Siemens SCALANCE and RUGGEDCOM Devices SSH (Update A)

Plan PatchCVSS 8.6ICS-CERT ICSA-21-068-02Mar 9, 2021

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

A vulnerability in the SSH authentication implementation of SCALANCE and RUGGEDCOM network devices allows an attacker to cause a denial of service by sending a specially crafted SSH authentication request. When the device processes the malformed request, the SSH service crashes and the device becomes unresponsive. This affects RUGGEDCOM RM1224 V6.3, SCALANCE M-800 V6.3, SCALANCE S615 V6.3, and SCALANCE SC-600 versions 2.1.x before 2.1.3. No valid credentials are required; the attacker only needs network access to the SSH port.

What this means

What could happen

An attacker with network access to the SSH port could send a specially crafted authentication request to crash the device, causing a denial of service that would interrupt network connectivity and control communications for that switch or gateway.

Who's at risk

Network switch and gateway devices used in industrial networks: Siemens SCALANCE M-800 (industrial managed switches), SCALANCE S615 (industrial switches), SCALANCE SC-600 (industrial managed switches), and RUGGEDCOM RM1224 (rugged industrial gateways used in power and water utilities). Any organization using these products for network infrastructure in critical operations.

How it could be exploited

An attacker on the network sends a malformed SSH authentication packet to port 22 on the affected device. The SSH service crashes when it processes the invalid authentication, causing the device to become unresponsive. The attacker does not need valid credentials or any interaction from an operator.

Prerequisites

Network access to the device on SSH port 22 (TCP/22)
No valid credentials required
Device must be running vulnerable firmware version (V6.3 for SCALANCE M-800/S615/RUGGEDCOM RM1224, or V2.1.x before 2.1.3 for SCALANCE SC-600)

remotely exploitableno authentication requiredlow complexity attackaffects network infrastructure used in critical operationscan cause denial of service interrupting control system communications

Exploitability

Unlikely to be exploited — EPSS score 0.3%

Affected products (4)

4 with fix

ProductAffected VersionsFix Status

RUGGEDCOM RM1224V6.36.4

SCALANCE M-800V6.36.4

SCALANCE S615V6.36.4

SCALANCE SC-600≥ V2.1 and <V2.1.32.1.3

Remediation & Mitigation

0/5

Do now

0/1

WORKAROUNDConfigure the built-in firewall on affected devices to allow SSH connections only from trusted engineering/management IP addresses

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

RUGGEDCOM RM1224

HOTFIXUpdate RUGGEDCOM RM1224 to firmware v6.4 or later

SCALANCE M-800

HOTFIXUpdate SCALANCE M-800 and SCALANCE S615 to firmware v6.4 or later

SCALANCE SC-600

HOTFIXUpdate SCALANCE SC-600 to firmware v2.1.3 or later

Long-term hardening

0/1

HARDENINGSegment the network so that these devices are not directly reachable from untrusted network segments or the Internet

CVEs (1)

CVE-2021-25676

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/fae372f0-214a-45f2-850c-25b5457aef51

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.