Siemens SCALANCE and RUGGEDCOM Devices SSH (Update A)
Plan Patch | 8.6 | ICS-CERT ICSA-21-068-02 | Mar 9, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in the SSH authentication implementation of SCALANCE and RUGGEDCOM network devices allows an attacker to cause a denial of service by sending a specially crafted SSH authentication request. When the device processes the malformed request, the SSH service crashes and the device becomes unresponsive. This affects RUGGEDCOM RM1224 V6.3, SCALANCE M-800 V6.3, SCALANCE S615 V6.3, and SCALANCE SC-600 versions 2.1.x before 2.1.3. No valid credentials are required; the attacker only needs network access to the SSH port.
What this means
What could happen
An attacker with network access to the SSH port could send a specially crafted authentication request to crash the device, causing a denial of service that would interrupt network connectivity and control communications for that switch or gateway.
Who's at risk
Network switch and gateway devices used in industrial networks: Siemens SCALANCE M-800 (industrial managed switches), SCALANCE S615 (industrial switches), SCALANCE SC-600 (industrial managed switches), and RUGGEDCOM RM1224 (rugged industrial gateways used in power and water utilities). This covers any organization using these products for network infrastructure in critical operations.
How it could be exploited
An attacker on the network sends a malformed SSH authentication packet to port 22 on the affected device. The SSH service crashes when it processes the invalid authentication, causing the device to become unresponsive. The attacker does not need valid credentials or any interaction from an operator.
Prerequisites
- Network access to the device on SSH port 22 (TCP/22)
- No valid credentials required
- Device must be running vulnerable firmware version (V6.3 for SCALANCE M-800/S615/RUGGEDCOM RM1224, or V2.1.x before 2.1.3 for SCALANCE SC-600)
- remotely exploitable
- no authentication required
- low complexity attack
- affects network infrastructure used in critical operations
- can cause denial of service interrupting control system communications
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (4)
4 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| RUGGEDCOM RM1224 | V6.3 | 6.4 |
| SCALANCE M-800 | V6.3 | 6.4 |
| SCALANCE S615 | V6.3 | 6.4 |
| SCALANCE SC-600 | ≥ V2.1 and < V2.1.3 | 2.1.3 |
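To turn the affected-products table above into an inventory check, the following added example (not part of the advisory or any Siemens tooling) flags devices whose firmware falls in an affected range. The inventory rows, hostnames and the `triage` helper are constructed for illustration, and treating "V6.3" as every 6.3.x patch level is an assumption.

```python
import re

# Advisory table as (first affected, first fixed). Assumption: "V6.3" means [6.3, 6.4).
AFFECTED = {
    "RUGGEDCOM RM1224": ((6, 3), (6, 4)),
    "SCALANCE M-800": ((6, 3), (6, 4)),
    "SCALANCE S615": ((6, 3), (6, 4)),
    "SCALANCE SC-600": ((2, 1), (2, 1, 3)),
}

def parse_version(text):
    """Turn 'V6.3', 'v2.1.2' or '6.4.0' into a tuple of ints."""
    m = re.fullmatch(r"\s*[vV]?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def is_affected(product, firmware):
    """True if the product/firmware pair falls in an affected range."""
    if product not in AFFECTED:
        return False
    low, fixed = AFFECTED[product]
    # Tuple comparison: (6, 3) <= (6, 3, 1) < (6, 4) and (2, 1, 3) is not < (2, 1, 3).
    return low <= parse_version(firmware) < fixed

def triage(inventory):
    """Return (host, product, firmware, fixed_in) rows that need action."""
    findings = []
    for host, product, firmware in inventory:
        try:
            if is_affected(product, firmware):
                fixed = ".".join(map(str, AFFECTED[product][1]))
                findings.append((host, product, firmware, fixed))
        except ValueError:
            # Unreadable versions go to manual review instead of being dropped.
            findings.append((host, product, firmware, "verify manually"))
    return findings

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = [
    ("sw-pump-01", "SCALANCE M-800", "V6.3"),
    ("fw-cell-07", "SCALANCE SC-600", "V2.1.2"),
    ("fw-cell-08", "SCALANCE SC-600", "V2.1.3"),
    ("gw-sub-03", "RUGGEDCOM RM1224", "V6.3.1"),
    ("sw-lab-09", "SCALANCE S615", "unknown"),
]

if __name__ == "__main__":
    for row in triage(INVENTORY):
        print(*row, sep="\t")
```

Devices with an unparseable version string are reported for manual verification rather than silently treated as unaffected.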
Remediation & Mitigation
Do now
WORKAROUND: Configure the built-in firewall on affected devices to allow SSH connections only from trusted engineering/management IP addresses
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
RUGGEDCOM RM1224
HOTFIX: Update RUGGEDCOM RM1224 to firmware v6.4 or later
SCALANCE M-800
HOTFIX: Update SCALANCE M-800 and SCALANCE S615 to firmware v6.4 or later
SCALANCE SC-600
HOTFIX: Update SCALANCE SC-600 to firmware v2.1.3 or later
Long-term hardening
HARDENING: Segment the network so that these devices are not directly reachable from untrusted network segments or the Internet
CVEs (1)