Siemens SCALANCE LPE9403 Third-Party Vulnerabilities

Act Now9.8ICS-CERT ICSA-22-167-09Jun 14, 2022

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Multiple vulnerabilities in third-party components (CivetWeb, Docker, Linux Kernel, systemd) in SCALANCE LPE9403 devices running firmware versions prior to 2.0 could allow remote code execution and compromise of confidentiality, integrity, and availability. The vulnerabilities include path traversal (CWE-22), incorrect access control (CWE-665, CWE-281, CWE-732), resource exhaustion (CWE-770), and information disclosure (CWE-200).

What this means

What could happen

An attacker with network access could execute commands on the SCALANCE LPE9403 device, potentially accessing sensitive network data, modifying device configuration or firewall rules, or disrupting network connectivity for critical industrial systems.

Who's at risk

Network device administrators managing Siemens SCALANCE LPE9403 Ethernet protection appliances in industrial networks, particularly those used in water authorities, electric utilities, and manufacturing facilities to provide perimeter security and network segmentation.

How it could be exploited

An attacker on the network sends specially crafted requests targeting third-party component vulnerabilities in the device's web interface or services. No authentication is required. Successful exploitation allows arbitrary code execution on the device with the privileges of the running service, potentially leading to full device compromise.

Prerequisites

Network reachability to the SCALANCE LPE9403 device on HTTP/HTTPS ports
Device running firmware version prior to 2.0

Remotely exploitableNo authentication requiredLow complexity attackActively exploited (KEV)High EPSS score (82.7%)Affects network infrastructure

Exploitability

Actively exploited — confirmed by CISA KEV

Affected products (1)

ProductAffected VersionsFix Status

SCALANCE LPE9403<V2.02.0

Remediation & Mitigation

0/3

Do now

0/2

HOTFIXUpdate SCALANCE LPE9403 firmware to version 2.0 or later

WORKAROUNDRestrict network access to the SCALANCE LPE9403 management interface using firewall rules and access control lists

Long-term hardening

0/1

HARDENINGSegment industrial network to limit exposure of the device to untrusted networks

CVEs (10)

CVE-2020-27304 CVE-2021-20317 CVE-2021-33910 CVE-2021-36221 CVE-2021-39293 CVE-2021-41089 CVE-2021-41091 CVE-2021-41092 CVE-2021-41103 CVE-2022-0847

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/f526f0f7-a1b3-4abd-bb8f-85d0fc8ced06