Siemens SCALANCE W700 and W1700

MonitorCVSS 6.5ICS-CERT ICSA-19-344-01Dec 10, 2019

Siemens

Attack path

Attack VectorAdjacent

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Siemens SCALANCE W700 and W1700 wireless network switches contain a weakness in WPA/WPA2 encryption implementation. When configured to use TKIP cipher instead of the more secure AES-CCMP, the switches allow attackers within wireless range to decrypt network traffic. The vulnerability does not affect switch operation itself, but can expose management traffic, credentials, or control system communications. Siemens recommends updating to firmware v6.4 (W700) or v1.1 (W1700) or switching to AES-CCMP encryption as an immediate mitigation.

What this means

What could happen

An attacker with wireless network access could decrypt encrypted WPA/WPA2 traffic to SCALANCE W700 and W1700 switches if they use TKIP encryption, potentially exposing sensitive control commands or network traffic. This vulnerability requires physical or proximate wireless range to exploit and does not directly impact switch operation itself.

Who's at risk

Water utilities and electric cooperatives using Siemens SCALANCE W700 or W1700 wireless network switches for remote site connectivity or industrial network management. Affects organizations relying on these switches for secure wireless communication to PLCs, RTUs, or other field devices.

How it could be exploited

An attacker within wireless range of the SCALANCE switch network could capture and decrypt WPA/WPA2-encrypted traffic if the network uses TKIP cipher instead of AES-CCMP. By analyzing the decrypted traffic, the attacker could recover sensitive information passed over the wireless network, such as management credentials or control commands.

Prerequisites

Wireless network access within range of the SCALANCE switch
WPA/WPA2 network configured with TKIP cipher (not the more secure AES-CCMP)
Physical or proximate presence to the facility

TKIP encryption weaknesswireless attack surfaceno authentication required for network interceptionaffects network confidentiality

Exploitability

Some exploitation risk — EPSS score 1.1%

Affected products (2)

2 with fix

ProductAffected VersionsFix Status

SCALANCE W700: All<V6.46.4

SCALANCE W1700: All<V1.11.1

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDConfigure WPA/WPA2 networks to use AES-CCMP encryption instead of TKIP via the web-based management interface

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SCALANCE W700 to firmware version 6.4 or later

HOTFIXUpdate SCALANCE W1700 to firmware version 1.1 or later

Long-term hardening

0/2

HARDENINGRestrict wireless network access to trusted users only and segment control system networks from business networks

HARDENINGEnsure SCALANCE switches are not directly accessible from the Internet and place behind firewalls

CVEs (1)

CVE-2018-14526

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/cb58fc97-038a-40d3-90e5-b8c02aa39ea3

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.