Siemens SCALANCE (Update A)

Plan PatchCVSS 9.1ICS-CERT ICSA-22-223-07Aug 9, 2022

Siemens

Attack path

Attack VectorNetwork

Auth RequiredHigh

ComplexityLow

User InteractionNone needed

Summary

SCALANCE devices contain multiple vulnerabilities that allow authenticated remote attackers to execute custom code or trigger XSS conditions, and allow unauthenticated remote attackers to create denial of service conditions. Affected product lines include M-series routers (ADSL, SHDSL, mobile cellular), S-series managed switches, SC-series industrial switches, W-series wireless access points, X-series managed industrial switches, and RUGGEDCOM devices. Siemens has released patches for most affected products; however, several W-series wireless models have no fix available.

What this means

What could happen

An authenticated attacker could execute arbitrary commands on SCALANCE network devices, potentially disrupting plant network connectivity, rerouting traffic, or isolating critical control systems. Unauthenticated attackers could cause denial of service by flooding the device, knocking it offline and interrupting communications between control systems and field equipment.

Who's at risk

Municipal water and electric utilities using Siemens SCALANCE industrial network devices for plant control and monitoring systems. Specifically affects network infrastructure connecting PLCs, RTUs, IEDs, and remote access points used in water treatment, distribution, power generation, and substation automation. The advisory covers multiple device classes: cellular/ADSL WAN routers for remote plant connectivity, managed industrial switches for LAN backbone, wireless access points for mobile engineering access, and specialized models for hazardous or outdoor installations.

How it could be exploited

An authenticated attacker with network access to the device's web interface (port 80/443) or management API could inject malicious code into a request to achieve remote code execution. An unauthenticated attacker could send specially crafted network traffic to the device to trigger a resource exhaustion condition, causing the device to become unresponsive and disconnecting all attached network segments from each other and the corporate network.

Prerequisites

Network access to affected SCALANCE device on ports 80/TCP or 443/TCP
Valid administrative or user account credentials for authenticated code execution
No special network configuration or authentication required for denial of service attacks

Remotely exploitableAffects network infrastructure with broad operational impactMultiple severity levels including code executionNo fix available for multiple W-series wireless modelsAffects both authenticated and unauthenticated attack vectorsLarge number of affected product variants increases inventory complexity

Exploitability

Some exploitation risk — EPSS score 1.5%

Affected products (154)

126 with fix28 pending

ProductAffected VersionsFix Status

SCALANCE M812-1 ADSL-Router (Annex B)<V7.1.27.1.2

SCALANCE M816-1 ADSL-Router (Annex A)<V7.1.27.1.2

SCALANCE M816-1 ADSL-Router (Annex B)<V7.1.27.1.2

SCALANCE M826-2 SHDSL-Router<V7.1.27.1.2

SCALANCE M874-2<V7.1.27.1.2

Remediation & Mitigation

0/9

Do now

0/1

WORKAROUNDRestrict network access to SCALANCE devices to ports 80/TCP and 443/TCP from trusted management IP addresses and authorized personnel only via firewall rules

Schedule — requires maintenance window

0/6

Patching may require device reboot — plan for process interruption

SCALANCE S615

HOTFIXUpdate SCALANCE S615 and SC-series industrial switches (SC622-2C, SC626-2C, SC632-2C, SC636-2C, SC642-2C, SC646-2C) to firmware version 2.3.1 or later

All products

HOTFIXUpdate SCALANCE M-series routers (M812-1, M816-1, M826-2, M874-2, M874-3, M876-3, M876-4, MUM853-1, MUM856-1, M804PB) and RUGGEDCOM RM1224 LTE to firmware version 7.1.2 or later

HOTFIXUpdate SCALANCE XC and XF-series switches (XC206, XC208, XC216, XC224, XF204 variants) and SIPLUS NET SCALANCE variants to firmware version 4.4 or later

HOTFIXUpdate SCALANCE XM-series and XR-series managed switches (XM408-4C, XM408-8C, XM416-4C, XR552-12M, XR524-8C, XR526-8C, XR528-6M variants) to firmware version 6.6 or later

HOTFIXUpdate SCALANCE WAM and WUM wireless access points (WAM763-1, WAM766-1, WUM763-1, WUM766-1 variants) to firmware version 2.0 or later

HOTFIXUpdate SCALANCE XB-series and XP-series switches (XB205-3, XB208, XB213-3, XB216, XP208, XP216, XR324WG, XR326-2C PoE WG, XR328-4C WG variants) to firmware version 4.4 or later

Long-term hardening

0/2

HARDENINGApply the principle of least privileges to all administrative accounts configured on affected SCALANCE devices; disable or remove unnecessary accounts

HARDENINGConfigure SCALANCE devices in a protected network environment following Siemens operational security guidelines and product manuals

CVEs (3)

CVE-2022-36323 CVE-2022-36324 CVE-2022-36325

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/74d80ab8-03d3-4704-a3f7-ab78c7715b04

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.