OTPulse

Siemens SCALANCE XM-400, XR-500

Priority: Act Now
Score: 7.5
Source: ICS-CERT ICSA-24-165-11
Date: Jun 11, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Siemens SCALANCE XM-400 and XR-500 managed Industrial Ethernet switches contain multiple memory safety and cryptographic validation vulnerabilities (CWE-326, CWE-415, CWE-416, CWE-20, CWE-295) that allow unauthenticated remote attackers to cause a denial of service by disrupting switch operations. All models running firmware earlier than V6.6.1 are affected.

What this means
What could happen
An attacker with network access to these switches could cause denial of service, disrupting communications between PLCs, RTUs, and HMIs, which could halt or destabilize industrial processes like water treatment or power distribution.
Who's at risk
Water and electric utilities, wastewater treatment facilities, and any industrial site using Siemens SCALANCE XM-400 or XR-500 managed Industrial Ethernet switches for device interconnection. These switches carry the communication between control devices such as PLCs, RTUs, and operator interfaces.
How it could be exploited
An attacker with network connectivity to the switch can send specially crafted packets to trigger the vulnerability without authentication. This leads to a crash or service disruption of the switch's routing and switching functions, isolating connected devices.
Prerequisites
  • Network access to the SCALANCE XM-400 or XR-500 switch (any TCP/UDP port)
  • Device running firmware version below 6.6.1
  • No authentication required for exploitation
Key risk factors
  • remotely exploitable
  • no authentication required
  • low complexity
  • high EPSS score (88.5%)
  • affects network availability in critical operations
Exploitability
High exploit probability (EPSS 88.5%)
Affected products (25)
25 with fix
Product                        Affected Versions   Fix Status
SCALANCE XM408-4C              < V6.6.1            6.6.1
SCALANCE XM408-4C (L3 int.)    < V6.6.1            6.6.1
SCALANCE XM408-8C              < V6.6.1            6.6.1
SCALANCE XM408-8C (L3 int.)    < V6.6.1            6.6.1
SCALANCE XM416-4C              < V6.6.1            6.6.1
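A defender-side inventory check, added here as an example (it is not part of the advisory and not Siemens code): it parses Siemens-style firmware strings such as "V6.6.1" and flags devices in the two affected families that still run a version earlier than the 6.6.1 fix. The family-matching pattern and the sample inventory are assumptions constructed for the example.

```python
import re
from typing import Iterable

FIXED_VERSION = "6.6.1"  # fix version stated in the advisory

# Assumption: product names in the affected families start with
# "SCALANCE XM4xx" (XM-400 family) or "SCALANCE XR5xx" (XR-500 family).
AFFECTED_FAMILY = re.compile(r"^SCALANCE (XM4|XR5)\d\d", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Parse firmware strings such as 'V6.6.1' or '6.5' into a comparable
    tuple of ints; missing trailing components count as 0."""
    m = re.match(r"^\s*V?(\d+(?:\.\d+)*)", text, re.IGNORECASE)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(product: str, firmware: str) -> bool:
    """True when the device is in an affected family and runs firmware < V6.6.1."""
    if not AFFECTED_FAMILY.match(product):
        return False
    return parse_version(firmware) < parse_version(FIXED_VERSION)


def affected_devices(inventory: Iterable[dict]) -> list:
    """Return hostnames from an asset inventory that still need the 6.6.1 update."""
    return [d["host"] for d in inventory if is_affected(d["product"], d["firmware"])]


# Constructed sample inventory for the example (not real devices).
SAMPLE_INVENTORY = [
    {"host": "sw-wtp-01", "product": "SCALANCE XM408-4C", "firmware": "V6.5.0"},
    {"host": "sw-wtp-02", "product": "SCALANCE XM416-4C", "firmware": "V6.6.1"},
    {"host": "sw-sub-01", "product": "SCALANCE XR528-6M", "firmware": "V6.6"},
    {"host": "sw-sub-02", "product": "SCALANCE XC208", "firmware": "V4.3"},
]

if __name__ == "__main__":
    for host in affected_devices(SAMPLE_INVENTORY):
        print(f"{host}: update to firmware {FIXED_VERSION} or later")
```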
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the switches using firewall rules that allow only expected management and industrial protocol traffic.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SCALANCE XM-400 and XR-500 switches to firmware version 6.6.1 or later.
Long-term hardening
HARDENING: Segment the network so that SCALANCE switches are isolated from the internet and from untrusted business networks.
HARDENING: Implement a VPN or other secure remote access protocol if remote management is required.