Siemens SCALANCE XM-400 and XR-500 Devices
Plan Patch | CVSS 7.5 | ICS-CERT ICSA-21-131-10 | May 11, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SCALANCE XM-400 and XR-500 devices contain a vulnerability in the OSPF protocol implementation. An unauthenticated remote attacker can craft malformed OSPF packets to cause a permanent denial-of-service condition on the switch. The vulnerability only affects devices with OSPF enabled (disabled by default). Siemens has released firmware v6.4 for both product families that corrects the issue.
What this means
What could happen
An attacker on the network could crash SCALANCE XM-400 or XR-500 switching devices if OSPF routing is enabled, causing a denial of service that would disrupt connectivity for any industrial systems using these switches as network infrastructure.
Who's at risk
Water and electric utilities that use SCALANCE XM-400 or XR-500 managed switches for industrial network connectivity. Anyone running OSPF routing on these switches is affected. The vulnerability impacts the plant network backbone that connects PLCs, HMIs, and remote terminal units (RTUs), making it critical for any facility using these Siemens switches for Layer 3 routing in the control system network.
How it could be exploited
An attacker with network access sends malformed OSPF protocol packets to the switch. If OSPF is enabled and the attacker knows the network topology, the malformed packets cause the OSPF process to crash permanently. The switch becomes unreachable and stops routing traffic.
Prerequisites
- Network access to the SCALANCE device (OSPF operates at Layer 3 and responds to network packets)
- OSPF routing must be enabled on the device (disabled by default)
- No credentials required to send OSPF packets if MD5 authentication is not configured
Remotely exploitable; no authentication required (if MD5 not enabled); low complexity attack; affects network availability; high CVSS score (7.5)
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
SCALANCE XM-400 Family | < V6.4 | 6.4
SCALANCE XR-500 Family | < V6.4 | 6.4
Remediation & Mitigation
Do now
- WORKAROUND: If firmware upgrade cannot be done immediately, disable OSPF in the layer 3 configuration menu
- WORKAROUND: If OSPF must remain enabled, configure MD5 authentication with a strong password on all OSPF interfaces
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update SCALANCE XM-400 to firmware v6.4 or later
- HOTFIX: Update SCALANCE XR-500 to firmware v6.4 or later
Long-term hardening
- HARDENING: Segment industrial network so these switches are not reachable directly from business network or Internet
- HARDENING: Implement firewall rules to restrict access to network management interfaces and OSPF (IP protocol 89)
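To confirm that the MD5 authentication workaround is actually in effect on a segment, the following added example (not part of the advisory and not Siemens tooling) parses the OSPFv2 header of a captured packet and reports its authentication type. The field layout follows RFC 2328; the function names and the sample packets are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

# OSPFv2 common header (RFC 2328, A.3.1): version, type, packet length,
# router ID, area ID, checksum, AuType, 8-byte authentication field.
HEADER = struct.Struct("!BBH4s4sHH8s")
AUTYPE = {0: "null", 1: "simple-password", 2: "cryptographic"}

def audit_ospf(payload: bytes) -> dict:
    """Report the authentication used by one OSPFv2 packet (IP protocol 89 payload)."""
    if len(payload) < HEADER.size:
        return {"ok": False, "reason": "truncated header"}
    ver, ptype, length, rid, area, _ck, autype, auth = HEADER.unpack_from(payload)
    if ver != 2:
        return {"ok": False, "reason": f"not OSPFv2 (version {ver})"}
    if not HEADER.size <= length <= len(payload):
        return {"ok": False, "reason": "length field inconsistent"}
    result = {"router_id": str(IPv4Address(rid)), "area": str(IPv4Address(area)),
              "type": ptype, "auth": AUTYPE.get(autype, f"unknown({autype})")}
    if autype == 2:
        # RFC 2328 D.3: zero (2 bytes), key ID, digest length, sequence number.
        _zero, key_id, digest_len, _seq = struct.unpack("!HBBI", auth)
        # The digest trails the packet and is not counted in the length field.
        if len(payload) < length + digest_len:
            return {"ok": False, "reason": "digest missing"}
        result["key_id"] = key_id
    # Presence check only: verifying the digest itself needs the shared key.
    result["ok"] = autype == 2
    if not result["ok"]:
        result["reason"] = "no cryptographic authentication"
    return result

def sample_hello(autype: int, auth: bytes, digest: bytes = b"") -> bytes:
    """Constructed sample: 24-byte header + 20-byte Hello body (+ digest)."""
    body = struct.pack("!4sHBBI4s4s", bytes([255, 255, 255, 0]), 10, 2, 1, 40,
                       bytes(4), bytes(4))
    header = HEADER.pack(2, 1, HEADER.size + len(body), bytes([10, 0, 0, 1]),
                         bytes(4), 0, autype, auth)
    return header + body + digest

# Constructed packets: one unauthenticated, one with an MD5 trailer (dummy digest).
UNAUTH = sample_hello(0, bytes(8))
MD5 = sample_hello(2, struct.pack("!HBBI", 0, 1, 16, 1000), bytes(16))

if __name__ == "__main__":
    for name, pkt in (("unauthenticated", UNAUTH), ("md5", MD5)):
        print(name, audit_ospf(pkt))
```

Any packet reported with `ok: False` on a segment where OSPF must stay enabled points to an interface that still needs the authentication workaround applied.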
CVEs (1)