OTPulse

Siemens SCALANCE X Switches, RUGGEDCOM WiMAX, RFID 181-EIP, and SIMATIC RF182C (Update D)

Plan Patch · CVSS v3 base score: 7.5 · ICS-CERT ICSA-18-165-01 · Jun 12, 2018
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

These Siemens industrial switches and RFID readers contain a buffer overflow in their handling of incoming network packets. An attacker on the same network segment can send specially crafted packets that corrupt memory on the device, causing it to crash or potentially execute arbitrary code. The affected devices are managed Ethernet switches that interconnect PLCs and field devices in industrial plants, a WiMAX base-station product, and RFID asset-tracking readers. SCALANCE X-200, X-200IRT, X-200RNA, X-300, and X408 switches are vulnerable in all firmware versions prior to their respective fixed versions. RUGGEDCOM WiMAX (WIN) devices running versions 4.4 through 5.1 are affected. SIMATIC RF182C and RFID 181-EIP are end-of-life products; Siemens is not issuing patches and recommends migration to the successor RF18xC/CI products, version 1.3 or later. SCALANCE X-414 has no patch available.

What this means
What could happen
An attacker on the same network segment could corrupt memory on these switches and RFID devices, causing them to crash, drop off the network, or execute attacker-supplied code. Because the switches carry the traffic between PLCs, field devices, and engineering workstations, a crashed or compromised switch interrupts that communication and can disrupt plant operations.
Who's at risk
Siemens switch and RFID device operators, including municipal water and electric utilities, who deploy SCALANCE X-200, X-200IRT, X-200RNA, X-300, X408 industrial Ethernet switches; RUGGEDCOM WiMAX devices; or SIMATIC RF182C and RFID 181-EIP RFID readers in control networks. Any facility using these devices for network connectivity or asset tracking in industrial environments should review their inventory.
How it could be exploited
An attacker with access to the same Layer 2 network segment (for example, an engineering VLAN, or a compromised device already on that segment) sends specially crafted packets to the switch or RFID device. The vulnerable packet-processing path requires no authentication, so the device parses the malformed data and overruns a memory buffer. The most likely outcome is a crash (denial of service); turning the overflow into code execution on the device requires a skilled attacker, which is why the complexity is rated High.
Prerequisites
  • Network access to the same Layer 2 network segment as the affected device (adjacency required)
  • No authentication or credentials needed
  • Device must be operating and responding to network traffic
  • High attacker skill level to trigger controlled exploitation
  • Exploitable from the same network segment (Layer 2 adjacency); not exploitable from the Internet unless the device is exposed
  • No authentication required
  • High skill required for controlled exploitation
  • End-of-life products (RFID 181EIP, SIMATIC RF182C) with no fix available
  • SCALANCE X-414 has no fix available
  • Low EPSS score, but a buffer overflow can cause denial of service or code execution
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (9)
6 with fix, 3 EOL

Product | Affected versions | Fix status
RFID 181EIP | All versions | No fix (EOL)
RUGGEDCOM WIN (WiMAX) | V4.4, V4.5, V5.0, V5.1 | V5.2
SCALANCE X-200 switch family (incl. SIPLUS NET variants) | All < V5.2.3 | V5.2.3
SCALANCE X-200IRT switch family | All < V5.4.1 | V5.4.1
SCALANCE X-200RNA switch family | All < V3.2.6 | V3.2.6
SCALANCE X-300 switch family (incl. SIPLUS NET variants) | All < V4.1.3 | V4.1.3
SCALANCE X408 | All < V4.1.3 | V4.1.3
SCALANCE X414 | All versions | No fix
SIMATIC RF182C | All versions | No fix (EOL)
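The table above is what an asset owner needs to turn into a patch list. The following script is an added example (not part of this page or of any Siemens tooling): it transcribes the affected and fixed versions into a lookup, compares firmware versions numerically (so V5.2 is correctly read as older than V5.2.3), and triages a constructed inventory into PATCH, MITIGATE (affected, no fix), OK, or UNKNOWN. The product names used as keys are normalized forms of the table's names, and the hostnames and firmware versions in the inventory are made up for the example.

```python
import csv
import io
import re

# Affected ranges transcribed from the advisory table on this page.
# Each entry is (lowest affected version, or None for "all versions",
#                fixed version, or None when no fix exists).
# A None fixed version means the device can only be mitigated
# (cell protection / segmentation), not patched.
AFFECTED = {
    "SCALANCE X-200":    (None, "V5.2.3"),
    "SCALANCE X-200IRT": (None, "V5.4.1"),
    "SCALANCE X-200RNA": (None, "V3.2.6"),
    "SCALANCE X-300":    (None, "V4.1.3"),
    "SCALANCE X408":     (None, "V4.1.3"),
    "SCALANCE X414":     (None, None),
    "RUGGEDCOM WIN":     ("V4.4", "V5.2"),
    "RFID 181EIP":       (None, None),
    "SIMATIC RF182C":    (None, None),
}


def parse_version(s):
    """'V5.2.3' -> (5, 2, 3). Rejects anything that is not a dotted number."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", s.strip())
    if not m:
        raise ValueError(f"unparsable firmware version: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def cmp_version(a, b):
    """-1, 0 or 1; short tuples are zero-padded so V5.2 == V5.2.0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def assess(product, firmware):
    """Classify one device against the table."""
    if product not in AFFECTED:
        return "UNKNOWN"                 # not covered by this advisory
    low, fixed = AFFECTED[product]
    if low is not None and cmp_version(firmware, low) < 0:
        return "OK"                      # below the listed affected range
    if fixed is None:
        return "MITIGATE"                # affected, no fix: compensating controls
    return "OK" if cmp_version(firmware, fixed) >= 0 else "PATCH"


# Constructed inventory for the example; not real plant data.
INVENTORY_CSV = """hostname,product,firmware
sw-cell1-01,SCALANCE X-200,V5.2.2
sw-cell1-02,SCALANCE X-200,V5.2.3
sw-ring-01,SCALANCE X-200RNA,V3.1.0
sw-core-01,SCALANCE X414,V3.10.1
win-bs-01,RUGGEDCOM WIN,V5.1
win-bs-02,RUGGEDCOM WIN,V4.3
rfid-dock-01,SIMATIC RF182C,V1.0
fw-edge-01,Some Other Vendor,V1.0
"""


def triage(inventory_csv=INVENTORY_CSV):
    """Return {hostname: verdict} for every inventory row."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["hostname"]: assess(r["product"], r["firmware"]) for r in rows}


if __name__ == "__main__":
    # Group by verdict so the PATCH list feeds the maintenance window and
    # the MITIGATE list feeds the segmentation work.
    for host, verdict in sorted(triage().items(), key=lambda kv: (kv[1], kv[0])):
        print(f"{verdict:9} {host}")
```

The RUGGEDCOM WIN entry keeps a lower bound because the page lists only V4.4 through V5.1 as affected; a device below that range is reported OK rather than PATCH, which is a table transcription choice and not a statement that older firmware is safe. In practice, feed the script an export from your asset inventory or switch management tool instead of the embedded CSV.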
Remediation & Mitigation
Do now
WORKAROUND: Configure switches and RFID devices with static IP addresses instead of DHCP, so that the devices do not process DHCP responses during initialization. This only reduces exposure on that path; it does not remove the underlying overflow, so the patch or the compensating network controls are still required.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update RUGGEDCOM WIN to version 5.2 or later
HOTFIX: Update SCALANCE X-200 to version 5.2.3 or later
HOTFIX: Update SCALANCE X-200IRT to version 5.4.1 or later
HOTFIX: Update SCALANCE X-200RNA to version 3.2.6 or later
HOTFIX: Update SCALANCE X-300 and X408 to version 4.1.3 or later
HOTFIX: Migrate SIMATIC RF182C and RFID 181EIP to successor products in the SIMATIC RF18xC/CI family, version 1.3 or later
Mitigations - no patch available
The following products have no planned fix (RFID 181EIP and SIMATIC RF182C are end of life; SCALANCE X414 has no patch available): RFID 181EIP, all versions; SCALANCE X414, all versions; SIMATIC RF182C, all versions. Apply the following compensating controls:
HARDENING: Apply the cell protection concept: restrict network access to switch management interfaces and RFID devices to authorized engineering workstations only, and keep untrusted devices off the Layer 2 segment the affected devices sit on, since adjacency is all the attacker needs.
HARDENING: Implement network segmentation: isolate industrial switches and RFID infrastructure on VLANs separate from the business network, and ensure the devices are not reachable from the Internet.