Siemens SCALANCE X-200RNA Switch Devices
Act Now | 9.8 | ICS-CERT ICSA-22-349-21 | Dec 13, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SCALANCE X-200RNA switch devices before V3.2.7 contain multiple OpenSSL and OpenSSH vulnerabilities including buffer overflows, authentication weaknesses, and input validation flaws. These vulnerabilities allow remote attackers without authentication to execute arbitrary code or cause denial of service via network access to ports 22/tcp (SSH) and 443/tcp (HTTPS).
What this means
What could happen
An attacker could remotely execute commands on your network switch, potentially disrupting critical network connectivity for control systems, or cause the device to stop responding, taking critical industrial networks offline.
Who's at risk
Network switch operators and IT/OT teams at water utilities, electric utilities, and manufacturing facilities should prioritize this. SCALANCE X-200RNA series are backbone network switches used to connect PLCs, RTUs, and other industrial devices. A compromised switch can disrupt communications across your entire control system network and potentially allow lateral movement to control devices.
How it could be exploited
An attacker on your network or the Internet sends a crafted packet to ports 22 (SSH) or 443 (HTTPS) on the vulnerable switch. Because no authentication is required and the attack complexity is low, the attacker can trigger a buffer overflow or other code execution flaw to run arbitrary commands on the device or crash it, disrupting network communication across your facility.
Prerequisites
- Network access to port 22/tcp (SSH) or 443/tcp (HTTPS)
- No credentials required
- Device must be running firmware version earlier than V3.2.7
- Remotely exploitable
- No authentication required
- Low attack complexity
- High EPSS score (93.9%)
- Affects network infrastructure critical to plant operations
- Multiple vulnerability classes (buffer overflows, weak authentication, input validation)
Exploitability
High exploit probability (EPSS 93.9%)
Affected products (5)
5 with fix
Product | Affected Versions | Fix Status
SCALANCE X204RNA (HSR) | <V3.2.7 | 3.2.7
SCALANCE X204RNA (PRP) | <V3.2.7 | 3.2.7
SCALANCE X204RNA EEC (HSR) | <V3.2.7 | 3.2.7
SCALANCE X204RNA EEC (PRP) | <V3.2.7 | 3.2.7
SCALANCE X204RNA EEC (PRP/HSR) | <V3.2.7 | 3.2.7
Remediation & Mitigation
Do now
- HOTFIX: Update all SCALANCE X-200RNA devices to firmware version 3.2.7 or later
- WORKAROUND: Restrict network access to ports 22/tcp and 443/tcp to only trusted engineering workstations and administrative IP addresses using firewall rules or switch access control lists
- WORKAROUND: Disable the web server (port 443) on the switch if remote web management is not required for your operations
- WORKAROUND: Disable remote SSH access (port 22) if local serial console or in-band management is available and sufficient for your operations
Long-term hardening
- HARDENING: Implement network segmentation to isolate industrial control network switches from business networks and the Internet
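
To work out which devices the update and the port restrictions above apply to first, the following added example (not part of the advisory or any Siemens tooling) triages an asset inventory against the affected product family and the V3.2.7 fix threshold. The CSV column names, host names and the semicolon-separated port field are assumptions, and the sample rows are constructed.

```python
import csv
import io
import re

# From the advisory: affected model family, first fixed firmware, exposed services.
AFFECTED_PREFIX = "SCALANCE X204RNA"
FIXED = (3, 2, 7)
MGMT_PORTS = {22, 443}  # SSH and HTTPS

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """\
host,model,firmware,open_ports
sw-hsr-01,SCALANCE X204RNA (HSR),V3.2.5,22;443
sw-prp-02,SCALANCE X204RNA EEC (PRP),3.2.7,443
sw-prp-03,SCALANCE X204RNA (PRP),V3.1,
sw-core-04,SCALANCE XC208,V4.1,22;443
sw-hsr-05,SCALANCE X204RNA EEC (HSR),unknown,22
"""

def parse_version(text):
    """Return a tuple such as (3, 2, 5), or None if the string is not a version."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))  # pad "3.1" to (3, 1, 0)

def triage(inventory_csv):
    """Return (host, status, exposed_mgmt_ports) for each affected-family device."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if not row["model"].strip().upper().startswith(AFFECTED_PREFIX):
            continue  # not an X-200RNA device, outside this advisory
        version = parse_version(row["firmware"])
        if version is None:
            status = "UNKNOWN"  # cannot prove it is fixed, so it needs review
        elif version < FIXED:
            status = "VULNERABLE"
        else:
            status = "FIXED"
        ports = {int(p) for p in row["open_ports"].split(";") if p}
        exposed = sorted(ports & MGMT_PORTS) if status != "FIXED" else []
        findings.append((row["host"], status, exposed))
    return findings

if __name__ == "__main__":
    for host, status, exposed in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {status:10} reachable mgmt ports: {exposed or 'none'}")
```

Devices reported as VULNERABLE or UNKNOWN with a non-empty port list are the ones where the access restrictions matter most until the firmware update is applied.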
CVEs (83)
CVE-2003-0190, CVE-2003-1562, CVE-2014-8176, CVE-2015-0207, CVE-2015-0208, CVE-2015-0209, CVE-2015-0285, CVE-2015-0286, CVE-2015-0287, CVE-2015-0288, CVE-2015-0289, CVE-2015-0290, CVE-2015-0291, CVE-2015-0292, CVE-2015-0293, CVE-2015-1787, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2015-1794, CVE-2015-3193, CVE-2015-3194, CVE-2015-3195, CVE-2015-3196, CVE-2015-3197, CVE-2015-4000, CVE-2015-5352, CVE-2015-5600, CVE-2015-6563, CVE-2015-6564, CVE-2015-6565, CVE-2015-8325, CVE-2016-0701, CVE-2016-0702, CVE-2016-0703, CVE-2016-0704, CVE-2016-0705, CVE-2016-0777, CVE-2016-0778, CVE-2016-0797, CVE-2016-0798, CVE-2016-0799, CVE-2016-0800, CVE-2016-1907, CVE-2016-1908, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6210, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6515, CVE-2016-8858, CVE-2016-10009, CVE-2016-10010, CVE-2016-10011, CVE-2016-10012, CVE-2017-3735, CVE-2017-15906, CVE-2018-15473, CVE-2018-20685, CVE-2019-1552, CVE-2019-6109, CVE-2019-6110, CVE-2019-6111, CVE-2019-16905