OTPulse

Siemens Web Server of SCALANCE X200 (Update A)

Act Now
CVSS 9.8
ICS-CERT ICSA-21-103-07
Apr 13, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple SCALANCE X-200 industrial Ethernet switches contain buffer overflow vulnerabilities in the web server component (CWE-122, CWE-121). An attacker could remotely execute arbitrary code on the device by sending a specially crafted request to the web server (ports 80/HTTP or 443/HTTPS) without requiring authentication. This affects SCALANCE X200, X201, X202, X204, X206, X208, X212, X216, X224 series and XF-series models with firmware versions below 5.5.1 (for IRT variants) or 5.2.5 (for non-IRT variants).

What this means
What could happen
An attacker with network access to a SCALANCE X-200 switch's web server could execute arbitrary code on the device, potentially disrupting network operations or altering traffic routing in critical infrastructure networks like water systems or power grids.
Who's at risk
Water utilities, municipal electric utilities, and other critical infrastructure operators using SCALANCE X-200 series industrial Ethernet switches for network management in their operational technology (OT) environments. This includes facility networks, SCADA networks, and any deployment where these managed switches provide network connectivity for control systems or sensors.
How it could be exploited
An attacker connects to the web server (HTTP/HTTPS, ports 80 or 443) on an affected SCALANCE X-200 switch and sends a crafted request that exploits a buffer overflow in the web server code. This allows the attacker to overwrite memory and execute arbitrary commands on the switch, potentially giving them control over network traffic or device operations.
Prerequisites
  • Network access to the SCALANCE X-200 web server on port 80 (HTTP) or port 443 (HTTPS)
  • Device must be running a vulnerable firmware version (below 5.5.1 for IRT models, below 5.2.5 for non-IRT models)
  • No authentication credentials required
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Critical CVSS score (9.8)
  • Buffer overflow vulnerability allows code execution
  • Affects network infrastructure devices (switches)
Exploitability
Moderate exploit probability (EPSS 1.7%)
Affected products (29)
29 with fix
Product                                             Affected Versions   Fix Status
SCALANCE X200-4P IRT                                <5.5.1              5.5.1
SCALANCE X201-3P IRT                                <5.5.1              5.5.1
SCALANCE X201-3P IRT PRO                            <5.5.1              5.5.1
SCALANCE X202-2 IRT                                 <5.5.1              5.5.1
SCALANCE X202-2P IRT (incl. SIPLUS NET variant)     <5.5.1              5.5.1
Remediation & Mitigation
Do now
WORKAROUND: Configure firewall rules to restrict traffic to the web server ports (80/TCP and 443/TCP) to only trusted management connections
HARDENING: Isolate SCALANCE X-200 switches from direct Internet access and place them behind firewalls
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SCALANCE X200-4P IRT
HOTFIX: Upgrade SCALANCE X200-4P IRT, X201-3P IRT, X201-3P IRT PRO, X202-2 IRT, X202-2P IRT, X202-2P IRT PRO, X204 IRT, X204 IRT PRO, XF201-3P IRT, XF202-2P IRT, XF204 IRT, and XF204-2BA IRT to firmware version 5.5.1 or later
All products
HOTFIX: Upgrade SCALANCE X204-2, X204-2FM, X204-2LD, X204-2LD TS, X204-2TS, X206-1, X206-1LD, X208, X208PRO, X212-2, X212-2LD, X216, X224, XF204, XF204-2, XF206-1, and XF208 to firmware version 5.2.5 or later
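A defender-side inventory check for the two firmware thresholds above, written as an added example that is not part of the advisory or of OTPulse: it sorts each model into the IRT or non-IRT list taken from the two HOTFIX items and flags devices still below the fixing release. Host names, models and firmware strings in the sample inventory are constructed.

```python
# Added example (not from the advisory or OTPulse): flag SCALANCE X-200 switches
# below the fixing release. Model lists/thresholds from ICSA-21-103-07 hotfix items.

IRT_MODELS = {  # fixed in 5.5.1
    "X200-4P IRT", "X201-3P IRT", "X201-3P IRT PRO", "X202-2 IRT",
    "X202-2P IRT", "X202-2P IRT PRO", "X204 IRT", "X204 IRT PRO",
    "XF201-3P IRT", "XF202-2P IRT", "XF204 IRT", "XF204-2BA IRT",
}
NON_IRT_MODELS = {  # fixed in 5.2.5
    "X204-2", "X204-2FM", "X204-2LD", "X204-2LD TS", "X204-2TS",
    "X206-1", "X206-1LD", "X208", "X208PRO", "X212-2", "X212-2LD",
    "X216", "X224", "XF204", "XF204-2", "XF206-1", "XF208",
}
FIXED_RELEASE = {"IRT": (5, 5, 1), "non-IRT": (5, 2, 5)}

def parse_version(text):
    """'V5.2.4' or '5.2.4' -> (5, 2, 4); digits only, tuples compare element-wise."""
    return tuple(int(part) for part in text.strip().lstrip("Vv").split("."))

def fixed_release_for(model):
    """Fixing release for a model such as 'SCALANCE X204 IRT', or None if the
    model is in neither affected list (and so out of scope for this advisory)."""
    name = model.upper().replace("SCALANCE", "").strip()
    if name in IRT_MODELS:
        return FIXED_RELEASE["IRT"]
    if name in NON_IRT_MODELS:
        return FIXED_RELEASE["non-IRT"]
    return None

def vulnerable_devices(inventory):
    """Return (host, model, firmware, required) for every in-scope device
    whose firmware is below its fixing release."""
    findings = []
    for host, model, firmware in inventory:
        required = fixed_release_for(model)
        if required is not None and parse_version(firmware) < required:
            findings.append((host, model, firmware, ".".join(map(str, required))))
    return findings

# Constructed sample inventory (host, model, firmware); not real devices.
SAMPLE_INVENTORY = [
    ("sw-pump-01", "SCALANCE X204 IRT", "V5.5.0"),   # IRT, below 5.5.1
    ("sw-pump-02", "SCALANCE X204 IRT", "V5.5.1"),   # IRT, already fixed
    ("sw-scada-01", "SCALANCE X208", "V5.2.4"),      # non-IRT, below 5.2.5
    ("sw-scada-02", "SCALANCE X216", "V5.3.0"),      # non-IRT, already fixed
    ("sw-office-01", "SCALANCE X300", "V4.1.0"),     # not an affected model
]

if __name__ == "__main__":
    for host, model, firmware, required in vulnerable_devices(SAMPLE_INVENTORY):
        print(f"{host}: {model} runs {firmware}; upgrade to {required} or later")
```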
Long-term hardening
HARDENING: Segment the network to separate the SCALANCE switches from the business network