Multiple Vulnerabilities in SCALANCE XB-200 / XC-200 / XP-200 / XF-200BA / XR-300WG Family
Monitor | 4.9 | SSA-353002 | Mar 12, 2024
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities (CVE-2023-44318 and CVE-2023-44321) in the SCALANCE XB/XC/XP/XF/XR family of industrial Ethernet switches allow an authenticated attacker to read sensitive information including configuration data and cryptographic keys. The vulnerabilities stem from improper handling of cryptographic material and lack of proper input validation. Affected products include SCALANCE XB205-3, XB206-2, XB208, XB213-3, XB216, XC206-2, XC208, XC216, XC224, XF204, XP208, XP216, XR324WG, XR326-2C, XR328-4C, and SIPLUS NET variants.
What this means
What could happen
An attacker with administrator credentials could read sensitive configuration data or crypto keys from affected SCALANCE network switches, potentially compromising network security and enabling lateral movement in the industrial network.
Who's at risk
Water utilities and electric utilities operating Siemens SCALANCE industrial Ethernet switches (XB, XC, XP, XF, and XR series) used to network PLCs, RTUs, and other field devices in SCADA/process networks are affected. This includes facilities running Profinet and EtherNet/IP protocols.
How it could be exploited
An attacker with valid administrative credentials accesses the web interface or management console of a SCALANCE switch and exploits the vulnerability to extract sensitive configuration data, cryptographic keys, or other protected information from device memory.
Prerequisites
- Valid administrative credentials for the affected switch
- Network access to the management interface (web UI or SSH/Telnet)
- Device must be running a firmware version below 4.6
- Requires valid credentials
- Medium CVSS score
- Low exploitation probability (0.2% EPSS)
- Affects network infrastructure components
- No active exploitation reported
- Patch available from vendor
Exploitability
Low exploit probability (EPSS 0.2%)
Affected products (172)
86 with fix, 86 pending
Product | Affected Versions | Fix Status
SCALANCE XP216POE EEC | All versions | No fix yet
SCALANCE XP216POE EEC | < 4.6 | 4.6
SCALANCE XP216PoE EEC (V2) | All versions | No fix yet
SCALANCE XP216PoE EEC (V2) | < 4.6 | 4.6
SCALANCE XR324WG (24 x FE, AC 230V) | All versions | No fix yet
Remediation & Mitigation
Do now
WORKAROUND: Restrict administrative access to SCALANCE switches using firewall rules or network segmentation; limit management access to dedicated engineering workstations or a jump host
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update all affected SCALANCE switches to firmware version 4.6 or later
HARDENING: Rotate any cryptographic keys or credentials that may have been extracted from affected devices
Long-term hardening
HARDENING: Implement network segmentation to isolate management traffic for industrial switches from general corporate networks
HARDENING: Monitor switch configuration changes and access logs for suspicious administrative activity
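One way to turn the remediation steps above into an inventory check, as an added example (not code from Siemens or from this advisory): it flags switches running firmware below 4.6 and administrative sessions that originate outside the management subnet. The record fields, host names, subnet and sample inventory are assumptions constructed for illustration.

```python
import ipaddress
import re

FIXED = (4, 6)  # advisory: update to firmware 4.6 or later

def parse_fw(text):
    """Return (major, minor) from strings like 'V4.5.1' or '04.06.00', else None."""
    m = re.search(r"(\d+)\.(\d+)", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None

def triage(device, mgmt_nets):
    """Map one inventory record to the advisory's remediation actions."""
    actions = []
    fw = parse_fw(device.get("firmware"))
    if fw is None:
        actions.append("verify firmware version manually")
    elif fw < FIXED:  # tuple compare, so 4.10 correctly sorts after 4.6
        actions.append("update firmware to 4.6 or later")
        actions.append("rotate keys and credentials stored on the device")
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    outside = sorted(
        src for src in set(device.get("admin_sources", []))
        if not any(ipaddress.ip_address(src) in n for n in nets)
    )
    if outside:
        actions.append("restrict management access; admin sessions seen from "
                       + ", ".join(outside))
    return actions

# Constructed sample data (not from the advisory)
MGMT_NETS = ["10.20.0.0/28"]  # assumed jump-host / engineering subnet
INVENTORY = [
    {"host": "sw-pump-01", "model": "SCALANCE XC208", "firmware": "V4.5.1",
     "admin_sources": ["10.20.0.5", "192.168.40.17"]},
    {"host": "sw-sub-02", "model": "SCALANCE XB216", "firmware": "V4.6.0",
     "admin_sources": ["10.20.0.5"]},
    {"host": "sw-lab-03", "model": "SCALANCE XP216", "firmware": "unknown",
     "admin_sources": []},
]

def report(inventory=INVENTORY, mgmt_nets=MGMT_NETS):
    """Return {host: [actions]} for every record in the inventory."""
    return {d["host"]: triage(d, mgmt_nets) for d in inventory}

if __name__ == "__main__":
    for host, actions in report().items():
        print(host, "->", actions or ["no action"])
```

The affected-products table also lists entries with "All versions / No fix yet"; for those, only the access-restriction and monitoring steps apply, which this sketch does not model per product.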
CVEs (2)