Siemens SCALANCE X Products (Update B)

Plan PatchCVSS 9.8ICS-CERT ICSA-21-012-05Jan 12, 2021

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

SCALANCE X-200, X-200IRT, and X-300 managed switches contain buffer and heap overflow vulnerabilities in their web server. An unauthenticated attacker on the network can send a crafted request to trigger a reboot or denial-of-service condition. Affected products are SCALANCE X-200 switches (including SIPLUS NET variants) with firmware below v5.2.5, SCALANCE X-200IRT switches (including SIPLUS NET variants) with firmware below v5.5.0, and SCALANCE X-300 switches (including X408 and SIPLUS NET variants) with firmware below v4.1.0.

What this means

What could happen

An attacker could reboot or cause denial-of-service conditions on the SCALANCE X switches, which would disrupt communication between your PLC, HMI, and network devices and potentially stop operations until the switch recovers.

Who's at risk

Water utilities and municipal electric utilities that use Siemens SCALANCE X-200, X-200IRT, or X-300 managed switches for network communication between PLCs, RTUs, HMIs, and remote sites should prioritize this update. Any critical control system that depends on network connectivity for operations could be impacted by switch reboot or unavailability.

How it could be exploited

An unauthenticated attacker with network access to the switch's web server (port 443/TCP) could send a crafted request that exploits heap or buffer overflow vulnerabilities to trigger a reboot or crash the device.

Prerequisites

Network access to the switch's HTTPS port (443/TCP)
No credentials required

remotely exploitableno authentication requiredlow complexityaffects network infrastructure (switches)

Exploitability

Unlikely to be exploited — EPSS score 0.7%

Affected products (3)

3 with fix

ProductAffected VersionsFix Status

SCALANCE X-200 switch family (incl. SIPLUS NET variants)<V5.2.55.2.5

SCALANCE X-200IRT switch family (incl. SIPLUS NET variants)<V5.5.05.5.0

SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants)<V4.1.04.1.0

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDConfigure firewall rules to restrict HTTPS access (port 443/TCP) to the switches to only trusted engineering workstations and management stations

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SCALANCE X-200 switches (including SIPLUS NET variants) to firmware version 5.2.5 or later

HOTFIXUpdate SCALANCE X-200IRT switches (including SIPLUS NET variants) to firmware version 5.5.0 or later

HOTFIXUpdate SCALANCE X-300 switches (including X408 and SIPLUS NET variants) to firmware version 4.1.0 or later

Long-term hardening

0/1

HARDENINGSegment your control network so SCALANCE X switches are not directly reachable from your corporate IT network or the Internet

CVEs (3)

CVE-2020-15799 CVE-2020-15800 CVE-2020-25226

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/b1f11924-d0a1-404a-a2e3-3181fcb9fc9e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.