OTPulse

Siemens SCALANCE, RUGGEDCOM

Act Now | 9 | ICS-CERT ICSA-24-193-05 | Jul 9, 2024
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

CVE-2024-3596 (Blastradius) is a vulnerability in the RADIUS protocol implementation affecting Siemens SCALANCE, RUGGEDCOM, and related industrial networking products. An on-path attacker located between a Network Access Server (the Siemens device acting as RADIUS client) and a RADIUS server (such as SINEC INS) can forge Access-Request packets and modify the corresponding server responses. This allows the attacker to convert "Access-Reject" messages into "Access-Accept" messages, granting unauthorized network access with attacker-specified authorization levels without knowing legitimate credentials. The vulnerability affects multiple product families and firmware versions; some products have been patched, while others (particularly SCALANCE XR/XM/XC/SC/W series models) have no fix planned. Mitigations include restricting RADIUS traffic to an isolated network segment, requiring Message-Authenticator attributes on the RADIUS server, and updating to patched firmware versions where available.

What this means
What could happen
An attacker positioned between your network access device (switch or router) and your RADIUS authentication server could intercept and forge authentication packets, allowing them to grant themselves network access with arbitrary privileges without knowing legitimate credentials.
Who's at risk
Network administrators and OT staff responsible for Siemens SCALANCE switches and RUGGEDCOM routers/gateways used in industrial networks, particularly those relying on RADIUS for 802.1X authentication. Affects hundreds of device models used in utilities, manufacturing, and critical infrastructure for network access control.
How it could be exploited
An attacker must be on the network path between the Siemens device (RADIUS client) and your RADIUS server. They intercept Access-Request packets and forge the server's response to turn rejection messages into acceptance messages, granting unauthorized network access with the attacker's chosen privilege level.
Prerequisites
  • Network position between device and RADIUS server (e.g., same VLAN or management network)
  • RADIUS traffic not encrypted or integrity-protected by Message-Authenticator attribute
  • Device configured to use RADIUS for authentication
  • Remotely exploitable via RADIUS protocol manipulation
  • Requires network access between device and RADIUS server (not directly remote)
  • No authentication required to forge packets
  • Low attack complexity once attacker is on-path
  • High EPSS score (23.8%)
  • Many affected products have no patch available
  • Impacts network segmentation and access control, undermining authentication
Exploitability
High exploit probability (EPSS 23.8%)
Affected products (416)
357 with fix, 59 pending

Product               | Affected Versions | Fix Status
RUGGEDCOM ROX RX1511  | < 2.17.0          | 2.17.0
RUGGEDCOM ROX RX1512  | < 2.17.0          | 2.17.0
RUGGEDCOM ROX RX1524  | < 2.17.0          | 2.17.0
RUGGEDCOM ROX RX1536  | < 2.17.0          | 2.17.0
RUGGEDCOM ROX RX5000  | < 2.17.0          | 2.17.0
Remediation & Mitigation
Do now
WORKAROUND: Restrict RADIUS traffic to isolated management VLAN or dedicated network segment with access controls
HARDENING: Configure RADIUS server to require Message-Authenticator attribute on all Access-Request packets from these devices
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update affected SCALANCE, RUGGEDCOM, and related products to patched firmware versions per the product list
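
What the Message-Authenticator hardening step under "Do now" asks the RADIUS server to enforce, as an added example that is not part of the advisory and not Siemens or SINEC INS code. The attribute number (80) and the HMAC-MD5 construction follow RFC 2869; the function names, shared secret and packets are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST = 1
MESSAGE_AUTHENTICATOR = 80  # attribute type, value is a 16-byte HMAC-MD5

def build_request(secret: bytes, ident: int, attrs: bytes, sign: bool) -> bytes:
    """Build a constructed Access-Request; if sign, prepend Message-Authenticator."""
    if sign:
        attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16) + attrs
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    pkt = bytearray(header + bytes(range(16)) + attrs)  # fixed sample authenticator
    if sign:
        # HMAC covers the whole packet with the attribute value still zeroed.
        pkt[22:38] = hmac.new(secret, bytes(pkt), hashlib.md5).digest()
    return bytes(pkt)

def check_request(secret: bytes, pkt: bytes) -> str:
    """Classify an Access-Request as 'ok', 'missing', 'invalid' or 'malformed'."""
    if len(pkt) < 20:
        return "malformed"
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCESS_REQUEST or length < 20 or length > len(pkt):
        return "malformed"
    pos, value_at = 20, None
    while pos < length:                      # walk the type/length/value attributes
        if pos + 2 > length:
            return "malformed"
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > length:
            return "malformed"
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18 or value_at is not None:
                return "malformed"           # wrong size or duplicated attribute
            value_at = pos + 2
        pos += alen
    if value_at is None:
        return "missing"                     # a server requiring the attribute drops this
    zeroed = pkt[:value_at] + bytes(16) + pkt[value_at + 16:length]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    received = pkt[value_at:value_at + 16]
    return "ok" if hmac.compare_digest(expected, received) else "invalid"
```

A server that enforces the hardening setting discards every request that does not classify as `ok`; counting `missing` results per RADIUS client also shows which devices still send unsigned requests.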