Denial-of-Service Vulnerability in OSPF Packet Handling of SCALANCE XM-400 and XR-500 Devices
Plan Patch | 7.5 | SSA-116379 | May 11, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SCALANCE XM-400 and XR-500 devices contain a vulnerability in OSPF packet handling that allows an unauthenticated remote attacker to trigger a denial-of-service condition. By sending malicious OSPF packets, an attacker can cause the device to become unresponsive, requiring a reboot to restore operation. The vulnerability affects SCALANCE XM-400 devices running firmware versions prior to 6.4 and SCALANCE XR-500 devices running firmware versions prior to 6.4.
What this means
What could happen
An attacker on the network could cause SCALANCE switches to become unresponsive by sending malicious OSPF packets, disrupting routing and network connectivity across your facility. The device would require a reboot to recover.
Who's at risk
Water authorities and electric utilities using Siemens SCALANCE XM-400 or XR-500 switches for network backbone connectivity should prioritize this. These switches are commonly deployed as core or distribution-layer network devices connecting PLCs, RTUs, HMIs, and remote sites. Denial of service on these switches impacts facility-wide communications and control system availability.
How it could be exploited
An attacker on the network sends specially crafted OSPF (Open Shortest Path First) routing packets to a vulnerable SCALANCE XM-400 or XR-500 switch. The device's OSPF implementation fails to properly validate or handle the packet, causing it to crash or hang. No authentication is required—the attacker only needs network-layer reachability to the device.
Prerequisites
- Network access to the device on OSPF ports (typically UDP/TCP 89)
- Device must be running OSPF routing protocol
- No credentials or authentication required
- Remotely exploitable
- No authentication required
- Low complexity attack
- High availability impact
- OSPF is enabled by default on many installations
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
SCALANCE XM-400 Family | < V6.4 | 6.4
SCALANCE XR-500 Family | < V6.4 | 6.4
Remediation & Mitigation
Do now
WORKAROUND: If patching cannot be scheduled immediately, restrict OSPF neighbor relationships to trusted devices only and implement access control lists (ACLs) to block OSPF traffic (port 89) from untrusted network segments.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update SCALANCE XM-400 devices to firmware version 6.4 or later
HOTFIX: Update SCALANCE XR-500 devices to firmware version 6.4 or later
Long-term hardening
HARDENING: Segment network to limit which devices can reach SCALANCE switches on routing protocols
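The following is an added example, not part of the original advisory or any vendor code: a Python check that a monitoring host could run over mirrored traffic to confirm the workaround is holding, by flagging OSPF packets from sources outside a trusted-neighbor list or with a malformed common header. OSPF is carried directly in IP as protocol number 89, so the check keys on the IP protocol field. Assumptions: OSPFv2 over IPv4, input starting at the IP header, and constructed allow-list addresses, function names and sample packets.

```python
import ipaddress
import struct

OSPF_PROTO = 89  # OSPF is carried directly in IP as protocol number 89
OSPF_TYPES = {1: "Hello", 2: "DBD", 3: "LSR", 4: "LSU", 5: "LSAck"}
# Assumed allow-list of legitimate OSPF neighbours (constructed addresses).
TRUSTED = {ipaddress.ip_address("192.0.2.1"), ipaddress.ip_address("192.0.2.2")}


def classify(packet: bytes, trusted=TRUSTED):
    """Return None for non-OSPF traffic, else (verdict, source, detail)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None  # too short or not IPv4
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl or packet[9] != OSPF_PROTO:
        return None
    src = ipaddress.ip_address(packet[12:16])
    if src not in trusted:
        return ("alert", src, "OSPF from untrusted source")
    body = packet[ihl:]
    if len(body) < 24:  # OSPFv2 common header is 24 bytes
        return ("alert", src, "truncated OSPF header")
    version, ptype, length = struct.unpack("!BBH", body[:4])
    if version != 2 or ptype not in OSPF_TYPES or not 24 <= length <= len(body):
        return ("alert", src, "malformed OSPF header")
    return ("ok", src, OSPF_TYPES[ptype])


def sample(src: str, ospf: bytes, proto: int = OSPF_PROTO) -> bytes:
    """Constructed IPv4 packet (checksum left at zero) for the demo."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(ospf), 0, 0, 1, proto, 0,
                       ipaddress.ip_address(src).packed,
                       ipaddress.ip_address("224.0.0.5").packed) + ospf


def ospf_header(version: int = 2, ptype: int = 1, body: bytes = bytes(20)) -> bytes:
    """Constructed OSPF common header (router ID 192.0.2.1, area 0) plus body."""
    return struct.pack("!BBH4s4sHH8s", version, ptype, 24 + len(body),
                       ipaddress.ip_address("192.0.2.1").packed, bytes(4), 0, 0, bytes(8)) + body


if __name__ == "__main__":
    for pkt in (sample("192.0.2.1", ospf_header()),           # trusted neighbour
                sample("198.51.100.7", ospf_header()),        # not on the allow-list
                sample("192.0.2.2", ospf_header()[:10]),      # header cut short
                sample("192.0.2.2", ospf_header(version=9))): # bad version field
        print(classify(pkt))
```

An alert for an untrusted source means OSPF traffic is still reaching the monitored segment from outside the intended neighbor set, so the ACL or segmentation needs review.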
CVEs (1)