-of-life)
Product, affected versions and fix status:
  • SCALANCE X-200 switch family firmware: <V4.5.0. Fix status: no fix (EOL)
  • SCALANCE X-200IRT Isochronous Real-Time switch family firmware: <V5.1.0. Fix status: no fix (EOL)
  • SCALANCE X-200IRT MLFBs (no fix, EOL): 6GK5201-3JR00-2BA6|6GK5204-0BA00-2BF2|6GK5204-0JA00-2BA6|6GK5202-2JR00-2BA6|6GK5202-2BH00-2BA3|6GK5201-3BH00-2BA3|6GK5200-4AH00-2BA3|6GK5202-2BB00-2BA3|6GK5204-0BA00-2BA3
  • SCALANCE X-200 MLFBs (no fix, EOL): 6GK5224-0BA00-2AA3|6GK5216-0BA00-2AA3|6GK5212-2BB00-2AA3|6GK5212-2BC00-2AA3|6GK5208-0BA10-2AA3|6GK5206-1BB10-2AA3|6GK5206-1BC10-2AA3|6GK5204-2BB10-2AA3|6GK5204-2BC10-2AA3|6GK5208-0HA10-2AA6|6GK5204-0BA00-2AF2|6GK5208-0BA00-2AF2|6GK5206-1BC00-2AF2|6GK5204-2BC00-2AF2|6GK5204-2BB10-2CA2
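Because the two product lines have different fixed-in versions (X-200 at V4.5.0, X-200IRT at V5.1.0), an inventory sweep has to resolve the family before comparing firmware. The following Python check is an added example, not code from OTPulse or Siemens; it assumes inventory rows of (hostname, product, firmware), that X-200 family devices are recognisable by the family name or an X2xx model number with IRT variants carrying "IRT" in the name, and uses constructed sample rows.

```python
"""Inventory check for the version thresholds in this advisory (constructed example).
X-200 firmware below V4.5.0 and X-200IRT firmware below V5.1.0 are affected; the
X-200IRT threshold is higher, so the family must be resolved before comparing."""
import re

# Fixed-in versions per family, taken from the advisory text.
FIXED_IN = {"X-200IRT": (5, 1, 0), "X-200": (4, 5, 0)}
# Accepts 'V4.4.2', 'v4.5' or '4.5.0'; a missing patch digit counts as 0.
_VER_RE = re.compile(r"^V?(\d+)\.(\d+)(?:\.(\d+))?$", re.IGNORECASE)
# Assumed naming: family name 'X-200' or a model number such as X208 / X204IRT.
_FAMILY_RE = re.compile(r"X-?2\d\d")

def parse_version(text):
    """Return a comparable (major, minor, patch) tuple, or None if unparseable."""
    m = _VER_RE.match(text.strip())
    if not m:
        return None
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))

def classify(product, firmware):
    """Return 'affected', 'not-affected', 'unknown-version' or 'out-of-scope'."""
    name = product.upper()
    if not _FAMILY_RE.search(name):
        return "out-of-scope"          # e.g. X-300 or non-SCALANCE devices
    family = "X-200IRT" if "IRT" in name else "X-200"
    ver = parse_version(firmware)
    if ver is None:
        return "unknown-version"       # needs a manual check; do not assume safe
    return "affected" if ver < FIXED_IN[family] else "not-affected"

def audit(inventory):
    """inventory: iterable of (hostname, product, firmware) -> [(hostname, verdict)]."""
    return [(host, classify(product, fw)) for host, product, fw in inventory]

# Constructed sample rows; hostnames and versions are not from any real site.
SAMPLE_INVENTORY = [
    ("sw-plant-01", "SCALANCE X208", "V4.4.2"),       # X-200 below V4.5.0
    ("sw-plant-02", "SCALANCE X208", "V4.5.0"),       # at the fixed version
    ("sw-irt-01", "SCALANCE X204IRT", "V5.0.1"),      # X-200IRT below V5.1.0
    ("sw-irt-02", "SCALANCE X202-2IRT", "V4.6.0"),    # would pass an X-200-only check
    ("sw-irt-03", "SCALANCE X204IRT", "v5.1"),        # at the fixed version
    ("sw-core-01", "SCALANCE X308-2", "V4.0.0"),      # X-300 family, not in scope
    ("sw-plant-03", "SCALANCE X208", "unknown"),      # version not recorded
]

if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_INVENTORY):
        print(f"{host:12} {verdict}")
```

The "unknown-version" verdict is deliberate: a device whose firmware was never recorded should be queued for a manual check rather than silently treated as patched.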
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation: restrict Layer 3 access to the SCALANCE X-200 switch management interface to only authorized engineering workstations or control network subnets using firewall rules or access control lists.
WORKAROUND: Disable remote management protocols (HTTP/HTTPS) on the switch if not actively used; enable only when needed for local console or out-of-band management.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HARDENING: If available, enable IP address filtering or MAC-based access control on the switch to permit management traffic only from known engineering systems.
Mitigations - no patch available
All four affected product entries listed above (X-200 switch family firmware <V4.5.0, X-200IRT Isochronous Real-Time switch family firmware <V5.1.0, and the corresponding X-200IRT and X-200 MLFBs) have reached End of Life with no planned fix. Apply the following compensating controls:
HARDENING: Monitor switch logs and network access for unauthorized login attempts or configuration changes.
API: /api/v1/advisories/1167a958-b0c8-4247-84b3-5e2ba0af62a3