Siemens SCALANCE Products (Update A)

MonitorCVSS 6.6ICS-CERT ICSA-19-227-03Aug 13, 2019

Siemens

Attack path

Attack VectorPhysical

Auth RequiredLow

ComplexityLow

User InteractionNone needed

Summary

Siemens SCALANCE network switches contain an improper input validation vulnerability in SSH authentication handling that allows a user with valid credentials to escalate privileges and gain administrative access to the device. This affects multiple models running version 4.1 (XB-200, XC-200, XF-200BA, XP-200, XR-300WG) and version 2.0 (SC-600). An attacker exploiting this could read sensitive configuration, modify switch behavior, or disrupt network connectivity. Siemens has released firmware updates for all affected products.

What this means

What could happen

An attacker with local or network access to a SCALANCE network switch could gain elevated privileges and read sensitive configuration data, potentially allowing them to modify switch settings, intercept traffic, or disrupt network connectivity to critical control systems.

Who's at risk

This affects operators of Siemens SCALANCE managed network switches (XB, XC, XF, XP, XR, and SC series) used in industrial facilities to provide network connectivity for control systems, HMIs, and engineering stations. Network switches are critical infrastructure—if compromised, an attacker could eavesdrop on control communications, block alarms, or prevent legitimate commands from reaching PLCs and other devices.

How it could be exploited

An attacker would need to access the device via SSH (port 22/TCP) or physical access to the device. Once connected with user-level credentials, the attacker could exploit an improper input validation issue to escalate privileges on the device, gaining administrative access to read configuration files and modify network behavior.

Prerequisites

Network access to SSH port 22/TCP (or physical access to device console)
Valid user-level credentials for SSH authentication

Requires local network or physical accessUser credentials requiredAffects network infrastructure (single point of failure)Multiple products affectedNo patch available for older firmware versions

Exploitability

Unlikely to be exploited — EPSS score 0.6%

Affected products (6)

6 with fix

ProductAffected VersionsFix Status

SCALANCE XB-200: V4.1V4.1v4.2

SCALANCE XC-200: V4.1V4.1v4.2

SCALANCE XF-200BA: V4.1V4.1v4.2

SCALANCE XP-200: V4.1V4.1v4.2

SCALANCE XR-300WG: V4.1V4.1v4.2

SCALANCE SC-600: V2.0V2.0v2.0.1

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDRestrict network access to SSH port 22/TCP using firewall rules or access control lists; use built-in firewall on SC-600 if available

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SCALANCE XB-200, XC-200, XF-200BA, XP-200, and XR-300WG to firmware version 4.2

HOTFIXUpdate SCALANCE SC-600 to firmware version 2.0.1

Long-term hardening

0/2

HARDENINGRestrict physical access to the device console and ports

HARDENINGImplement network segmentation to isolate SCALANCE switches from untrusted networks; place these devices in a controlled, protected IT/OT environment

CVEs (2)

CVE-2019-10927 CVE-2019-10928

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/2b0f555f-0f1a-48b4-8b4d-54d4c850763d

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.