Siemens Industrial Products DROWN Vulnerability (Update C)

Act NowCVSS 4ICS-CERT ICSA-16-103-03CJan 14, 2016

SiemensManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

The DROWN vulnerability affects multiple Siemens industrial network switches: SCALANCE X300, X414, X200 (including IRT and RNA variants), and ROX I. These devices support the SSLv2 encryption protocol, which is cryptographically broken. An attacker can downgrade TLS connections to SSLv2, decrypt previously captured traffic, or read secrets from the device. This affects secure management interfaces used to configure and monitor these network switches. No firmware updates are available from Siemens for any affected product line.

What this means

What could happen

An attacker could eavesdrop on encrypted TLS/SSL communications to these industrial switches by exploiting a weak encryption fallback mechanism, potentially exposing sensitive control traffic or credentials used by engineering workstations and HMIs.

Who's at risk

Manufacturing facilities using Siemens SCALANCE industrial network switches (X300, X414, X200 families) and ROX I devices for plant network segmentation, data acquisition, or remote engineering access. This affects any plant that manages these switches remotely over encrypted connections and relies on them to protect sensitive control network traffic.

How it could be exploited

An attacker with network access to port 443 or other TLS-protected services on these industrial network switches can perform a man-in-the-middle attack by forcing the device to downgrade to the weak SSLv2 protocol (DROWN), then decrypt captured encrypted traffic offline using known SSLv2 weaknesses.

Prerequisites

Network access to TLS/SSL ports on the affected switch
Ability to intercept network traffic or position as man-in-the-middle
The switch must have SSLv2 enabled or supported

Remotely exploitableNo authentication required to attempt downgrade attackHigh EPSS score (90.3%)No patch available for any affected productAll versions of ROX I vulnerable

Exploitability

Likely to be exploited — EPSS score 90.4%

Metasploit module available — weaponized exploitView module ↗

Public Proof-of-Concept (PoC) on GitHub (1 repository)

Affected products (6)

6 EOL

ProductAffected VersionsFix Status

SCALANCE X300 family: <V4.1.0<V4.1.0No fix (EOL)

SCALANCE X414: <V3.10.2<V3.10.2No fix (EOL)

SCALANCE X200 IRT family: <V5.3.0<V5.3.0No fix (EOL)

SCALANCE X200 RNA family: <V3.2.5<V3.2.5No fix (EOL)

SCALANCE X200 family: <V5.2.2<V5.2.2No fix (EOL)

ROX I: vers:all/*All versionsNo fix (EOL)

Remediation & Mitigation

0/4

Do now

0/2

HARDENINGDisable SSLv2 and use TLS 1.2 or later on all industrial network switches through device configuration or firewall filtering

WORKAROUNDRestrict network access to management ports (port 443, HTTPS) on affected switches using firewall rules; only allow connections from authorized engineering workstations and management subnets

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HARDENINGMonitor network traffic for SSLv2 connection attempts to these devices and alert on downgrade attacks

Long-term hardening

0/1

HOTFIXReplace affected SCALANCE and ROX devices with newer models that support modern TLS versions when operationally feasible

CVEs (1)

CVE-2016-0800

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/131fdf01-32d1-41b8-a144-89c755be0c78

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.