Siemens SCALANCE X (Update B)
Plan Patch | 7.1 | ICS-CERT ICSA-19-162-04 | Jun 11, 2019
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SCALANCE X-series industrial Ethernet switches contain an inadequate cryptographic strength vulnerability (CWE-257) that allows local attackers to read sensitive configuration data. The vulnerability affects SCALANCE X-200, X-200IRT, X-300, X-408, and X-414-3E switches. Configuration backups, archived configuration data, and configuration modules (C-PLUG) can be accessed by an attacker with local access, potentially exposing network architecture, credentials, or system settings. The SCALANCE X-414-3E has no patch planned and requires migration to newer product lines.
What this means
What could happen
An attacker with physical access to a Siemens SCALANCE switch can extract stored configuration data, which may contain sensitive network settings, credentials, or other information that could facilitate further compromise of the industrial network.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using Siemens SCALANCE X-series industrial Ethernet switches for network connectivity in control systems and SCADA networks. Specifically affects SCALANCE X-200, X-200IRT, X-300, X-408, and X-414-3E switch models.
How it could be exploited
An attacker with local access to the switch could read configuration backups, retrieve archived device configuration data through enabled retrieval mechanisms, or access the configuration via the C-PLUG module. The extracted configuration could reveal network topology, access credentials, or other sensitive data used to plan further attacks.
Prerequisites
- Physical access to the switch
- Access to configuration backup files or retrieval mechanisms
- Possible access to C-PLUG module if installed
- Affects industrial network switches (critical infrastructure)
- Local/physical access required (reduces but does not eliminate risk in facility environments)
- Low complexity attack if physical access is gained
- No patch available for SCALANCE X-414-3E
- Configuration data exposure could enable lateral movement
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (4)
3 with fix, 1 EOL
Product | Affected Versions | Fix Status
SCALANCE X-200 switch family (incl. SIPLUS NET variants) | All < V5.2.4 | 5.2.4
SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) | All < V5.5.0 | 5.5.0
SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) | All < V4.1.3 | 4.1.3
SCALANCE X-414-3E | All versions | No fix (EOL)
Remediation & Mitigation
Do now
- WORKAROUND: Restrict physical and logical access to configuration backups and archived device configuration data
- WORKAROUND: Disable or restrict network access to configuration retrieval mechanisms if not required for operations
- HARDENING: Restrict physical access to the C-PLUG configuration module
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update SCALANCE X-200 switches to firmware version 5.2.4 or later
- HOTFIX: Update SCALANCE X-200IRT switches to firmware version 5.5.0 or later
- HOTFIX: Update SCALANCE X-300 switches to firmware version 4.1.3 or later
Long-term hardening
- HOTFIX: For SCALANCE X-414-3E (no patch available): Migrate to the SCALANCE XM-400 product line
CVEs (1)