ICSA-19-225-03_Siemens SCALANCE X Switches (Update D)
Plan Patch
CVSS 8.6
ICS-CERT ICSA-19-225-03
Aug 13, 2019
Siemens
Attack path
- Attack Vector: Network
- Auth Required: None
- Complexity: Low
- User Interaction: None needed
Summary
Siemens SCALANCE X-200 and X-200IRT managed Ethernet switches contain a denial-of-service vulnerability in the telnet service that allows an unauthenticated, remote attacker to crash or cause unresponsive behavior in the switch, disrupting network connectivity and potentially affecting downstream control devices.
What this means
What could happen
An attacker can remotely crash a SCALANCE switch or make it unresponsive, cutting off network access to connected PLCs, RTUs, and field devices. This could halt manufacturing, water treatment, or electrical distribution until the device restarts.
Who's at risk
Water authorities, electric utilities, and manufacturing facilities using Siemens SCALANCE X-200 or X-200IRT managed switches as backbone network infrastructure. These switches typically connect PLCs, RTUs, field devices, and operator workstations. Any critical process relying on network connectivity to these devices is at risk.
How it could be exploited
An attacker sends specially crafted packets to the telnet service (port 23/TCP) on the SCALANCE switch. No credentials or authentication are required. The malformed input triggers an unhandled exception or resource exhaustion, causing the switch to become unresponsive or reboot.
Prerequisites
- Network access to port 23/TCP (telnet service) on the SCALANCE switch
- Telnet service must be enabled (default configuration)
- remotely exploitable
- no authentication required
- low complexity attack
- causes denial of service
- affects network infrastructure that supports safety systems
Exploitability
Unlikely to be exploited — EPSS score 0.4%
Affected products (8)
2 with fix, 6 EOL

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| SCALANCE X-200 switch family (incl. SIPLUS NET variants) | < V5.2.5 | 5.2.5 |
| SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) | < V5.5.0 | 5.5.0 |
| SCALANCE X204RNA (HSR) | All versions | No fix (EOL) |
| SCALANCE X204RNA (PRP) | All versions | No fix (EOL) |
| SCALANCE X204RNA EEC (HSR) | All versions | No fix (EOL) |
| SCALANCE X204RNA EEC (PRP) | All versions | No fix (EOL) |
| SCALANCE X204RNA EEC (PRP/HSR) | All versions | No fix (EOL) |
| SCALANCE X-200RNA: All versions | All versions | No fix (EOL) |
Remediation & Mitigation
Do now
- WORKAROUND: Disable telnet service on affected SCALANCE switches and use SSH instead
- WORKAROUND: Restrict network access to port 23/TCP on SCALANCE switches using firewall rules or access control lists
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update SCALANCE X-200 switch family to firmware v5.2.5 or later
- HOTFIX: Update SCALANCE X-200IRT switch family to firmware v5.5.0 or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SCALANCE X204RNA (HSR), SCALANCE X204RNA (PRP), SCALANCE X204RNA EEC (HSR), SCALANCE X204RNA EEC (PRP), SCALANCE X204RNA EEC (PRP/HSR), SCALANCE X-200RNA: All versions. Apply the following compensating controls:
- HARDENING: Isolate control system network containing SCALANCE switches from the business network using a firewall boundary
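The affected-products table and the remediation steps above can be applied to an asset inventory mechanically. The following is an added example, not code from the advisory or from Siemens; the inventory field names, hostnames, firmware values and the shortened family labels (which fold the HSR/PRP variants into one label) are assumptions made for illustration.

```python
import re

# First fixed firmware per family, taken from the advisory's product table.
FIXED_IN = {"X-200": (5, 2, 5), "X-200IRT": (5, 5, 0)}
# End-of-life families: all versions affected, no fix planned.
# Labels are shortened assumptions covering the HSR/PRP variants.
EOL_FAMILIES = {"X204RNA", "X204RNA EEC", "X-200RNA"}

TELNET_ACTION = "disable telnet, use SSH; restrict 23/TCP by firewall/ACL"

def parse_version(text):
    """'V5.2.4' or '5.2.4' -> (5, 2, 4), so 5.10.0 sorts above 5.2.5."""
    parts = [int(p) for p in re.findall(r"\d+", text)]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(device):
    """Return (status, actions) for one inventory record."""
    family, actions = device["family"], []
    if family in EOL_FAMILIES:
        status = "affected-eol"
        actions.append("isolate control network behind a firewall boundary")
    elif family in FIXED_IN:
        fixed = FIXED_IN[family]
        if parse_version(device["firmware"]) >= fixed:
            return "not-affected", []
        status = "affected-fix-available"
        actions.append("schedule firmware update to V%d.%d.%d or later" % fixed)
    else:
        return "unknown-family", ["check the model against the advisory manually"]
    # The advisory states telnet is enabled by default, so assume on if unknown.
    if device.get("telnet_enabled", True):
        actions.insert(0, TELNET_ACTION)
    return status, actions

# Constructed sample inventory (not real devices).
INVENTORY = [
    {"host": "sw-line1", "family": "X-200", "firmware": "V5.2.4", "telnet_enabled": True},
    {"host": "sw-line2", "family": "X-200", "firmware": "V5.2.5", "telnet_enabled": True},
    {"host": "sw-irt1", "family": "X-200IRT", "firmware": "5.4.1", "telnet_enabled": False},
    {"host": "sw-ring1", "family": "X204RNA", "firmware": "V3.2.7", "telnet_enabled": True},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        status, actions = triage(dev)
        print(f"{dev['host']:9} {status:23} {'; '.join(actions) or '-'}")
```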
CVEs (1)