OTPulse

Siemens SCALANCE XM-400 and XR-500

Monitor | CVSS 5.9 | ICS-CERT ICSA-22-167-10 | Jun 14, 2022
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

SCALANCE XM-400 and XR-500 managed switches contain a flaw in the OSPF (Open Shortest Path First) protocol implementation. An unauthenticated attacker on the network can send a specially crafted OSPF packet that causes the device to mishandle the data, resulting in network disruptions or loss of routing connectivity. The vulnerability only exists when OSPF is enabled on the device; OSPF is disabled by default. The attack has high complexity and requires network access to the device.

What this means
What could happen
An attacker can disrupt network communication by exploiting a flaw in the OSPF routing protocol implementation, causing interruptions to industrial network connectivity and potentially halting data flow between devices on your network.
Who's at risk
Network administrators managing Siemens SCALANCE XM-400 and XR-500 series managed switches used in industrial networks and data centers. These devices are commonly deployed in manufacturing, water treatment, power distribution, and other critical infrastructure to connect and route data between control systems.
How it could be exploited
An attacker on the network sends a specially crafted OSPF protocol packet to a SCALANCE device with OSPF enabled. The device processes the malformed packet incorrectly, causing it to stop responding to routing updates or drop network connections.
Prerequisites
  • Network access to the SCALANCE device (direct or routed)
  • OSPF protocol enabled on the target device (disabled by default)
  • High attack complexity (difficult to execute)
  • remotely exploitable
  • no authentication required (for OSPF packets)
  • low attack complexity (once on network)
  • high availability impact (network disruption)
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (25)
25 with fix
Product | Affected Versions | Fix Status
SCALANCE XR524-8C, 1x230V (L3 int.) | <V6.5 | 6.5
SCALANCE XR524-8C, 2x230V | <V6.5 | 6.5
SCALANCE XR524-8C, 2x230V (L3 int.) | <V6.5 | 6.5
SCALANCE XR524-8C, 24V | <V6.5 | 6.5
SCALANCE XR524-8C, 24V (L3 int.) | <V6.5 | 6.5
Remediation & Mitigation
Do now
WORKAROUND: If OSPF is enabled, configure MD5 authentication on the OSPF interface with a strong password
WORKAROUND: Disable OSPF in the Layer 3 configuration menu if OSPF is not required for your network design
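
One way to confirm the MD5 workaround is in effect, as an added example that is not part of the advisory or of any Siemens code: it parses the OSPFv2 header (RFC 2328) of captured OSPF payloads and flags routers that still send without cryptographic authentication. The function names, the constructed sample packets and the key `constructed-key` are assumptions made for illustration.

```python
import hashlib
import hmac
import struct
from typing import NamedTuple, Optional

# OSPFv2 header (RFC 2328 A.3.1): ver, type, length, router ID, area ID, checksum, AuType, auth
OSPF_HDR = struct.Struct("!BBH4s4sHH8s")
AUTYPE_NAMES = {0: "null", 1: "simple-password", 2: "cryptographic"}

class Finding(NamedTuple):
    router_id: str
    autype: str
    ok: bool
    reason: str

def audit_ospf(payload: bytes, key: Optional[bytes] = None) -> Finding:
    """Audit one OSPF payload (IP protocol 89, bytes after the IP header)."""
    if len(payload) < OSPF_HDR.size:
        raise ValueError("truncated OSPF header")
    version, _type, length, rid, _area, _ck, autype, auth = OSPF_HDR.unpack_from(payload)
    if version != 2 or not OSPF_HDR.size <= length <= len(payload):
        raise ValueError("not a well-formed OSPFv2 packet")
    router = ".".join(map(str, rid))
    name = AUTYPE_NAMES.get(autype, f"unknown({autype})")
    if autype != 2:
        return Finding(router, name, False, "no cryptographic authentication")
    # AuType 2 auth field: zero(2), key ID(1), digest length(1), sequence number(4).
    _zero, key_id, dlen, _seq = struct.unpack("!HBBI", auth)
    digest = payload[length:length + dlen]  # appended; not counted in `length`
    if dlen != 16 or len(digest) != 16:
        return Finding(router, name, False, "MD5 digest missing or wrong size")
    if key is not None:
        # RFC 2328 D.4.3: MD5 over the packet followed by the key (zero-padded to 16 bytes).
        want = hashlib.md5(payload[:length] + key.ljust(16, b"\0")).digest()
        if not hmac.compare_digest(want, digest):
            return Finding(router, name, False, f"digest mismatch for key ID {key_id}")
    return Finding(router, name, True, f"MD5 key ID {key_id}")

def build_sample(autype: int, key: bytes = b"") -> bytes:
    """Constructed sample packet (Hello, router 192.0.2.1, area 0) for the demo."""
    body = bytes(20)  # placeholder Hello body; the audit reads only the header
    auth = struct.pack("!HBBI", 0, 1, 16, 7) if autype == 2 else bytes(8)
    pkt = OSPF_HDR.pack(2, 1, OSPF_HDR.size + len(body), bytes([192, 0, 2, 1]),
                        bytes(4), 0, autype, auth) + body
    return pkt + hashlib.md5(pkt + key.ljust(16, b"\0")).digest() if autype == 2 else pkt

if __name__ == "__main__":
    for p in (build_sample(0), build_sample(2, b"constructed-key")):
        print(audit_ospf(p, b"constructed-key"))
```

Without a key the function only confirms that AuType 2 and a 16-byte digest are present; passing the configured key also verifies the digest.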
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update all SCALANCE XM-400 and XR-500 devices to firmware version 6.5 or later
Long-term hardening
HARDENING: Restrict network access to management ports on SCALANCE devices using firewall rules or access control lists
Siemens SCALANCE XM-400 and XR-500 | CVSS 5.9 - OTPulse