Siemens SCALANCE and RUGGEDCOM M-800/S615 Family

Plan Patch7.2ICS-CERT ICSA-23-348-12Dec 12, 2023

Attack VectorNetwork

Auth RequiredHigh

ComplexityLow

User InteractionNone needed

Summary

Siemens SCALANCE M-800/S615 family industrial routers affected by multiple vulnerabilities (CWE-349, CWE-425, CWE-78) in firmware versions before 7.2.2. Vulnerabilities allow high-impact compromise including information disclosure, integrity loss, and availability disruption. The advisory references POWER METER SICAM Q100 workarounds including restricting access to port 443/tcp and avoiding untrusted links while logged in. Affected device families include RUGGEDCOM RM1224 LTE variants, SCALANCE M804PB, M812/816/826/874/876 routers, MUM853/MUM856 models, and S615 LAN routers.

What this means

What could happen

An attacker with high privileges and network access to these industrial routers could execute commands, alter configuration, or disrupt availability of critical network links connecting field devices to control systems. This could interrupt communications between PLCs, remote terminals, or SCADA systems and prevent operators from monitoring or controlling industrial processes.

Who's at risk

Water utilities, municipal electric utilities, and any critical infrastructure operators using Siemens SCALANCE M-800 family industrial routers (including M804PB, M812/816/826 ADSL routers, M874/876 routers, MUM853/MUM856 multiservice routers, S615 LAN routers) and RUGGEDCOM RM1224 LTE routers for network connectivity between control centers and remote field sites, substations, or pump stations.

How it could be exploited

An attacker with network access to the affected router and administrative-level credentials (or by exploiting a privilege escalation) could trigger command injection vulnerabilities (CWE-78) or authentication/authorization flaws (CWE-425) to execute arbitrary commands on the device. This would allow modification of routing rules, disabling interfaces, or redirecting traffic to disrupt plant communications.

Prerequisites

Network access to the affected SCALANCE/RUGGEDCOM device
High privilege credentials (administrator account) or successful privilege escalation
Device running firmware version before 7.2.2

remotely exploitablehigh CVSS score (7.2)affects industrial network infrastructure critical to operationsrequires high privilege but could enable privilege escalationlow complexity exploitation (CVSS AC:L)

Exploitability

Low exploit probability (EPSS 0.1%)

Affected products (18)

18 with fix

ProductAffected VersionsFix Status

RUGGEDCOM RM1224 LTE(4G) EU<V7.2.27.2.2

RUGGEDCOM RM1224 LTE(4G) NAM<V7.2.27.2.2

SCALANCE M804PB<V7.2.27.2.2

SCALANCE M812-1 ADSL-Router<V7.2.27.2.2

SCALANCE M816-1 ADSL-Router<V7.2.27.2.2

Remediation & Mitigation

0/6

Do now

0/2

WORKAROUNDRestrict network access to port 443/tcp on affected devices to trusted IP addresses only using firewall rules

HARDENINGInstruct users not to click links from untrusted sources while logged into affected devices (applies to CVE-2023-30901)

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate all affected SCALANCE M-800 and RUGGEDCOM routers to firmware version 7.2.2 or later

Long-term hardening

0/3

HARDENINGPlace affected routers behind firewalls and isolate them from direct internet access and business networks

HARDENINGImplement network segmentation to ensure industrial routers are not directly accessible from the internet

HARDENINGReview and enforce strong authentication controls and minimize use of high-privilege accounts for routine operations

CVEs (3)

CVE-2023-44317 CVE-2023-44320 CVE-2023-49692

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/ae0b098f-99b6-4ad0-b0d6-f860762387bd