Siemens SCALANCE and RUGGEDCOM Devices
Plan Patch8.6ICS-CERT ICSA-22-286-08Oct 11, 2022
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary
Denial of service vulnerability in the TCP event interface of Siemens SCALANCE and RUGGEDCOM network devices. An unauthenticated remote attacker can send specially crafted packets to the TCP Event Service port (default 26864/TCP) to render affected devices unusable. The TCP Event feature is not active by default.
What this means
What could happen
An attacker on your network can crash these routers and industrial switches, temporarily disrupting network connectivity for production equipment and causing process downtime until the device is rebooted.
Who's at risk
Operators of water utilities, electric utilities, and other critical infrastructure who use Siemens SCALANCE industrial switches and routers (M-series, S-series, WAM, WUM models) and RUGGEDCOM RM1224 LTE cellular routers for OT network connectivity. These are commonly used in substations, remote sites, and process networks to connect PLCs, RTUs, and SCADA terminals.
How it could be exploited
An attacker on your network (or Internet if the device is exposed) sends crafted TCP packets to port 26864/TCP on any affected device where the TCP Event feature has been enabled. The device crashes and becomes unavailable, disrupting network traffic for connected PLCs, sensors, and other control equipment.
Prerequisites
- Network access to TCP port 26864/TCP on the affected device
- TCP Event feature must be explicitly enabled (not enabled by default)
remotely exploitableno authentication requiredlow complexityaffects network availability for critical control systemshigh CVSS score (8.6)
Exploitability
Low exploit probability (EPSS 1.0%)
Affected products (26)
26 with fix
ProductAffected VersionsFix Status
RUGGEDCOM RM1224 LTE(4G) EU<V7.1.27.1.2
RUGGEDCOM RM1224 LTE(4G) NAM<V7.1.27.1.2
SCALANCE M804PB<V7.1.27.1.2
SCALANCE M812-1 ADSL-Router<V7.1.27.1.2
SCALANCE M816-1 ADSL-Router<V7.1.27.1.2
Remediation & Mitigation
0/17
Do now
0/2WORKAROUNDDisable the TCP Event feature if it is not required for your operations
WORKAROUNDRestrict access to TCP port 26864/TCP using firewall rules to only trusted networks and IP addresses that legitimately need to use the TCP Event feature
Schedule — requires maintenance window
0/14Patching may require device reboot — plan for process interruption
RUGGEDCOM RM1224 LTE(4G) EU
HOTFIXUpdate RUGGEDCOM RM1224 LTE(4G) EU to firmware version 7.1.2 or later
RUGGEDCOM RM1224 LTE(4G) NAM
HOTFIXUpdate RUGGEDCOM RM1224 LTE(4G) NAM to firmware version 7.1.2 or later
SCALANCE M804PB
HOTFIXUpdate SCALANCE M804PB to firmware version 7.1.2 or later
SCALANCE M812-1 ADSL-Router
HOTFIXUpdate SCALANCE M812-1 ADSL-Router to firmware version 7.1.2 or later
SCALANCE M816-1 ADSL-Router
HOTFIXUpdate SCALANCE M816-1 ADSL-Router to firmware version 7.1.2 or later
SCALANCE M826-2 SHDSL-Router
HOTFIXUpdate SCALANCE M826-2 SHDSL-Router to firmware version 7.1.2 or later
SCALANCE M874-2
HOTFIXUpdate SCALANCE M874-2 to firmware version 7.1.2 or later
SCALANCE M874-3
HOTFIXUpdate SCALANCE M874-3 to firmware version 7.1.2 or later
SCALANCE M876-3
HOTFIXUpdate SCALANCE M876-3 to firmware version 7.1.2 or later
SCALANCE M876-4
HOTFIXUpdate SCALANCE M876-4 to firmware version 7.1.2 or later
SCALANCE WAM763-1
HOTFIXUpdate SCALANCE WAM763-1, WAM766-1, WUM763-1, and WUM766-1 wireless access points to firmware version 3.0.0 or later
All products
HOTFIXUpdate SCALANCE MUM853-1 to firmware version 7.1.2 or later
HOTFIXUpdate SCALANCE MUM856-1 to firmware version 7.1.2 or later
HOTFIXUpdate SCALANCE S615 to firmware version 7.1.2 or later
Long-term hardening
0/1HARDENINGEnsure affected network devices are located behind firewalls and isolated from untrusted networks and the Internet
CVEs (1)
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/96242b9e-693d-4261-9b25-e617013b3797