OTPulse

Siemens SCALANCE and SIMATIC (Update H)

Plan PatchCVSS 7.5ICS-CERT ICSA-20-105-07Apr 14, 2020
SiemensManufacturing
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

A vulnerability in the TCP stack of Siemens SCALANCE switches and SIMATIC communication processors can be exploited by remote attackers to trigger expensive computation on every incoming packet. This causes denial of service by exhausting device CPU resources and rendering the device unable to forward traffic or process commands. The vulnerability affects multiple SCALANCE switch families (X-200IRT, XF-200, X-200, X-300, XR-300 series) and SIMATIC communication processors (CP 442-1 RNA, CP 443-1 variants). Several products have no updates available and require migration or network-based mitigation.

What this means
What could happen
An attacker with network access to affected switches or communication processors can send specially crafted packets that force expensive computation on every incoming packet, consuming CPU and causing the device to stop responding (denial of service). This would disrupt network connectivity for plant control systems, automation networks, or remote I/O.
Who's at risk
This affects Siemens SCALANCE industrial Ethernet switches (X-200, X-300, XR-300, XF-200 series) and SIMATIC communication processors (CP 442-1, CP 443-1 variants, and RF18xC RFID readers) used in manufacturing plants, water treatment facilities, and power distribution networks. Any facility using these switches for critical automation networks, PLC communication, or remote device connectivity is at risk.
How it could be exploited
An attacker sends a series of specifically crafted TCP packets to an affected switch or communication processor. The TCP stack processes each packet in an expensive way, consuming CPU resources. Repeated or continuous packets overwhelm the device, making it unable to forward traffic or respond to legitimate commands until rebooted.
Prerequisites
  • Network-layer access to the device (direct connection to the same subnet or routed path through your network)
  • No credentials or authentication required
Remotely exploitableNo authentication requiredLow complexityAffects network infrastructure (switches and communications gateways)No patch available for SIMATIC CP 343-1 Advanced, SIMATIC RF180C, SIMATIC RF182C, SIPLUS NET CP 343-1 Advanced
Exploitability
Unlikely to be exploited — EPSS score 0.5%
Affected products (90)
86 with fix4 pending
ProductAffected VersionsFix Status
SCALANCE X202-2P IRT PRO<V5.5.05.5.0
SCALANCE X204-2<V5.2.55.2.5
SCALANCE X200-4P IRT<V5.5.05.5.0
SCALANCE X201-3P IRT<V5.5.05.5.0
SCALANCE X201-3P IRT PRO<V5.5.05.5.0
Remediation & Mitigation
0/9
Do now
0/2
HARDENINGPlace switches and communication processors on isolated control network behind firewall; restrict network access with ACLs to allow only legitimate traffic between engineering workstations, PLCs, and remote I/O
HARDENINGEnsure devices are not directly accessible from the Internet; use firewall rules to block external access to device management ports
Schedule — requires maintenance window
0/5

Patching may require device reboot — plan for process interruption

SIMATIC CP 443-1
HOTFIXUpdate SIMATIC CP 443-1 and CP 443-1 Advanced to firmware version 3.3 or later
SIMATIC CP 442-1 RNA
HOTFIXUpdate SIMATIC CP 442-1 RNA and CP 443-1 RNA to firmware version 1.5.18 or later
All products
HOTFIXUpdate SCALANCE X-200IRT and XF200 switch families to firmware version 5.5.0 or later
HOTFIXUpdate SCALANCE X-200 and XF200 switch families to firmware version 5.2.5 or later
HOTFIXUpdate SCALANCE X300 and XR300 switch families to firmware version 4.1.4 or later
Long-term hardening
0/2
HOTFIXFor SIMATIC RF180C and RF182C (no fixes available): migrate to SIMATIC RF18xC/CI family version 1.3 or later
HARDENINGIf remote access to devices is necessary, use VPN and limit access to authorized engineering or operations staff only
View full CISA ICS-CERT advisory
API: /api/v1/advisories/f68b2f66-0c63-420c-b592-14f491e9225c

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.