Siemens SCALANCE Switch Families

Plan PatchCVSS 7.3ICS-CERT ICSA-23-103-13Apr 11, 2023

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

Siemens SCALANCE industrial switches contain "Bad Alloc" memory allocation vulnerabilities in their underlying operating system. These vulnerabilities allow remote attackers to send specially crafted packets that cause the switch to crash or malfunction, disrupting network connectivity. The vulnerabilities affect a broad range of SCALANCE X-series and XR-series managed switches. Some product families (X-204, X-206, X-208, X-212, X-216, X-224, X-200 IRT, and XF-series) have firmware updates available. However, older product families including X-302-7 EEC, X-307, X-308, X-310, X-306, X-304, and XR-324 series have no fix planned and will remain vulnerable.

What this means

What could happen

A "Bad Alloc" memory allocation vulnerability in affected SCALANCE switches could allow an attacker to crash the switch or potentially execute arbitrary code, disrupting network connectivity for critical control systems in water treatment, power distribution, or manufacturing operations.

Who's at risk

Water utilities, electric utilities, and manufacturing plants relying on Siemens SCALANCE industrial switches for network connectivity. Particularly critical are organizations using X-302, X-307, X-308, X-310, XR-324, or SIPLUS NET variants that have no firmware fix available.

How it could be exploited

An attacker with network access to an affected SCALANCE switch can send specially crafted packets that trigger a memory allocation failure. This causes the switch to crash or behave unpredictably, severing communication between PLCs, RTUs, and control workstations on the network segment served by that switch.

Prerequisites

Network access to the switch (no authentication required)
Ability to send crafted network packets to the switch's management or data plane interface

Remotely exploitableNo authentication requiredLow attack complexityNo patch available for 40+ products in the X-302/X-307/X-308/XR-324 familiesAffects network backbone connectivity for control systems

Exploitability

Some exploitation risk — EPSS score 1.3%

Affected products (81)

30 with fix51 pending

ProductAffected VersionsFix Status

SCALANCE X302-7 EEC (24V, coated)All versionsNo fix yet

SCALANCE X302-7 EEC (24V)All versionsNo fix yet

SCALANCE X302-7 EEC (2x 230V, coated)All versionsNo fix yet

SCALANCE X302-7 EEC (2x 230V)All versionsNo fix yet

SCALANCE X302-7 EEC (2x 24V, coated)All versionsNo fix yet

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to affected SCALANCE switches using firewalls or access control lists to limit traffic to trusted engineering workstations and control systems only

Schedule — requires maintenance window

0/2

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SCALANCE X-200 and X-200 IRT switches to firmware version 5.5.2 or later

HOTFIXUpdate SCALANCE X-204, X-206, X-208, X-212, X-216, X-224, and XF-series switches to firmware version 5.2.6 or later

Long-term hardening

0/1

HARDENINGImplement network segmentation to isolate SCALANCE switches onto a dedicated control network segment with restricted routing to/from corporate IT networks

CVEs (2)

CVE-2020-28895 CVE-2020-35198

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/552db0e1-dd16-4815-a3fe-686ad822b405

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.