Siemens SCALANCE W700 and W1700
Monitor | 6.5 | ICS-CERT ICSA-19-344-01 | Dec 10, 2019
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Siemens SCALANCE W700 and W1700 wireless network switches contain a weakness in their WPA/WPA2 encryption implementation. When configured to use the TKIP cipher instead of the more secure AES-CCMP, the switches allow attackers within wireless range to decrypt network traffic. The vulnerability does not affect switch operation itself, but it can expose management traffic, credentials, or control system communications. Siemens recommends updating to firmware v6.4 (W700) or v1.1 (W1700), or switching to AES-CCMP encryption as an immediate mitigation.
What this means
What could happen
An attacker with wireless network access could decrypt WPA/WPA2-encrypted traffic to SCALANCE W700 and W1700 switches if they use TKIP encryption, potentially exposing sensitive control commands or network traffic. Exploitation requires the attacker to be physically present within or near wireless range, and it does not directly impact switch operation itself.
Who's at risk
Water utilities and electric cooperatives using Siemens SCALANCE W700 or W1700 wireless network switches for remote site connectivity or industrial network management. Affects organizations relying on these switches for secure wireless communication to PLCs, RTUs, or other field devices.
How it could be exploited
An attacker within wireless range of the SCALANCE switch network could capture and decrypt WPA/WPA2-encrypted traffic if the network uses the TKIP cipher instead of AES-CCMP. By analyzing the decrypted traffic, the attacker could recover sensitive information passed over the wireless network, such as management credentials or control commands.
Prerequisites
- Wireless network access within range of the SCALANCE switch
- WPA/WPA2 network configured with the TKIP cipher (not the more secure AES-CCMP)
- Physical or proximate presence to the facility
Tags: TKIP encryption weakness | wireless attack surface | no authentication required for network interception | affects network confidentiality
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
SCALANCE W700 | All < V6.4 | 6.4
SCALANCE W1700 | All < V1.1 | 1.1
Remediation & Mitigation
Do now
- WORKAROUND: Configure WPA/WPA2 networks to use AES-CCMP encryption instead of TKIP via the web-based management interface
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update SCALANCE W700 to firmware version 6.4 or later
- HOTFIX: Update SCALANCE W1700 to firmware version 1.1 or later
Long-term hardening
- HARDENING: Restrict wireless network access to trusted users only and segment control system networks from business networks
- HARDENING: Ensure SCALANCE switches are not directly accessible from the Internet and place behind firewalls
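To confirm the AES-CCMP workaround actually took effect, the security elements an access point advertises in its beacons can be checked for TKIP. The following is an added example, not part of the advisory or any Siemens tooling: it parses the RSN (WPA2) and WPA elements as laid out in IEEE 802.11 and flags any that still offer TKIP. The function names are hypothetical and the sample bytes are constructed; obtaining the raw element bytes from a site survey is assumed to happen elsewhere.

```python
import struct

# Cipher suite types shared by the RSN (WPA2) and WPA vendor elements.
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}
RSN_OUI = bytes.fromhex("000fac")  # RSN element, ID 48
WPA_OUI = bytes.fromhex("0050f2")  # WPA vendor-specific element, ID 221, type 1

def _suites(body, oui):
    """Return (group cipher, pairwise cipher list) from a security element body."""
    if len(body) < 8:
        raise ValueError("truncated security element")
    version, = struct.unpack_from("<H", body, 0)
    if version != 1 or body[2:5] != oui:
        raise ValueError("unexpected version or OUI")
    group = CIPHERS.get(body[5], f"unknown({body[5]})")
    count, = struct.unpack_from("<H", body, 6)
    if len(body) < 8 + 4 * count:
        raise ValueError("pairwise list runs past element end")
    pairwise = []
    for i in range(count):
        suite = body[8 + 4 * i: 12 + 4 * i]
        name = CIPHERS.get(suite[3], f"unknown({suite[3]})")
        pairwise.append(name if suite[:3] == oui else "vendor-specific")
    return group, pairwise

def audit_elements(ies):
    """Walk the tagged elements of a beacon or probe response and report TKIP use."""
    findings, pos = [], 0
    while pos + 2 <= len(ies):
        eid, length = ies[pos], ies[pos + 1]
        body = ies[pos + 2: pos + 2 + length]
        pos += 2 + length
        if len(body) < length:
            raise ValueError("element truncated")
        if eid == 48:
            proto, (group, pairwise) = "WPA2", _suites(body, RSN_OUI)
        elif eid == 221 and body[:4] == WPA_OUI + b"\x01":
            proto, (group, pairwise) = "WPA", _suites(body[4:], WPA_OUI)
        else:
            continue  # not a security element (SSID, rates, ...)
        findings.append({"proto": proto, "group": group, "pairwise": pairwise,
                         "tkip": group == "TKIP" or "TKIP" in pairwise})
    return findings

# Constructed sample: SSID "test", then RSN with TKIP group and CCMP+TKIP pairwise.
MIXED = bytes.fromhex("00047465737430180100000fac020200000fac04000fac020100000fac020000")
# Constructed sample: RSN element offering CCMP only (the target configuration).
CCMP_ONLY = bytes.fromhex("30140100000fac040100000fac040100000fac020000")
```

Any finding with `tkip` set to true means the network still accepts TKIP, including mixed TKIP/CCMP modes where the group cipher falls back to TKIP.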
CVEs (1)