Siemens SCALANCE XB-200 / XC-200 / XP-200 / XF-200BA / XR-300WG Family

MonitorCVSS 4.9ICS-CERT ICSA-24-074-08Mar 12, 2024

Siemens

Attack path

Attack VectorNetwork

Auth RequiredHigh

ComplexityLow

User InteractionNone needed

Summary

SCALANCE XB-200/XC-200/XP-200/XF-200BA/XR-300WG Family managed switches are affected by multiple vulnerabilities identified as CVE-2023-44318 and CVE-2023-44321. These vulnerabilities allow an attacker with elevated privileges and network access to the device to read sensitive information from device memory. The affected product family includes industrial Ethernet switches used for network segmentation and device connectivity in control system environments. Siemens has released firmware version 4.6 and later for some products but many variants remain without fixes or with fixes not yet available.

What this means

What could happen

An attacker with administrative credentials and network access to an affected switch could read sensitive data from device memory, potentially including configuration information, credentials, or other sensitive parameters. While not directly affecting physical operations, compromised switch memory could expose information needed to escalate attacks or access other network devices.

Who's at risk

Water utilities, electric utilities, and industrial facilities using Siemens SCALANCE managed switches for network segmentation in control system networks. Affected equipment includes XB-200 series (compact switches), XC-200 series (industrial Ethernet switches), XP-200 series (PoE switches), XF-204 series (firewall appliances), and XR-300WG series (managed switches). Organizations relying on these switches for critical infrastructure network segmentation should assess their inventory against the affected product list.

How it could be exploited

An attacker with administrative-level credentials and network access to the switch management interface (typically Ethernet or serial console) can send crafted requests to read unprotected memory regions on the device. The attacker does not need physical access or elevated OS-level privileges, only valid engineering credentials for the switch itself.

Prerequisites

Valid administrative credentials for the SCALANCE switch (engineering account or web/serial management access)
Network or serial console access to the device management interface
Switch firmware version below 4.6 (for products with available fixes)

Requires valid administrative credentialsNetwork-accessible management interfaceLow exploit complexityMultiple product variants without fixes or with fixes not yet availableInformation disclosure riskAffects critical infrastructure switching

Exploitability

Unlikely to be exploited — EPSS score 0.2%

Affected products (172)

86 with fix86 pending

ProductAffected VersionsFix Status

SCALANCE XB206-2 LD< 4.64.6

SCALANCE XB206-2 SCAll versionsNo fix yet

SCALANCE XB206-2 SC< 4.64.6

SCALANCE XB206-2 STAll versionsNo fix yet

SCALANCE XB206-2 ST< 4.64.6

Remediation & Mitigation

0/6

Do now

0/3

WORKAROUNDFor products without available fixes, restrict network access to switch management interfaces using firewall rules. Allow only trusted engineering workstations and administration devices to reach management ports (typically 22/SSH, 23/Telnet, 80/HTTP, 443/HTTPS).

WORKAROUNDDisable unused management protocols on switches where possible (e.g., disable Telnet if only SSH is needed, disable HTTP if HTTPS is available).

HARDENINGImplement strong authentication for all switch management accounts. Change default credentials immediately and enforce password complexity requirements.

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate affected SCALANCE switches to firmware version 4.6 or later where available. Consult the Siemens security advisory SSA-353002 for the specific fixed firmware version for your product model.

Long-term hardening

0/2

HARDENINGImplement network segmentation to isolate SCALANCE switch management traffic. Use separate VLANs or dedicated management networks that are not accessible from the process network or untrusted areas.

HARDENINGMonitor for unauthorized management access to switches. Enable and review switch audit logs for unexpected login attempts or configuration changes.

CVEs (2)

CVE-2023-44318 CVE-2023-44321

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/038f84dd-70f1-445a-bac3-7412f2f42b06

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.