SCALANCE X and S-series managed switches contain a cross-site request forgery (CSRF) vulnerability in the web management interface. An attacker can trick an administrator into clicking a malicious link while the administrator has an authenticated session to the switch. The attacker can then perform administrative actions such as changing switch configuration, port settings, or VLAN assignments. The vulnerability affects the SCALANCE X-200, X-200IRT, X-300, and X-200RNA families, as well as the S602, S612, S623, and S627-2M models. The attacker needs no direct authentication to the switch. Siemens has released firmware updates for the X-series switches; S-series updates are available only through Siemens Support, and the affected S-series products are end-of-life.
What this means
What could happen
An attacker could trick an administrator into clicking a malicious link while logged into a switch's management interface, allowing the attacker to perform administrative actions without needing valid credentials. This could result in unauthorized network configuration changes, such as port blocking, routing changes, or VLAN manipulation that disrupts communication between plant equipment.
Who's at risk
Network switch administrators and operators at water utilities, electric utilities, and manufacturing plants who manage Siemens SCALANCE X and S-series managed switches. Critical for facilities where network switch misconfiguration could isolate control system subnets or interrupt communication between PLCs, RTUs, and the SCADA master station.
How it could be exploited
The attacker crafts a malicious website and tricks a switch administrator (via email, social engineering, or forum post) into clicking a link. If the administrator has an active authenticated session to the switch's web management interface in the same browser, the attacker's site can make unauthorized requests (CSRF attack) to modify switch configuration. No direct network access to the switch is needed; the attacker just needs to get the administrator to visit their website.
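The request-validation logic below is an added illustration of the distinction the paragraph above relies on; it is not code from the advisory or from Siemens firmware. It shows how a web management interface can tell a request the administrator's own page made apart from one a cross-site page made on the administrator's behalf: it checks the browser-supplied Origin (or Referer) header against the management host and requires a per-session anti-CSRF token that a third-party page cannot read. The host name, the header names, and the sample requests are all constructed for the example.

```python
import hmac
from urllib.parse import urlsplit

# Assumed host name of the switch's web management interface (constructed).
MANAGEMENT_HOST = "switch-01.plant.example"


def check_state_changing_request(headers: dict, session_token: str,
                                 allowed_host: str = MANAGEMENT_HOST) -> str:
    """Decide whether a configuration-changing request may proceed.

    Returns "allow" or a short "reject: ..." reason. Two independent checks:
      1. the browser-supplied Origin/Referer must name the management host;
      2. the request must carry the anti-CSRF token bound to this session,
         which a page served from another site cannot read.
    A vulnerable interface, like the one the advisory describes, performs
    neither check and acts on the session cookie alone.
    """
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return "reject: no Origin or Referer header"
    host = urlsplit(origin).hostname
    if host != allowed_host:
        return f"reject: cross-site origin {host}"
    token = headers.get("X-CSRF-Token", "")
    # Constant-time comparison so token length/prefix is not leaked by timing.
    if not hmac.compare_digest(token, session_token):
        return "reject: missing or wrong anti-CSRF token"
    return "allow"


# Constructed sample requests, as a server would see them after the browser
# attached the session cookie. Only the headers that matter here are shown.
SESSION_TOKEN = "tok-9f1c"  # constructed per-session token

SAMPLE_REQUESTS = {
    "admin clicks 'apply' on the switch's own page": {
        "Origin": "http://switch-01.plant.example",
        "X-CSRF-Token": SESSION_TOKEN,
    },
    "form auto-submitted from an unrelated site": {
        "Origin": "http://news.example.org",
    },
    "request with no origin information at all": {},
    "same host but token not presented": {
        "Referer": "http://switch-01.plant.example/ports.html",
    },
}


def evaluate_samples() -> dict:
    """Run every constructed request through the check and collect verdicts."""
    return {name: check_state_changing_request(h, SESSION_TOKEN)
            for name, h in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{verdict:45s} <- {name}")
```

Only the first sample is allowed; the other three are refused even though, in the vulnerable interface, all four would arrive with the administrator's valid session cookie and be acted upon.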
Prerequisites
Administrator must have an active authenticated session to the switch's web management interface
Administrator must be tricked into visiting an attacker-controlled website while logged in
Browser must allow cross-site requests to the switch management interface (default configuration)
Remotely exploitable via social engineering (phishing)
No authentication to the attacker's malicious site required
Requires user interaction (clicking a link) and an existing admin session
Low attack complexity
EPSS score very low (0.3%)
No patch available for S-series products (end-of-life, contact Siemens Support only)
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (8)
8 with fix
Product                                                             | Affected Versions | Fix Status
SCALANCE S602                                                       | < V4.1            | 4.1
SCALANCE S612                                                       | < V4.1            | 4.1
SCALANCE S623                                                       | < V4.1            | 4.1
SCALANCE S627-2M                                                    | < V4.1            | 4.1
SCALANCE X-200 switch family (incl. SIPLUS NET variants)            | < 5.2.4           | 5.2.4
SCALANCE X-200IRT switch family (incl. SIPLUS NET variants)         | < V5.5.0          | 5.5.0
SCALANCE X-200RNA switch family                                     | < V3.2.7          | 3.2.7
SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants)   | < 4.1.3           | 4.1.3
Remediation & Mitigation
Do now
WORKAROUND: Instruct switch administrators to only click web links from trusted sources when using browsers that have active sessions to switch management interfaces
WORKAROUND: Use separate browser instances or sessions: one for accessing switch management, one for general web browsing
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SCALANCE S602
HOTFIX: Contact Siemens Support to obtain and apply updates for SCALANCE S602, S612, S623, and S627-2M to version 4.1
All products
HOTFIX: Update SCALANCE X-200 switches to firmware version 5.2.4 or later
HOTFIX: Update SCALANCE X-200IRT switches to firmware version 5.5.0 or later
HOTFIX: Update SCALANCE X-300 switches (including X408) to firmware version 4.1.3 or later
HOTFIX: Update SCALANCE X-200RNA switches to firmware version 3.2.7 or later
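The inventory check below is an added example, not part of the advisory and not a Siemens tool. It encodes the fixed versions from the affected-products table and the update steps above, parses firmware version strings in either the "V5.2.3" or the "5.2.3" form, and reports which switches in an inventory still run an affected firmware. The inventory itself is constructed for the example; in practice it would come from an asset register or an export from the management software.

```python
from typing import Dict, List, Tuple

# First firmware version that is no longer affected, per product family,
# taken from the advisory's affected-products table.
FIXED_VERSIONS: Dict[str, str] = {
    "SCALANCE S602": "V4.1",
    "SCALANCE S612": "V4.1",
    "SCALANCE S623": "V4.1",
    "SCALANCE S627-2M": "V4.1",
    "SCALANCE X-200": "5.2.4",
    "SCALANCE X-200IRT": "V5.5.0",
    "SCALANCE X-200RNA": "V3.2.7",
    "SCALANCE X-300": "4.1.3",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn 'V5.2.3' or '5.2.3' into a comparable tuple (5, 2, 3).

    Tuple comparison handles mixed lengths the way version numbers do:
    (4, 1) < (4, 1, 0) and (4, 0, 9) < (4, 1), so 'V4.1.0' counts as fixed
    for a family whose fix version is listed as 'V4.1'.
    """
    cleaned = text.strip().upper().lstrip("V")
    return tuple(int(part) for part in cleaned.split("."))


def is_affected(family: str, version: str) -> bool:
    """True when a device of `family` runs firmware older than its fix.

    Raises KeyError for a family the advisory does not cover, so callers
    cannot silently treat an unknown model as safe.
    """
    return parse_version(version) < parse_version(FIXED_VERSIONS[family])


def audit(inventory: List[dict]) -> List[dict]:
    """Annotate each inventory entry with 'affected', 'fixed' or 'unknown'."""
    report = []
    for device in inventory:
        entry = dict(device)
        try:
            entry["status"] = ("affected" if is_affected(device["family"], device["firmware"])
                               else "fixed")
            entry["fix_version"] = FIXED_VERSIONS[device["family"]]
        except KeyError:
            entry["status"] = "unknown"  # family not listed in the advisory
        report.append(entry)
    return report


# Constructed sample inventory: names and firmware levels are illustrative.
SAMPLE_INVENTORY = [
    {"name": "sw-cell1-01", "family": "SCALANCE X-200", "firmware": "V5.2.3"},
    {"name": "sw-cell1-02", "family": "SCALANCE X-200", "firmware": "5.2.4"},
    {"name": "sw-ring-01", "family": "SCALANCE X-200IRT", "firmware": "V5.4.2"},
    {"name": "fw-dmz-01", "family": "SCALANCE S602", "firmware": "V4.0.9"},
    {"name": "fw-dmz-02", "family": "SCALANCE S627-2M", "firmware": "V4.1.0"},
    {"name": "sw-core-01", "family": "SCALANCE X-300", "firmware": "4.1.3"},
    {"name": "sw-legacy-01", "family": "SCALANCE X-100", "firmware": "V2.0.0"},
]


def affected_names(inventory: List[dict]) -> List[str]:
    """Convenience view: just the device names that still need an update."""
    return [d["name"] for d in audit(inventory) if d["status"] == "affected"]


if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        fix = row.get("fix_version", "-")
        print(f"{row['name']:14s} {row['family']:20s} {row['firmware']:8s} "
              f"{row['status']:9s} fix: {fix}")
```

Three of the sample devices (sw-cell1-01, sw-ring-01, fw-dmz-01) are reported as affected; the X-100 entry is reported as unknown rather than fixed, because the advisory does not list that family and the script should not guess.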
Long-term hardening
HARDENING: Restrict network access to switch management interfaces using firewall rules or access control lists to permit only authorized engineering workstations or jump hosts