OTPulse

Siemens SCALANCE, RUGGEDCOM

Act Now · 9.8 · ICS-CERT ICSA-20-224-04 · Aug 11, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens RUGGEDCOM RM1224 and SCALANCE M-800 contain a buffer overflow vulnerability (CWE-120) in PPP (Point-to-Point Protocol) functionality. The flaw allows remote code execution when PPP is enabled, exploitable by a malicious peer on the network without authentication. The vulnerability affects all versions before 6.3.

What this means
What could happen
An attacker with network access to a device using PPP could execute arbitrary code on the device, potentially altering network routing, disabling communications, or compromising connectivity for critical SCADA and industrial automation systems.
Who's at risk
Water and utility operators using Siemens RUGGEDCOM RM1224 (hardened industrial switches) or SCALANCE M-800 managed switches for SCADA networks. The risk is particularly high for sites using PPP dial-in connectivity for remote management or point-to-point WAN links.
How it could be exploited
An attacker sends a malformed packet to the affected device's PPP interface. If PPP is enabled, the buffer overflow occurs without requiring authentication, allowing the attacker to inject and execute commands on the device.
Prerequisites
  • PPP (Point-to-Point Protocol) functionality must be enabled on the device
  • Network-reachable PPP interface or dial-in access
  • No authentication required for PPP peer connection
remotely exploitable · no authentication required · low complexity · high EPSS score (65.4%) · affects industrial network switches and routers
Exploitability
High exploit probability (EPSS 65.4%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
RUGGEDCOM RM1224 | All < V6.3 | 6.3
SCALANCE M-800 / S615 | All < V6.3 | 6.3
Remediation & Mitigation
Do now
  • WORKAROUND: Disable PPP functionality on devices where it is not required for operations
  • WORKAROUND: If PPP must remain enabled, restrict PPP connections to trusted peers and trusted networks only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update RUGGEDCOM RM1224 to firmware version 6.3 or later
  • HOTFIX: Update SCALANCE M-800 to firmware version 6.3 or later
  • HARDENING: Implement firewall rules to restrict network access to device management interfaces and PPP ports to authorized networks only
Long-term hardening
  • HARDENING: Segment industrial network switches from untrusted networks and implement network access controls
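
Inventory triage for the remediation steps above, as an added example that is not part of the original advisory or any Siemens tooling. The record fields (name, family, firmware, ppp_enabled) and the sample inventory are constructed assumptions; the family names and the 6.3 threshold come from the affected-products table.

```python
import re

# Affected families and fixed release, as listed in the advisory's product table.
AFFECTED = {"RUGGEDCOM RM1224", "SCALANCE M-800", "SCALANCE S615"}
FIXED = (6, 3)
ORDER = ["exposed", "check-manually", "ppp-off", "fixed", "not-listed"]

def parse_version(text):
    """'V6.2.1' -> (6, 2, 1); None when the string is not a dotted version."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", (text or "").strip())
    return tuple(int(p) for p in m.group(1).split(".")) if m else None

def triage(dev):
    """Classify one inventory record (hypothetical schema) as (status, actions)."""
    if dev["family"] not in AFFECTED:
        return "not-listed", []
    ver = parse_version(dev.get("firmware"))
    if ver is None:
        return "check-manually", ["confirm firmware version on the device"]
    if ver >= FIXED:
        return "fixed", []
    update = "schedule update to 6.3 or later (may reboot)"
    # The overflow is reachable only with PPP enabled; unknown counts as enabled.
    if dev.get("ppp_enabled") is not False:
        return "exposed", ["disable PPP, or restrict it to trusted peers", update]
    return "ppp-off", [update]

def worklist(inventory):
    """Return (name, status, actions) tuples, most urgent first."""
    rows = [(d["name"], *triage(d)) for d in inventory]
    return sorted(rows, key=lambda r: ORDER.index(r[1]))

# Constructed sample inventory (not real devices).
INVENTORY = [
    {"name": "hmi-sw", "family": "OTHER-SWITCH", "firmware": "1.0"},
    {"name": "pump-stn-1", "family": "RUGGEDCOM RM1224", "firmware": "V6.2.1",
     "ppp_enabled": True},
    {"name": "reservoir-2", "family": "SCALANCE M-800", "firmware": "V6.3",
     "ppp_enabled": True},
    {"name": "lift-stn-4", "family": "SCALANCE S615", "firmware": "V6.1",
     "ppp_enabled": False},
    {"name": "intake-3", "family": "SCALANCE M-800", "firmware": ""},
]

if __name__ == "__main__":
    for name, status, actions in worklist(INVENTORY):
        print(f"{name:12} {status:15} {'; '.join(actions)}")
```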