OTPulse

Siemens SCALANCE X Switch Devices

Plan: Patch · CVSS: 9.6 · ICS-CERT ICSA-22-195-01 · Jul 12, 2022
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple SCALANCE X switch devices contain buffer overflow and heap overflow vulnerabilities in the web server component. An unauthenticated attacker with network access to the device's HTTP/HTTPS ports can send specially crafted requests that trigger an overflow, resulting in denial of service (device reboot) or potentially arbitrary code execution on the switch. The advisory classifies the weaknesses as CWE-330 (Use of Insufficiently Random Values) and CWE-120 (Buffer Copy without Checking Size of Input); the overflows fall under CWE-120, while CWE-330 denotes a separate insufficient-randomness weakness rather than the overflow behaviour described here.

What this means
What could happen
An attacker with network access to the web interface (ports 80/443) could reboot these switches or otherwise cause denial-of-service conditions, disrupting communication between control devices on your network. Because the defects are heap and buffer overflows, they could also allow arbitrary code execution on the switch itself.
Who's at risk
Water utilities, electric utilities, and manufacturing facilities that rely on Siemens SCALANCE X managed switches for industrial network communication. These devices are typically used to isolate and manage traffic between PLCs, RTUs, HMIs, and engineering workstations. Interruption of these switches could prevent communication between control devices and disrupt SCADA operations.
How it could be exploited
An attacker on the same network as the switch (the advisory rates the attack vector as Adjacent; the exposure is wider if port 80/443 is reachable from other networks or the internet) sends a crafted request to the SCALANCE X switch web interface. No authentication is required. The malformed input triggers a buffer or heap overflow in the web server, allowing the attacker to crash the switch (DoS) or potentially execute arbitrary code on the device.
Prerequisites
  • Network access to the SCALANCE X switch on port 80/TCP (HTTP) or port 443/TCP (HTTPS)
  • No authentication required
  • Web server must be enabled on the switch (default configuration)
  • Exploitable over the network via port 80/443 (attack vector: Adjacent)
  • No authentication required
  • Low attack complexity
  • High CVSS score (9.6)
  • Affects industrial network infrastructure
Exploitability
Moderate exploit probability (EPSS 1.5%)
Affected products (29)
29 with fix
Product                  | Affected Versions | Fix Status
SCALANCE X201-3P IRT PRO | < V5.5.2          | Fixed in V5.5.2
SCALANCE X202-2IRT       | < V5.5.2          | Fixed in V5.5.2
SCALANCE X202-2P IRT     | < V5.5.2          | Fixed in V5.5.2
SCALANCE X202-2P IRT PRO | < V5.5.2          | Fixed in V5.5.2
SCALANCE X204-2          | < V5.2.6          | Fixed in V5.2.6
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to ports 80/TCP and 443/TCP on all SCALANCE X switches to trusted management addresses only, using firewall rules or access control lists.
WORKAROUND: Disable the web server on SCALANCE X switches if the web interface is not required for your operations.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update affected SCALANCE X switches to version 5.5.2 (for X201-3P IRT PRO, X202 series, X204IRT, XF201-3P IRT, XF202-2P IRT, XF204-2BA IRT, XF204IRT, X200-4P IRT, X201-3P IRT) or version 5.2.6 (for X204, X206, X208, X212, X216, X224, XF204 series).
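Because the fixed version differs by product line (5.5.2 for the IRT models, 5.2.6 for the others), an inventory pass is the practical way to decide which switches still need the maintenance window. The script below is an added example, not tooling from the advisory or from Siemens: it encodes the product-to-fix mapping for the five table rows shown on this page (the remaining rows of the 29-product table would be added to the same dictionary), parses firmware strings such as "V5.5.1", and flags each device as affected, fixed, or unknown. The inventory rows are constructed for illustration.

```python
import re

# Fixed firmware version per product, taken from the affected-products table shown on this page.
# Assumption: model strings in the inventory use the same spelling as the advisory.
# Extend this mapping from the full table before relying on it for a real fleet.
FIX_VERSION = {
    "SCALANCE X201-3P IRT PRO": "5.5.2",
    "SCALANCE X202-2IRT": "5.5.2",
    "SCALANCE X202-2P IRT": "5.5.2",
    "SCALANCE X202-2P IRT PRO": "5.5.2",
    "SCALANCE X204-2": "5.2.6",
}


def parse_version(text: str) -> tuple:
    """Turn 'V5.5.2', '5.5.2' or '5.5' into a comparable integer tuple (padded to 3 parts)."""
    m = re.match(r"^\s*[Vv]?(\d+(?:\.\d+)*)\s*$", text)
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * max(0, 3 - len(parts))


def assess_device(model: str, firmware: str) -> dict:
    """Classify one switch against the advisory's fix versions."""
    fix = FIX_VERSION.get(model.strip())
    if fix is None:
        # Not in the mapping: either not affected or not yet entered; do not silently mark it safe.
        return {"model": model, "firmware": firmware, "status": "unknown", "target": None}
    affected = parse_version(firmware) < parse_version(fix)
    return {
        "model": model,
        "firmware": firmware,
        "status": "affected" if affected else "fixed",
        "target": fix,
    }


def assess_inventory(rows) -> list:
    """rows: iterable of (model, firmware) pairs, e.g. exported from an asset inventory."""
    return [assess_device(model, firmware) for model, firmware in rows]


def needs_maintenance_window(rows) -> list:
    """Models that must be updated (and therefore rebooted), for planning the outage."""
    return [r["model"] for r in assess_inventory(rows) if r["status"] == "affected"]


# Constructed sample inventory (hypothetical devices, not from the advisory).
INVENTORY = [
    ("SCALANCE X202-2P IRT", "V5.5.1"),      # below 5.5.2 -> affected
    ("SCALANCE X204-2", "V5.2.6"),           # at fix version -> fixed
    ("SCALANCE X204-2", "V5.2.5"),           # below 5.2.6 -> affected
    ("SCALANCE X201-3P IRT PRO", "V5.5.2"),  # at fix version -> fixed
    ("SCALANCE X308-2", "V4.1.3"),           # not in the mapping -> unknown
]

if __name__ == "__main__":
    for r in assess_inventory(INVENTORY):
        print(f"{r['model']:<28} {r['firmware']:<8} {r['status']:<9} target={r['target']}")
```

The version comparison is tuple-based rather than string-based so that a hypothetical 5.5.10 sorts above 5.5.2; a plain string compare would wrongly flag it as affected. Devices absent from the mapping are reported as "unknown" rather than "fixed", which is the safer default while the mapping is incomplete.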
Long-term hardening
HARDENING: Segment SCALANCE X switches onto a dedicated industrial network, separated from IT networks and the internet by firewalls or managed switches.