Siemens SCALANCE, RUGGEDCOM

Act Now | CVSS 9.0 | ICS-CERT ICSA-24-193-05 | Jul 9, 2024
Vendor: Siemens | Sector: Energy
Attack path
  Attack Vector: Network
  Auth Required: None
  Complexity: High
  User Interaction: None needed
Summary

CVE-2024-3596 (Blast-RADIUS) is a vulnerability in the RADIUS protocol (RFC 2865) that affects Siemens SCALANCE, RUGGEDCOM and related industrial networking products acting as RADIUS clients. An on-path attacker between a Network Access Server (the Siemens device) and a RADIUS server (such as SINEC INS) can modify a legitimate Access-Request and then forge the server's response: using an MD5 chosen-prefix collision, the attacker turns the server's Access-Reject into an Access-Accept that carries a valid Response Authenticator, obtaining network access with attacker-chosen authorization attributes without knowing any user credentials or the RADIUS shared secret. The vulnerability affects multiple product families and firmware versions; some products have been patched, while others (notably SCALANCE XR/XM/XC/SC/W series models) have no fix planned. Mitigations include isolating RADIUS traffic on a dedicated management segment, requiring and validating the Message-Authenticator attribute on both the RADIUS server and the client, and updating to patched firmware where available.

What this means
What could happen
An attacker positioned between your network access device (switch or router) and your RADIUS authentication server could intercept and forge authentication packets, allowing them to grant themselves network access with arbitrary privileges without knowing legitimate credentials.
Who's at risk
Network administrators and OT staff responsible for Siemens SCALANCE switches and RUGGEDCOM routers/gateways used in industrial networks, particularly those relying on RADIUS for 802.1X authentication. Affects hundreds of device models used in utilities, manufacturing, and critical infrastructure for network access control.
How it could be exploited
The attacker must sit on the network path between the Siemens device (RADIUS client) and the RADIUS server. They capture a genuine Access-Request (for example, their own login attempt with an invalid password), append a Proxy-State attribute whose bytes are chosen so that the server's predictable Access-Reject and the attacker's desired Access-Accept form an MD5 collision, and forward the modified request. The server echoes Proxy-State back in its reply, so the Response Authenticator it computes for the Reject (an MD5 hash with the shared secret merely appended) is also valid for the attacker's forged Access-Accept, which is delivered to the device with whatever authorization attributes (VLAN, privilege level) the attacker chose.
Prerequisites
  • Network position between device and RADIUS server (e.g., same VLAN or management network)
  • RADIUS carried over plain UDP rather than RADIUS/TLS or IPsec, with the Message-Authenticator attribute neither required nor validated on both ends
  • Device configured to use RADIUS for authentication
  • Remotely exploitable via RADIUS protocol manipulation
  • Requires network access between device and RADIUS server (not directly remote)
  • No authentication required to forge packets
  • CVSS rates attack complexity High because of the on-path and collision requirements, but once the attacker is on-path the remaining steps are practical
  • High EPSS score (23.8% at the time of this summary; the Exploitability section reports 19.0%, as EPSS scores are recomputed daily)
  • Many affected products have no patch available
  • Impacts network segmentation and access control, undermining authentication
Exploitability
Likely to be exploited — EPSS score 19.0%
Public Proof-of-Concept (PoC) on GitHub (1 repository)
Affected products (469): 409 with fix, 60 pending

Product                                   Affected Versions   Fix Status
CPC80 Central Processing/Communication    < 16.51             16.51
CPCI85 Central Processing/Communication   < 6.20              6.20
POWER METER SICAM Q100 family             < 2.70              2.70
POWER METER SICAM Q200 family             < 2.83              2.83
Powerlink IP                              All versions        No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict RADIUS traffic to an isolated management VLAN or dedicated network segment with access controls, so that no untrusted host can sit on the path between the device and the RADIUS server.
HARDENING: Configure the RADIUS server to require and validate the Message-Authenticator attribute on all Access-Request packets from these devices, and to include Message-Authenticator in every Access-Accept, Access-Reject and Access-Challenge it sends. Check first that the device firmware actually sends Message-Authenticator in its requests; if it does not, requiring it on the server breaks authentication rather than hardening it, and a signed server response only protects devices whose firmware validates the signature.
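The exchange described under "How it could be exploited" and the Message-Authenticator hardening above, as an added example that is not part of this advisory and not Siemens', SINEC INS's or any RADIUS implementation's code: a minimal RADIUS packet builder and validator in Python. It shows why an on-path Proxy-State injection is accepted by a server that does not validate Message-Authenticator and dropped by one that does, why a client that demands a signed response refuses an unsigned or code-flipped reply, and a simple detection heuristic (a NAS that is not a proxy should never send Proxy-State). The shared secret, identifier, user name and fixed Request Authenticator are constructed values; the 40 zero bytes stand in for the collision bytes and do not produce a collision (computing one is outside this example).

```python
import hashlib
import hmac
import struct

# RADIUS codes (RFC 2865) and the attribute types used here
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_PROXY_STATE, ATTR_MESSAGE_AUTHENTICATOR = 1, 33, 80


def encode_attrs(attrs):
    """TLV-encode [(type, value), ...]; the length byte counts the 2-byte header."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def decode_attrs(data):
    """Parse the attribute section into [(type, value), ...]; refuse malformed lengths."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or data[i + 1] < 2 or i + data[i + 1] > len(data):
            raise ValueError("malformed RADIUS attribute")
        attrs.append((data[i], data[i + 2:i + data[i + 1]]))
        i += data[i + 1]
    return attrs


def split_message_authenticator(pkt):
    """Return (packet with the Message-Authenticator value zeroed, its value) or (pkt, None)."""
    body, i = pkt[20:], 0
    decode_attrs(body)  # validates structure before walking it
    while i < len(body):
        t, l = body[i], body[i + 1]
        if t == ATTR_MESSAGE_AUTHENTICATOR and l == 18:
            off = 20 + i + 2
            return pkt[:off] + bytes(16) + pkt[off + 16:], pkt[off:off + 16]
        i += l
    return pkt, None


def build_packet(code, ident, authenticator, attrs, secret, sign):
    """Serialize Code|ID|Length|Authenticator|Attributes. With sign=True, append
    Message-Authenticator = HMAC-MD5(secret, packet with the value zeroed) (RFC 2869 5.14)."""
    if sign:
        attrs = attrs + [(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))]
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if sign:
        mac = hmac.new(secret, header + authenticator + body, hashlib.md5).digest()
        body = body[:-16] + mac  # Message-Authenticator is the last attribute appended
    return header + authenticator + body


def build_response(code, request, attrs, secret, sign):
    """Server side. Message-Authenticator (if any) is keyed over the *request* authenticator;
    then Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret) (RFC 2865 3)
    replaces the authenticator field. That unkeyed MD5 construction is what Blast-RADIUS collides."""
    req_auth = request[4:20]
    pkt = build_packet(code, request[1], req_auth, attrs, secret, sign)
    resp_auth = hashlib.md5(pkt[:4] + req_auth + pkt[20:] + secret).digest()
    return pkt[:4] + resp_auth + pkt[20:]


def inject_proxy_state(request, blob):
    """The on-path step: append Proxy-State to someone else's Access-Request without the secret.
    Blast-RADIUS parks its collision bytes here because servers echo Proxy-State back unchanged."""
    body = request[20:] + encode_attrs([(ATTR_PROXY_STATE, blob)])
    return struct.pack("!BBH", request[0], request[1], 20 + len(body)) + request[4:20] + body


def server_accepts_request(pkt, secret, require_ma):
    """Server check. require_ma=True is the advisory's hardening: a request without a valid
    Message-Authenticator is dropped, so the injected Proxy-State never reaches the auth logic."""
    zeroed, ma = split_message_authenticator(pkt)
    if ma is None:
        return not require_ma
    return hmac.compare_digest(ma, hmac.new(secret, zeroed, hashlib.md5).digest())


def client_accepts_response(resp, request, secret, require_ma):
    """NAS check. Response Authenticator first; require_ma=True additionally demands a valid
    Message-Authenticator, which an on-path attacker cannot forge without the shared secret."""
    req_auth = request[4:20]
    if resp[1] != request[1]:
        return False
    expected = hashlib.md5(resp[:4] + req_auth + resp[20:] + secret).digest()
    if not hmac.compare_digest(resp[4:20], expected):
        return False
    zeroed, ma = split_message_authenticator(resp)
    if ma is None:
        return not require_ma
    keyed = zeroed[:4] + req_auth + zeroed[20:]
    return hmac.compare_digest(ma, hmac.new(secret, keyed, hashlib.md5).digest())


def has_proxy_state(pkt):
    """Detection heuristic: a switch or router that is not a RADIUS proxy never sends Proxy-State."""
    return any(t == ATTR_PROXY_STATE for t, _ in decode_attrs(pkt[20:]))


def demo():
    secret = b"constructed-shared-secret"  # constructed value; real secrets are per client
    req_auth = bytes(range(16))            # fixed for reproducibility; a NAS uses random bytes
    user = [(ATTR_USER_NAME, b"operator")]
    unsigned_req = build_packet(ACCESS_REQUEST, 7, req_auth, user, secret, sign=False)
    signed_req = build_packet(ACCESS_REQUEST, 7, req_auth, user, secret, sign=True)
    blob = bytes(40)                       # placeholder for collision bytes; not a real collision
    reject_plain = build_response(ACCESS_REJECT, signed_req, [], secret, sign=False)
    reject_signed = build_response(ACCESS_REJECT, signed_req, [], secret, sign=True)
    code_flipped = bytes([ACCESS_ACCEPT]) + reject_signed[1:]
    return {
        "legacy_server_takes_tampered_request": server_accepts_request(inject_proxy_state(unsigned_req, blob), secret, False),
        "validating_server_drops_tampered_request": not server_accepts_request(inject_proxy_state(signed_req, blob), secret, True),
        "validating_server_takes_genuine_request": server_accepts_request(signed_req, secret, True),
        "tampered_request_flagged_by_detection": has_proxy_state(inject_proxy_state(unsigned_req, blob)),
        "legacy_client_takes_unsigned_reply": client_accepts_response(reject_plain, signed_req, secret, False),
        "hardened_client_refuses_unsigned_reply": not client_accepts_response(reject_plain, signed_req, secret, True),
        "hardened_client_takes_signed_reply": client_accepts_response(reject_signed, signed_req, secret, True),
        "hardened_client_refuses_code_flip": not client_accepts_response(code_flipped, signed_req, secret, True),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

Every entry in `demo()` is expected to be true. The two `require_ma` flags are the server-side and client-side halves of the hardening item above: the server flag blocks the Proxy-State injection, the client flag blocks the forged response, and each half on its own leaves the other direction open. `has_proxy_state` is a cheap check to run over captured Access-Requests from switches and routers that are not RADIUS proxies.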
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update affected SCALANCE, RUGGEDCOM, and related products to patched firmware versions per the product list