Siemens SCALANCE X-200RNA Switch Devices

Plan PatchCVSS 8.8ICS-CERT ICSA-22-349-02Dec 13, 2022

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionRequired

Summary

SCALANCE X204RNA Ethernet switch devices contain multiple vulnerabilities in input validation, resource handling, and session management. Versions before 3.2.7 are affected. The vulnerabilities allow remote attackers to cause denial of service, extract sensitive configuration data or credentials, or hijack authenticated user sessions to the management interface. The device management web interface (ports 80/443) and SNMP service (port 161) are the primary attack vectors. No public exploits are known at this time.

What this means

What could happen

An attacker could cause the switch to stop processing network traffic, extract configuration or password data from the device, or hijack admin sessions to gain unauthorized control of network connectivity in your industrial network.

Who's at risk

Water and electric utilities operating Siemens SCALANCE X204RNA Ethernet switches for network redundancy or process connectivity. This includes facilities using HSR (High-availability Seamless Redundancy) or PRP (Parallel Redundancy Protocol) configurations, and those with EEC (Extended Ethernet Connectivity) modules.

How it could be exploited

An attacker on the network sends a malicious request to the SCALANCE X204RNA switch's web interface (port 80/443) or SNMP service (port 161). Due to insufficient input validation and weak session management, the request causes a denial of service, leaks sensitive data from memory, or allows the attacker to intercept and manipulate existing admin sessions.

Prerequisites

Network access to the SCALANCE X204RNA switch
Access to at least one of: ports 80/TCP, 443/TCP, 161/UDP, or 22/TCP
No authentication required for some vulnerabilities
User interaction may be required for session hijacking attacks

Remotely exploitableNo authentication required for some vectorsLow attack complexityAffects network infrastructure that supports critical control systemsHigh CVSS score (8.8)Multiple vulnerability types (DoS, information disclosure, session hijacking)

Exploitability

Some exploitation risk — EPSS score 2.0%

Affected products (5)

5 with fix

ProductAffected VersionsFix Status

SCALANCE X204RNA (HSR)<V3.2.73.2.7

SCALANCE X204RNA (PRP)<V3.2.73.2.7

SCALANCE X204RNA EEC (HSR)<V3.2.73.2.7

SCALANCE X204RNA EEC (PRP)<V3.2.73.2.7

SCALANCE X204RNA EEC (PRP/HSR)<V3.2.73.2.7

Remediation & Mitigation

0/6

Do now

0/3

WORKAROUNDRestrict network access to ports 22/TCP, 80/TCP, 443/TCP, and 161/UDP to only trusted IP addresses using firewall rules

WORKAROUNDDisable SNMP service if not required for operations

WORKAROUNDDisable the web server if not required for operations

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SCALANCE X204RNA devices to firmware version 3.2.7 or later

Long-term hardening

0/2

HARDENINGSegment the industrial control network from business networks using firewalls

HARDENINGImplement network access controls to prevent Internet-facing exposure of control system devices

CVEs (6)

CVE-2022-46350 CVE-2022-46351 CVE-2022-46352 CVE-2022-46353 CVE-2022-46354 CVE-2022-46355

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/c3734ba6-7060-4f4e-b911-06c09be34063

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.