Vulnerabilities in Web Server for Scalance X Products
Act Now | CVSS 9.8 | SSA-139628 | Jan 12, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SCALANCE X switch families contain multiple vulnerabilities in the integrated web server that allow unauthenticated attackers to reboot devices or cause denial of service. Heap overflow (CWE-122) and missing access control (CWE-306) vulnerabilities in the web server can be triggered by sending malformed HTTP requests without authentication. Affected families include SCALANCE X-200, X-200IRT, and X-300 switches (including SIPLUS NET variants). Successful exploitation can reboot the switch, stop it from forwarding traffic, or potentially allow execution of arbitrary code on the switch.
What this means
What could happen
An unauthenticated attacker can reboot managed network switches or cause them to stop forwarding traffic, disrupting communication between plant devices, PLCs, and remote monitoring systems. Heap and buffer overflow vulnerabilities could allow attackers to execute arbitrary code on the switch itself.
Who's at risk
Organizations operating SCALANCE X-series managed industrial Ethernet switches should care. These switches are commonly used in water authorities and utilities to interconnect PLCs, remote terminal units (RTUs), human-machine interfaces (HMIs), and SCADA gateways. Failure of these switches disrupts communication to field devices and can prevent monitoring and control of pumps, motors, valves, and other critical infrastructure.
How it could be exploited
An attacker sends a malformed HTTP request to the web server on the SCALANCE X switch (typically port 80 or 443). The web server does not validate the request properly and a heap or buffer overflow occurs. This triggers a reboot of the switch, or in more advanced scenarios, allows the attacker to run commands with the privileges of the web server process.
Prerequisites
- Network-layer access to the web server port (80 or 443) on the SCALANCE X switch
- No authentication required
Tags: remotely exploitable, no authentication required, low complexity, high CVSS score (9.8)
Exploitability
Low exploit probability (EPSS 0.7%)
Affected products (3)
3 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| SCALANCE X-200 switch family (incl. SIPLUS NET variants) | < V5.2.5 | 5.2.5 |
| SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) | < V5.5.0 | 5.5.0 |
| SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) | < V4.1.0 | 4.1.0 |
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to the SCALANCE X switch web server port (80/443) using firewall rules; only allow administrative workstations or out-of-band management networks to connect
- HARDENING: Disable the web server on SCALANCE X switches if it is not actively used for management; use CLI or SNMP instead
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update SCALANCE X-200 switch firmware to version 5.2.5 or later
- HOTFIX: Update SCALANCE X-200IRT switch firmware to version 5.5.0 or later
- HOTFIX: Update SCALANCE X-300 switch firmware to version 4.1.0 or later
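One way to triage an asset inventory against the fixed versions listed above, so the patch window can be planned per device. This is an added example, not part of the advisory or any Siemens tooling; the CSV layout, hostnames, sample firmware values and status labels are assumptions.

```python
import csv
import io
import re

# Fixed firmware versions, taken from the advisory's affected-products table.
FIXED = {
    "X-200": (5, 2, 5),
    "X-200IRT": (5, 5, 0),
    "X-300": (4, 1, 0),
}

# Constructed sample inventory; hostnames, column names and versions are made up.
SAMPLE_INVENTORY = """\
host,family,firmware
sw-pump-01,X-200,V5.2.4
sw-pump-02,X-200,V5.2.5
sw-line-07,X-200IRT,v5.4.1
sw-core-01,X-300,4.1.0
sw-core-02,X-300,V4.0
sw-lab-03,X-300,unknown
sw-edge-09,other-vendor,V1.0
"""


def parse_version(text):
    """Return a 3-tuple of ints for 'V5.2.4', '5.2.4' or 'V4.0'; None if unparseable."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())


def triage(inventory_csv):
    """Map each host to 'vulnerable', 'fixed', 'not-listed' or 'review'."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = FIXED.get(row["family"].strip())
        version = parse_version(row["firmware"])
        if fixed is None:
            status = "not-listed"      # family is not in this advisory's table
        elif version is None:
            status = "review"          # version unknown: check the device by hand
        else:
            status = "vulnerable" if version < fixed else "fixed"
        result[row["host"]] = status
    return result


if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status}")
```

Devices reported as `vulnerable` or `review` are the ones to place behind the firewall restriction first while the firmware update is scheduled.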