ICSA-18-317-04 Siemens SCALANCE S
Monitor | 4.7 | ICS-CERT ICSA-18-317-04 | Nov 13, 2018
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary
SCALANCE S industrial switches contain a cross-site scripting (XSS) vulnerability in the web-based administration interface. An attacker can inject malicious scripts that execute when an authorized administrator visits a specially crafted link while managing the device. This could allow unauthorized modification of device settings or theft of administrator credentials. The vulnerability affects SCALANCE S602, S612, S623, and S627-2M models running firmware versions prior to 4.0.1.1.
What this means
What could happen
An attacker could inject malicious scripts into the SCALANCE S web administration interface, allowing them to manipulate device settings or intercept administrator credentials if an authorized user visits a malicious link from a compromised device.
Who's at risk
Network administrators and operations staff at water utilities and power authorities who manage SCALANCE S612, S623, S627-2M, or S602 industrial switches used for secure network segmentation in control system environments.
How it could be exploited
An attacker crafts a malicious link containing injected script code and tricks an authorized administrator into clicking it while managing the SCALANCE S device through the web browser. When the link is opened in the same browser session used to access the device's administration interface, the injected script executes in the context of that session, enabling credential theft or unauthorized configuration changes.
Prerequisites
- Access to the SCALANCE S web administration interface from a browser
- Administrator must visit a malicious link from an untrusted source while the browser session to the device is active
- Browser configured to allow JavaScript execution
- Remotely exploitable via web browser
- Requires user interaction (social engineering)
- Low complexity attack
- High skill level needed to craft effective payload
- Low EPSS score indicates minimal practical exploit probability
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
SCALANCE S602 | <V4.0.1.1 | V4.0.1.1
SCALANCE S612 | <V4.0.1.1 | V4.0.1.1
SCALANCE S623 | <V4.0.1.1 | V4.0.1.1
SCALANCE S627-2M | <V4.0.1.1 | V4.0.1.1
Remediation & Mitigation
Do now
WORKAROUND: Instruct administrative staff to only access the SCALANCE S web interface from trusted links and avoid clicking links from untrusted sources while managing the device
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SCALANCE S602
HOTFIX: Update SCALANCE S602, S612, S623, and S627-2M to firmware version 4.0.1.1 or later
Long-term hardening
HARDENING: Restrict network access to the SCALANCE S administration web interface using firewall rules to authorized management workstations only
HARDENING: Segment the SCALANCE S devices onto a separate management network not accessible from general user workstations or the internet
CVEs (1)