Buffer Overflow Vulnerability in SCALANCE X Switches
Plan Patch | 7.5 | SSA-130874 | Apr 5, 2012
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
The embedded web server on SCALANCE X-series industrial Ethernet switches contains a buffer overflow vulnerability in URL handling. An unauthenticated remote attacker can send a malformed URL to trigger either a denial of service (switch reboot) or potentially execute arbitrary code on the switch. The vulnerability is present in firmware versions below 3.7.1 (X414-3E) and 3.7.2 (all other models).
What this means
What could happen
An attacker could crash your SCALANCE switch by sending a malformed web request, causing temporary loss of network connectivity and interrupting plant operations that depend on that switch. In a worst-case scenario, arbitrary code execution on the switch could allow an attacker to intercept or manipulate network traffic.
Who's at risk
Water utilities and electric utilities operating Siemens SCALANCE X-series industrial Ethernet switches in their control networks. These switches are used for backbone network connectivity in distribution automation, pump stations, substation networks, and remote terminal units (RTUs). The vulnerability affects 50+ variants across the X300, X400, and XR300 product families in both managed and unmanaged configurations.
How it could be exploited
An attacker with network access to the switch's embedded web server (port 80/443) sends a malformed HTTP request with an oversized URL that overflows a buffer in the web server code. The switch then either crashes (denial of service) or executes attacker-supplied code on the switch itself.
Prerequisites
- Network access to the switch's web server port (80 or 443)
- No authentication required to trigger the vulnerability
Tags: remotely exploitable, no authentication required, low complexity attack, web service accessible from network, potential arbitrary code execution on network device
Exploitability
Moderate exploit probability (EPSS 2.7%)
Affected products (52)
52 with fix
Product | Affected Versions | Fix Status
SCALANCE X302-7 EEC (230V, coated) | < 3.7.2 | 3.7.2
SCALANCE X302-7 EEC (230V) | < 3.7.2 | 3.7.2
SCALANCE X302-7 EEC (24V, coated) | < 3.7.2 | 3.7.2
SCALANCE X302-7 EEC (24V) | < 3.7.2 | 3.7.2
SCALANCE X302-7 EEC (2x 230V, coated) | < 3.7.2 | 3.7.2
Remediation & Mitigation
Do now
HARDENING: Restrict network access to switch web management interfaces (ports 80, 443) using firewall rules; only allow access from authorized engineering workstations
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
SCALANCE X414-3E
HOTFIX: Update SCALANCE X414-3E switches to firmware version 3.7.1 or later
All products
HOTFIX: Update all other affected SCALANCE X-series switches to firmware version 3.7.2 or later
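An added example, not part of the advisory or any vendor tooling: a Python check that classifies a switch inventory against the two fixed firmware versions above, including the case where 3.7.1 is sufficient for the X414-3E but not for other models. The CSV layout, host names and model-name pattern are assumptions, and the sample rows are constructed.

```python
import csv
import io
import re

# Fixed-firmware thresholds as stated in the advisory.
FIXED_X414_3E = (3, 7, 1)
FIXED_OTHERS = (3, 7, 2)
# Families named in the advisory; the name pattern is an inventory assumption.
IN_SCOPE = re.compile(r"SCALANCE\s+(XR3\d\d|X3\d\d|X4\d\d)", re.I)
VERSION = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text):
    """Return (major, minor, patch) or None when no version can be read."""
    m = VERSION.search(text or "")
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def assess(model, firmware):
    """Classify one switch against the advisory's fixed versions."""
    if not IN_SCOPE.search(model or ""):
        return "out-of-scope"
    version = parse_version(firmware)
    if version is None:
        return "unknown"  # never assume an unreadable version is patched
    fixed = FIXED_X414_3E if "X414-3E" in model.upper() else FIXED_OTHERS
    return "affected" if version < fixed else "fixed"


def triage(inventory_csv):
    """Map host -> status for a CSV with host,model,firmware columns."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: assess(r["model"], r["firmware"]) for r in rows}


# Constructed sample inventory (hosts and versions are made up).
SAMPLE = """host,model,firmware
sw-pump-01,SCALANCE X414-3E,V3.7.1
sw-pump-02,SCALANCE X414-3E,3.7.0
sw-sub-01,"SCALANCE X302-7 EEC (230V, coated)",V3.7.1
sw-sub-02,SCALANCE X302-7 EEC (24V),3.10.0
sw-rtu-01,SCALANCE X302-7 EEC (24V),n/a
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Switches reported as "unknown" should be checked by hand and kept behind the web-management firewall restriction until their firmware version is confirmed.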
CVEs (1)