OTPulse

SegmentSmack in VxWorks-based Industrial Devices

Action: Plan Patch
Score: 7.5 (CVSS)
Advisory: SSA-102233
Date: Apr 14, 2020
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

SegmentSmack is a denial-of-service vulnerability in the TCP stack of the affected VxWorks-based devices. A remote, unauthenticated attacker who can reach a TCP service on the device can send specially crafted TCP segments that force the stack into expensive per-segment processing, exhausting the CPU and leaving the device unresponsive. Affected products include the Siemens SCALANCE X-200 (including IRT variants), X-300, X-400, XF-200 and XR-300 industrial Ethernet switches; the SIMATIC CP 343-1 Advanced, CP 442-1 RNA, CP 443-1 and CP 443-1 Advanced communications processors; the SIMATIC RF180C and RF182C; and the corresponding SIPLUS NET variants. Siemens has released firmware updates for most products. CP 343-1 Advanced, RF180C, RF182C and SIPLUS NET CP 343-1 Advanced have no fix, so network access to them must be restricted instead.

What this means
What could happen
An attacker who can reach the device over the network can send specially crafted TCP segments that force the device's TCP stack into expensive per-segment computation. Once the CPU is saturated, the industrial Ethernet switch or communications module stops responding: the switch no longer forwards traffic reliably and the communications processor no longer serves its PLC.
Who's at risk
Manufacturing facilities using Siemens SCALANCE industrial Ethernet switches and SIMATIC communications processors should prioritize this advisory. SCALANCE switches (X2xx, X3xx, X4xx, XF, XR series) are critical for factory and plant network connectivity; communications modules (CP 443-1, CP 442-1, RF180C, RF182C) enable PLC and automation controller communication. If these devices become unresponsive due to denial-of-service, factory operations and remote monitoring can be disrupted.
How it could be exploited
The attacker first completes a TCP handshake with a listening port on the device (SegmentSmack needs a two-way session, so a spoofed source address is not enough) and then sends a stream of small, out-of-order segments within that session. The vulnerable stack spends CPU reassembling and pruning the growing out-of-order queue for every segment it receives, so a sustained stream from one host, or a flood from several, leaves too little CPU for legitimate traffic and control functions.
Prerequisites
  • Network access to a TCP service on the device
  • No authentication required
  • Ability to complete a TCP handshake and send segments in the established session (a spoofed source address is not sufficient)
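A flow-level heuristic for spotting this traffic pattern, written as an added example that is not part of the Siemens advisory or of any Siemens tool: it tracks the next expected sequence number per direction of every TCP session whose handshake it saw, and raises an alert when one peer sends more than a threshold of small data segments that lie ahead of that point within a one-second window. The Segment record, the thresholds and the sample traffic are all constructed assumptions for the example; a real deployment would feed it from a pcap parser or a flow sensor.

```python
"""Flow-level heuristic for spotting SegmentSmack-style traffic.

Added example, not code from the advisory or from Siemens. It flags TCP flows
in which one peer sends many small, out-of-order data segments within a short
window: the traffic shape that makes a vulnerable stack burn CPU on reassembly.
The packet records below are constructed for the example; in practice they
would come from a pcap parser or a flow sensor that also sees the handshake.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

# Heuristic thresholds: assumptions to tune per network, not values from the advisory.
WINDOW_SECONDS = 1.0
SMALL_PAYLOAD = 64       # bytes; attack segments are tiny
MIN_OOO_SEGMENTS = 50    # small out-of-order segments per window before alerting

SEQ_MASK = 0xFFFFFFFF


@dataclass(frozen=True)
class Segment:
    ts: float          # capture time in seconds
    src: str
    sport: int
    dst: str
    dport: int
    seq: int           # TCP sequence number
    payload_len: int   # bytes of TCP payload
    flags: str         # one letter per flag, e.g. "S", "SA", "A", "PA"


def seq_ahead(seq, expected):
    """True if seq lies strictly ahead of expected, allowing for 32-bit wraparound."""
    return 0 < ((seq - expected) & SEQ_MASK) < 0x80000000


def detect_segment_floods(segments, window=WINDOW_SECONDS,
                          small=SMALL_PAYLOAD, threshold=MIN_OOO_SEGMENTS):
    """Return [(src, dst, dport, peak_count)] for flows that exceed threshold."""
    expected = {}                 # (src, sport, dst, dport) -> next in-order seq
    recent = defaultdict(deque)   # same key -> timestamps of recent small OOO segments
    alerts = {}
    for s in sorted(segments, key=lambda x: x.ts):
        key = (s.src, s.sport, s.dst, s.dport)
        if "S" in s.flags:
            # SYN consumes one sequence number; data starts at ISN + 1
            expected[key] = (s.seq + 1) & SEQ_MASK
            continue
        if s.payload_len == 0 or key not in expected:
            continue   # pure ACKs queue nothing; unseen handshake gives no baseline
        exp = expected[key]
        if s.seq == exp:
            expected[key] = (exp + s.payload_len) & SEQ_MASK   # in-order data
            continue
        if not seq_ahead(s.seq, exp):
            continue   # seq behind expected: retransmission of delivered data
        if s.payload_len > small:
            continue   # ordinary loss-induced reordering of full-size segments
        times = recent[key]
        times.append(s.ts)
        while times and s.ts - times[0] > window:
            times.popleft()    # slide the window
        if len(times) >= threshold:
            flow = (s.src, s.dst, s.dport)
            alerts[flow] = max(alerts.get(flow, 0), len(times))
    return [(src, dst, dport, n) for (src, dst, dport), n in alerts.items()]


def constructed_segments():
    """Constructed sample traffic (not a capture): one benign in-order flow and
    one flood of tiny gapped segments, both aimed at a switch's TCP port 80."""
    device = ("192.168.0.10", 80)
    segs = []
    isn = 1000   # benign client: SYN, then five in-order 1000-byte segments
    segs.append(Segment(0.00, "10.0.0.5", 40000, *device, isn, 0, "S"))
    for i in range(5):
        segs.append(Segment(0.01 * (i + 1), "10.0.0.5", 40000, *device,
                            isn + 1 + i * 1000, 1000, "PA"))
    isn = 5000   # attacker: SYN, then 60 one-byte segments that each leave a gap,
    segs.append(Segment(0.10, "10.0.0.99", 50000, *device, isn, 0, "S"))
    for i in range(60):   # so nothing is deliverable and the queue only grows
        segs.append(Segment(0.10 + 0.005 * (i + 1), "10.0.0.99", 50000, *device,
                            isn + 1 + 2 * (i + 1), 1, "PA"))
    return segs


if __name__ == "__main__":
    for src, dst, dport, n in detect_segment_floods(constructed_segments()):
        print(f"ALERT {src} -> {dst}:{dport}: {n} small out-of-order segments "
              f"within {WINDOW_SECONDS}s")
```

Two caveats matter in practice. The sensor must see the SYN of a session to establish a baseline, otherwise the flow is ignored; and the heuristic detects the traffic shape, not a specific firmware bug, so full-size out-of-order segments from genuine packet loss are deliberately not counted and the threshold should be tuned against a baseline of the cell's normal traffic.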
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Affects network availability
  • Multiple products lack patches
Exploitability
Low exploit probability (EPSS 0.5%). EPSS estimates the likelihood of in-the-wild exploitation activity, not the difficulty of the attack, which remains low for any device that is reachable.
Affected products (90): 86 with fix, 4 pending (excerpt)

Product                     Affected versions   Fixed in
SCALANCE X206-1             < V5.2.5            V5.2.5
SCALANCE X200-4P IRT        < V5.5.0            V5.5.0
SCALANCE X201-3P IRT        < V5.5.0            V5.5.0
SCALANCE X201-3P IRT PRO    < V5.5.0            V5.5.0
SCALANCE X202-2IRT          < V5.5.0            V5.5.0
Remediation & Mitigation

Do now

SIMATIC CP 343-1 Advanced
WORKAROUND: Restrict network access to SIMATIC CP 343-1 Advanced, SIMATIC RF180C, SIMATIC RF182C, and SIPLUS NET CP 343-1 Advanced via firewall rules or network segmentation, as no firmware fixes are available for these devices. Allow TCP connections only from the hosts that need them (engineering stations, HMI and SCADA servers) and block all other sources at the cell boundary; since the attack needs an established TCP session, this removes the attacker's prerequisite rather than merely reducing exposure.

Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SCALANCE X206-1
HOTFIX: Update SCALANCE X206-1, X204-2, X204-2FM, X204-2LD, X204-2LD TS, X204-2TS, X206-1LD, X208, X208PRO, X212-2, X212-2LD, X216, X224, XF204, XF204-2, XF206-1, and XF208 to firmware version 5.2.5 or later

SCALANCE X200-4P IRT
HOTFIX: Update SCALANCE X200-4P IRT, X201-3P IRT, X201-3P IRT PRO, X202-2IRT, X202-2P IRT, X202-2P IRT PRO, X204IRT, X204IRT PRO, XF201-3P IRT, XF202-2P IRT, XF204-2BA IRT, and XF204IRT to firmware version 5.5.0 or later

SCALANCE X308-2
HOTFIX: Update SCALANCE X302-7 EEC (all variants), X304-2FE, X306-1LD FE, X307-2 EEC (all variants), X307-3, X307-3LD, X308-2, X308-2LD, X308-2LH, X308-2LH+, X308-2M, X308-2M PoE, X308-2M TS, X310, X310FE, X320-1 FE, X320-1-2LD FE, X408-2, XR324-12M (all variants), XR324-4M EEC (all variants), XR324-4M PoE (all variants), and SIPLUS NET SCALANCE X308-2 to firmware version 4.1.4 or later

SIMATIC CP 442-1 RNA
HOTFIX: Update SIMATIC CP 442-1 RNA to firmware version 1.5.18 or later

SIMATIC CP 443-1
HOTFIX: Update SIMATIC CP 443-1, SIMATIC CP 443-1 Advanced, SIPLUS NET CP 443-1, and SIPLUS NET CP 443-1 Advanced to firmware version 3.3 or later

Long-term hardening

HARDENING: Segment industrial network switches and communication modules from untrusted networks using firewalls or industrial demilitarized zones. For the four products without a fix, that boundary is the only control, so verify it with a scan from the office network rather than relying on the intended design.