Multiple SCALANCE managed switches, routers, and wireless devices are vulnerable to code injection, unauthorized information disclosure (including CLI password retrieval and debug data exposure), and denial-of-service attacks. These vulnerabilities affect SCALANCE XC, XF, XP, XR, XB, XM series managed switches; SCALANCE SC converged switches; SCALANCE M-series and RUGGEDCOM industrial routers; and SCALANCE WAM/WAB/WUM/WUB wireless access points, as well as W-series wireless bridges. Devices running firmware versions below the patched versions are vulnerable. Siemens has released firmware updates for most product lines; however, W-series wireless bridge products have no fix available.
What this means
What could happen
An attacker with network access to a vulnerable SCALANCE device could inject code and gain execution on the device, retrieve sensitive information such as CLI passwords or debug data, or render the device unresponsive. This could disrupt network connectivity and control flow to critical industrial equipment like PLCs, pumps, and generators in a utility or water treatment facility.
Who's at risk
Water authorities and electric utilities using Siemens SCALANCE managed switches and routers for industrial network connectivity should review their inventory. Affected products include XC, XF, XP, XR series managed switches (common in process control networks), XM series core switches, RUGGEDCOM industrial routers, M-series ADSL/SHDSL routers, SC/WAM/WUM wireless access points, and W-series wireless bridges. Any facility using SCALANCE devices for OT network connectivity is potentially affected if running firmware below the patched versions.
How it could be exploited
An attacker on the network segment containing a vulnerable SCALANCE device could send specially crafted input to the device's management interface (web UI or CLI) to trigger code injection or other protocol-level flaws. No authentication is required for some variants. If successful, the attacker gains the ability to execute arbitrary commands on the switch, view stored credentials, or trigger a denial of service.
Prerequisites
Network access to the vulnerable SCALANCE device
Device running firmware version below the patched versions (e.g., XC/XF/XP/XR series below v4.4, XM/RUGGEDCOM/M-series below v6.6-7.2, WAM/WAB/WUM/WUB below v2.0-3.0, W-series unpatched)
No authentication required for exploitation of some vulnerability variants
Remotely exploitable over network
No authentication required for some vulnerability variants
Low complexity attack
Affects industrial network infrastructure (switches/routers)
Multiple CVEs affecting code injection and information disclosure
No patch available for W-series wireless devices
Could disrupt control system network communication
WORKAROUND: Restrict network access to SCALANCE devices using firewall rules; allow management traffic only from authorized engineering networks or out-of-band management interfaces
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update SCALANCE XC, XF, XP, XR, XB, and SIPLUS NET SCALANCE products to firmware version 4.4 or later
HOTFIX: Update SCALANCE XM408/416, SCALANCE XR524/526/528/552, and RUGGEDCOM RM1224 devices to firmware version 6.6 (or 7.2 for RUGGEDCOM/M-series) or later
HOTFIX: Update SCALANCE SC622/626/632/636/642/646 devices to firmware version 2.3 or later; versions 2.3 and above with specific CVE fixes require update to version 3.0 or later
HOTFIX: Update SCALANCE WAB762, WAM763/766, WUB762, WUM763/766 devices to firmware version 3.0.0 or 2.0.0 (as applicable) or later
Mitigations - no patch available
The following products have reached End of Life with no planned fix: SCALANCE W1748-1 M12, SCALANCE W1788-1 M12, SCALANCE W721-1 RJ45, SCALANCE W788-1 M12. Apply the following compensating controls:
HARDENING: Isolate all SCALANCE network switches and routers from direct internet connectivity and business network access using air-gapped or restricted routing
HARDENING: Implement network segmentation to separate OT switches from IT networks; require VPN or jump server for remote administrative access to SCALANCE devices
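
The fixed-version thresholds and the End of Life list above can be applied to an asset inventory to sort devices into patch, review, and compensating-control groups. This is an added example, not code from Siemens or the advisory; the inventory entries are constructed, and prefix-based model matching plus the REVIEW status for firmware that sits between two listed fix versions are assumptions of the example.

```python
import re

# Models the page lists as End of Life with no planned fix.
EOL_NO_FIX = ("W1748-1 M12", "W1788-1 M12", "W721-1 RJ45", "W788-1 M12")

def _rules(prefixes, low, high):
    return {p: (low, high) for p in prefixes.split()}

# Model prefix -> (lowest, highest) fixed firmware version named on the page.
# Prefix matching is an assumption of this example; "M" stands for M-series.
RULES = {
    **_rules("XC XF XP XR XB", "4.4", "4.4"),
    **_rules("XM408 XM416 XR524 XR526 XR528 XR552", "6.6", "6.6"),
    **_rules("RM1224 M", "7.2", "7.2"),
    **_rules("SC622 SC626 SC632 SC636 SC642 SC646", "2.3", "3.0"),
    **_rules("WAB762 WAM763 WAM766 WUB762 WUM763 WUM766", "2.0.0", "3.0.0"),
}

def ver(text):
    """Parse 'V4.3.1' or '6.5' into a 3-part tuple so '3.0' equals '3.0.0'."""
    parts = [int(p) for p in re.findall(r"\d+", text)][:3]
    return tuple(parts + [0] * (3 - len(parts)))

def triage(model, firmware):
    name = re.sub(r"^(?:SIPLUS NET |SCALANCE |RUGGEDCOM )+", "", model.upper().strip())
    if name in EOL_NO_FIX:
        return "NO_FIX"  # compensating controls only
    # Longest prefix wins, so XR524 overrides the generic XR rule.
    prefix = max((p for p in RULES if name.startswith(p)), key=len, default=None)
    if prefix is None:
        return "UNKNOWN"  # not covered by this page; check the vendor advisory
    low, high = (ver(v) for v in RULES[prefix])
    fw = ver(firmware)
    if fw < low:
        return "VULNERABLE"
    # Between two listed fix versions: the page says "as applicable".
    return "OK" if fw >= high else "REVIEW"

# Constructed sample inventory, not real asset data.
INVENTORY = [
    ("SCALANCE XC206-2", "4.3.1"), ("SCALANCE XR524-8C", "V6.5"),
    ("SCALANCE XR324-12M", "4.4"), ("RUGGEDCOM RM1224", "6.6"),
    ("SCALANCE SC632-2C", "2.3.1"), ("SCALANCE W788-1 M12", "6.5.0"),
]

if __name__ == "__main__":
    for model, fw in INVENTORY:
        print(f"{triage(model, fw):<10} {model} (firmware {fw})")
```

Devices reported as REVIEW or UNKNOWN need a manual check against the vendor advisory for the exact model and CVE set.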