Siemens SCALANCE S-600 (Update B)

Plan PatchCVSS 7.5ICS-CERT ICSA-20-042-10Feb 11, 2020

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The SCALANCE S-600 family switches (S602, S612, S623, S627-2M) running firmware versions 3.0 through 4.0 contain web application vulnerabilities (CWE-80 Cross-Site Scripting, CWE-400 Uncontrolled Resource Consumption) in the management interface. These vulnerabilities allow remote attackers to conduct denial-of-service attacks against the switch or perform cross-site scripting attacks via the administrative web interface. Successful exploitation could render the switch unavailable or allow an attacker to execute actions in the administrator's browser context, potentially leading to unauthorized configuration changes or credential theft.

What this means

What could happen

An attacker could cause the SCALANCE S-600 switch to become unavailable (denial of service) or inject malicious scripts that execute in the administrator's browser, potentially leading to unauthorized configuration changes.

Who's at risk

Water utilities, municipalities, and industrial facilities using SCALANCE S-600 series managed switches (S602, S612, S623, S627-2M) for network infrastructure in control system environments should apply this update. These are commonly deployed in Siemens automation networks for plant communication and data acquisition.

How it could be exploited

An attacker with network access to the SCALANCE S-600 management interface (typically port 80/443) could send specially crafted HTTP requests to trigger a denial-of-service condition, or craft a malicious link that, when clicked by an administrator accessing the device's web interface, injects JavaScript to steal credentials or modify switch settings.

Prerequisites

Network reachability to the SCALANCE S-600 web management interface (HTTP/HTTPS)
For XSS exploitation, the administrator must click a malicious link or visit a compromised page while managing the device

remotely exploitableno authentication required for DoS attacklow complexity attackaffects network infrastructure supporting OT operations

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (4)

4 with fix

ProductAffected VersionsFix Status

SCALANCE S602≥ V3.0 and <V4.14.1

SCALANCE S612≥ V3.0 and <V4.14.1

SCALANCE S623≥ V3.0 and <V4.14.1

SCALANCE S627-2M≥ V3.0 and <V4.14.1

Remediation & Mitigation

0/4

Do now

0/2

WORKAROUNDRestrict network access to the SCALANCE S-600 management interface using firewall rules to trusted engineering networks and workstations only

WORKAROUNDTrain administrators to avoid clicking links from untrusted sources when managing SCALANCE S-600 devices and to only access the management interface directly by IP or hostname

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

SCALANCE S602

HOTFIXUpdate SCALANCE S602, S612, S623, and S627-2M firmware to version 4.1 or later

Long-term hardening

0/1

HARDENINGImplement network segmentation to isolate the management VLAN of SCALANCE S-600 devices from general corporate networks and untrusted internet access

CVEs (3)

CVE-2019-6585 CVE-2019-13925 CVE-2019-13926

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/dd383f63-9438-4ac9-9513-79dfb845b6c7

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.