Use of Hardcoded Key in SCALANCE X Devices Under Certain Conditions
Priority: Act Now · CVSS 9.1 · SSA-274900 · Jan 12, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
SCALANCE X network switches may, under certain conditions during device initialization after a factory reset, fail to generate a unique random cryptographic key and instead fall back to a private key that ships with the firmware. Because that key is part of the firmware image, every switch that takes this path ends up with the same private key. This applies to the X-200, X-200IRT, X-200RNA, and X-300 switch families.
What this means
What could happen
An attacker who obtains the hardcoded firmware key can impersonate any affected switch or decrypt its management traffic. That lets them intercept configuration changes, harvest credentials for other network devices, or disrupt network communications in a water or electric system.
Who's at risk
Water authorities and municipal utilities operating Siemens SCALANCE X-200, X-200IRT, X-200RNA, or X-300 series network switches. These are commonly used for secure industrial communications in substations, water treatment plants, and critical infrastructure networks. Any organization relying on these switches for network segmentation or encrypted management traffic is affected.
How it could be exploited
An attacker who obtains the device firmware (from publicly available sources or from a captured switch) extracts the hardcoded private key; because the key is shared, one extraction covers every switch that fell back to it. With the key and a position on the path between a switch and its management system, the attacker can impersonate the switch during the TLS handshake (an active man-in-the-middle). Passive decryption of recorded sessions only works where the session used RSA key transport; a session negotiated with an ephemeral (forward-secret) key exchange cannot be recovered from the private key alone, although it can still be actively intercepted.
Prerequisites
- Access to firmware file or device to extract the hardcoded key
- Network access to the SCALANCE X switch or the management systems communicating with it
- Ability to perform man-in-the-middle (MITM) positioning on the network
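The observable symptom of this fault is that every switch that fell back to the firmware key presents the same public key in its HTTPS certificate. The following fleet check is an added example (not Siemens code and not from the original advisory): it extracts the SubjectPublicKeyInfo from each switch's certificate with a minimal DER walker from the standard library, fingerprints it, and reports any key that more than one host presents. The hostnames, the `SHARED_KEY` modulus and the `fake_cert` certificate skeleton are constructed test data so the block runs offline; against real devices you would feed `shared_key_groups` the output of `fetch_cert_der` for each management address.

```python
"""Fleet check for a shared (hardcoded) TLS key on SCALANCE X management
interfaces. Added example, not Siemens code. Switches that fell back to the
firmware's built-in RSA key present the SAME public key in their HTTPS
certificate, so identical SubjectPublicKeyInfo (SPKI) fingerprints across
different hosts are the symptom to look for. Standard library only."""
import hashlib
import ssl
from collections import defaultdict


def _der_read(buf: bytes, pos: int):
    """Decode one DER TLV at pos; return (tag, value, end_offset)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: N length octets follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _der_children(body: bytes):
    """Yield (tag, value, full_tlv) for each element of a SEQUENCE/SET body."""
    pos = 0
    while pos < len(body):
        tag, val, end = _der_read(body, pos)
        yield tag, val, body[pos:end]
        pos = end


def spki_from_der_cert(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.
    Inside tbsCertificate the SPKI is the only SEQUENCE whose children are
    exactly [AlgorithmIdentifier SEQUENCE, BIT STRING]; the signature
    AlgorithmIdentifier ([OID, params]), Names ([SET, ...]) and Validity
    ([time, time]) all look different, so no full schema is needed."""
    outer_tag, cert_body, _ = _der_read(cert_der, 0)
    tbs_tag, tbs, _ = _der_read(cert_body, 0)
    if outer_tag != 0x30 or tbs_tag != 0x30:
        raise ValueError("not a DER X.509 certificate")
    for tag, val, tlv in _der_children(tbs):
        if tag == 0x30 and [t for t, _, _ in _der_children(val)] == [0x30, 0x03]:
            return tlv
    raise ValueError("no SubjectPublicKeyInfo found")


def spki_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER SPKI (the usual public-key pinning fingerprint)."""
    return hashlib.sha256(spki_from_der_cert(cert_der)).hexdigest()


def shared_key_groups(certs: dict) -> dict:
    """Map SPKI fingerprint -> sorted hosts, keeping only keys seen on more
    than one host. Any non-empty result means those switches share a key."""
    groups = defaultdict(list)
    for host, der in certs.items():
        groups[spki_fingerprint(der)].append(host)
    return {fp: sorted(hosts) for fp, hosts in groups.items() if len(hosts) > 1}


def fetch_cert_der(host: str, port: int = 443) -> bytes:
    """Grab the leaf certificate a live switch presents (no validation: we
    are fingerprinting whatever the device serves, not trusting it)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))


# ---- constructed sample input so the check runs without a network --------
def _der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a definite (short or long form) length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _der_int(n: int) -> bytes:
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)


def fake_cert(cn: str, modulus: int) -> bytes:
    """Unsigned X.509 skeleton carrying an RSA modulus: enough structure for
    the walker above, NOT a valid certificate (constructed test data)."""
    rsa_enc = _der(0x06, bytes.fromhex("2a864886f70d010101"))   # rsaEncryption
    sha_rsa = _der(0x06, bytes.fromhex("2a864886f70d01010b"))   # sha256WithRSA
    sig_alg = _der(0x30, sha_rsa + _der(0x05, b""))
    pub = _der(0x30, _der_int(modulus) + _der_int(65537))
    spki = _der(0x30, _der(0x30, rsa_enc + _der(0x05, b"")) + _der(0x03, b"\x00" + pub))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403"))
                                        + _der(0x0C, cn.encode()))))
    validity = _der(0x30, _der(0x17, b"210112000000Z") + _der(0x17, b"310112000000Z"))
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(1) + sig_alg
               + name + validity + name + spki)
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00"))


# Constructed fleet: two switches present the same (stand-in "hardcoded")
# modulus, the third generated its own key. Hostnames are hypothetical.
SHARED_KEY = (1 << 2047) | 0x10001
SAMPLE_CERTS = {
    "scalance-x200-a": fake_cert("scalance-x200-a", SHARED_KEY),
    "scalance-x200-b": fake_cert("scalance-x200-b", SHARED_KEY),
    "scalance-x300-c": fake_cert("scalance-x300-c", (1 << 2047) | 0x1235),
}

if __name__ == "__main__":
    for fp, hosts in shared_key_groups(SAMPLE_CERTS).items():
        print(f"shared SPKI {fp[:16]} presented by: {', '.join(hosts)}")
```

Run it once before patching to find switches on the firmware key, and again after the update and any key regeneration; a host that still appears in a shared-key group has not rotated its key. The check is deliberately fingerprint-based, so it never needs the private key itself and works the same for any device family.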
Tags: remotely exploitable · no authentication required for key extraction from firmware · affects network infrastructure used for critical operations · hardcoded credentials in firmware
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (4), all with a fix available
Product | Affected versions | Fixed in
SCALANCE X-200 switch family (incl. SIPLUS NET variants) | All versions < V5.2.5 | V5.2.5
SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) | All versions < V5.5.0 | V5.5.0
SCALANCE X-200RNA switch family | All versions < V3.2.7 | V3.2.7
SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) | All versions < V4.1.0 | V4.1.0
Remediation & Mitigation
Do now
HARDENING: Restrict network access to SCALANCE X switch management interfaces to trusted engineering and IT systems only, using firewall rules and access control lists (ACLs).
Schedule (requires a maintenance window; patching may require a device reboot, so plan for process interruption)
HOTFIX: Update SCALANCE X-200 switches to firmware version V5.2.5 or later
HOTFIX: Update SCALANCE X-200IRT switches to firmware version V5.5.0 or later
HOTFIX: Update SCALANCE X-200RNA switches to firmware version V3.2.7 or later
HOTFIX: Update SCALANCE X-300 switches (including X408 and SIPLUS NET variants) to firmware version V4.1.0 or later
After updating, confirm the fix by checking that no two switches present the same public key on their management interface.
Long-term hardening
HARDENING: Implement network segmentation to isolate switches from untrusted network segments and limit exposure if a switch key is compromised.
CVEs (2)
API: /api/v1/advisories/06f18d64-4f3c-4600-a762-8de6efc5f8c5