OTPulse

Siemens SCALANCE X Switches (Update B)

Plan Patch | CVSS 8.8 | ICS-CERT ICSA-20-014-03 | Jan 14, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Several SCALANCE X switches are affected by an authentication bypass vulnerability in the web configuration interface. An unauthenticated attacker can send a GET request to a specific URL to violate access-control rules, allowing them to obtain sensitive information or change device configuration. Affected products include SCALANCE X200RNA (HSR/PRP), X200RNA EEC variants, X300-series switches, X400-series, XR300-series, and SIPLUS NET variants.

What this means
What could happen
An attacker with network access to the switch's web interface could bypass authentication to read sensitive configuration data or modify network settings without entering a password, potentially disrupting industrial network connectivity or gaining unauthorized access to plant operations.
Who's at risk
This vulnerability affects water utilities and electrical utilities that use Siemens SCALANCE X switches for industrial network infrastructure. Plant operations staff should be concerned if these switches manage connectivity to PLCs, RTUs, SCADA servers, or remote I/O devices in water treatment, distribution, or power generation facilities. The switches are used in critical network segments for remote access, redundancy (HSR/PRP modes), and equipment communication across plant locations.
How it could be exploited
An attacker sends a crafted GET request to a specific URL on the switch's web configuration interface without providing credentials. The switch fails to validate authentication and grants access to protected functions, allowing the attacker to extract configuration data or change settings such as IP addresses, VLAN assignments, or access controls.
Prerequisites
  • Network access to the switch's web-based management (WBM) interface on the default HTTP/HTTPS port
  • The switch must have WBM enabled (default configuration)
  • Knowledge of the specific vulnerable URL path
  • Remotely exploitable over network
  • No authentication required for attack
  • Low attack complexity
  • Affects industrial network infrastructure connecting to critical control systems
  • Potentially allows modification of network routing and access controls
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (56)
56 with fix
Product | Affected Versions | Fix Status
SCALANCE X204RNA (HSR) | <V3.2.7 | 3.2.7
SCALANCE X204RNA (PRP) | <V3.2.7 | 3.2.7
SCALANCE X204RNA EEC (HSR) | <V3.2.7 | 3.2.7
SCALANCE X204RNA EEC (PRP) | <V3.2.7 | 3.2.7
SCALANCE X204RNA EEC (PRP/HSR) | <V3.2.7 | 3.2.7
Remediation & Mitigation
Do now
  • WORKAROUND: Disable web-based management (WBM) and use SSH instead for device configuration
  • WORKAROUND: Configure Access Control Lists (ACLs) to restrict web-based management access to trusted IP addresses only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update SCALANCE X204RNA and X204RNA EEC variants to firmware version 3.2.7 or later
  • HOTFIX: Update SCALANCE X300-series, X400-series, XR300-series, and SIPLUS NET SCALANCE X variants to firmware version 4.1.3 or later
Long-term hardening
  • HARDENING: Place network switches behind firewalls and isolate industrial control networks from business networks
  • HARDENING: Minimize network exposure of the switches; ensure they are not accessible from the Internet
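
To sort an asset inventory into the "Do now" and "Schedule" buckets above, the following added example (not part of the advisory or any Siemens tooling) compares each switch's firmware with the fixed versions listed here and notes whether WBM is still enabled. The CSV columns, host names, status labels and model-name patterns are assumptions of this example.

```python
import csv
import io
import re

# Fixed firmware per family, from the remediation items above. The model-name
# patterns are an assumption; the advisory's full product list is authoritative.
FIXED = [
    (re.compile(r"\bX204RNA\b"), (3, 2, 7)),
    (re.compile(r"\bXR?3\d\d"), (4, 1, 3)),   # X300 / XR300, incl. SIPLUS NET
    (re.compile(r"\bX4\d\d"), (4, 1, 3)),     # X400 series
]

def parse_version(text):
    """'V3.2.6' or '4.1.3' -> (3, 2, 6); None if not dotted integers."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(row):
    """Classify one inventory row with keys model, firmware, wbm."""
    fixed = next((v for pat, v in FIXED if pat.search(row["model"])), None)
    if fixed is None:
        return "not-listed"
    have = parse_version(row["firmware"])
    if have is None:
        return "check-manually"
    width = max(len(have), len(fixed))        # pad so '4.1' means 4.1.0
    have += (0,) * (width - len(have))
    fixed += (0,) * (width - len(fixed))
    if have >= fixed:
        return "fixed"
    wbm_on = row["wbm"].strip().lower() == "on"
    return "vulnerable-wbm-on" if wbm_on else "vulnerable-wbm-off"

# Constructed sample inventory (hosts and versions are made up).
SAMPLE = """host,model,firmware,wbm
sw-a,SCALANCE X204RNA (HSR),V3.2.6,on
sw-b,SCALANCE X204RNA EEC (PRP),3.2.7,on
sw-c,SCALANCE XR324-12M,V4.1,off
sw-d,SCALANCE X308-2,V4.1.3,on
sw-e,SCALANCE X204-2,V5.2.4,on
sw-f,SCALANCE X408-2,unknown,on
"""

def run(text=SAMPLE):
    return {r["host"]: triage(r) for r in csv.DictReader(io.StringIO(text))}

if __name__ == "__main__":
    for host, status in run().items():
        print(f"{host:6} {status}")
```

Rows reported as `vulnerable-wbm-on` are candidates for the WBM/ACL workarounds first; `vulnerable-wbm-off` rows still need the firmware update in a maintenance window.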