Siemens SCALANCE X (Update D)
Monitor · 5.4 · ICS-CERT ICSA-19-085-01 · Mar 12, 2019
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A vulnerability in SCALANCE X network switches allows an attacker to inject traffic into a network via the mirror port when the monitor barrier feature is enabled. This bypasses the intended isolation of mirrored traffic, potentially allowing an attacker to send crafted packets into the network segment being monitored. The vulnerability affects multiple models across the SCALANCE X200, X300, X400, XB, XC, XF, XP, and XR product lines.
What this means
What could happen
An attacker on a mirrored network segment could inject malicious traffic into the monitored network, potentially compromising connected industrial devices or disrupting normal operations. This could allow manipulation of control logic or data on devices connected to the affected switch.
Who's at risk
Water utilities and electric utilities with SCALANCE X managed switches in their network infrastructure, particularly those using port mirroring for network monitoring or traffic capture on industrial network segments. This affects anyone using these switches to connect and isolate critical control networks (SCADA systems, RTU networks, PLC communications).
How it could be exploited
An attacker would need to be connected to a network port that is mirrored to the monitor (mirror) port when the monitor barrier feature is enabled. The attacker would then send crafted packets to the mirror port, which would be forwarded into the monitored network segment, bypassing the intended traffic isolation. This allows injection of arbitrary frames into the production network.
Prerequisites
- Access to a network port that is configured as a mirror source port
- Monitor barrier feature must be enabled on the mirror port
- Ability to craft and send Layer 2 frames to the mirror port
Remotely exploitable from mirrored network segment · Low attack complexity · No authentication required if attacker has network access · Affects network infrastructure connecting safety systems · Default behavior (monitor barrier) may be enabled
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (117)
117 with fix
Product | Affected Versions | Fix Status
SCALANCE X224 | <V5.2.6 | 5.2.6
SCALANCE X302-7 EEC (230V, coated) | <V4.1.3 | 4.1.3
SCALANCE X302-7 EEC (230V) | <V4.1.3 | 4.1.3
SCALANCE X302-7 EEC (24V, coated) | <V4.1.3 | 4.1.3
SCALANCE X302-7 EEC (24V) | <V4.1.3 | 4.1.3
Remediation & Mitigation
Do now
WORKAROUND: Disable the monitor barrier feature if port mirroring is not actively in use, or restrict physical access to mirror ports in the network closet
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SCALANCE X204-2
HOTFIX: Update SCALANCE X204-2, X204-2FM, X204-2LD, X204-2LD TS, X204-2TS, X206-1, X206-1LD, X208, X208PRO, X212-2, X212-2LD, X216, and X224 to firmware version 5.2.6 or later
All products
HOTFIX: Update all other affected SCALANCE X models (X302-7 EEC, X304-2FE, X306-1LD FE, X307-x, X308-x, X310, X320-1, X408-2, XB20x, XB21x, XC20x, XC21x, XF20x, XP20x, XR32x, SIPLUS NET variants) to firmware version 4.1.3 or 4.1 (depending on model) or later
Long-term hardening
HARDENING: Implement network access controls and port security to prevent unauthorized devices from connecting to mirror source ports
CVEs (1)