OTPulse

Multiple Vulnerabilities in SCALANCE X-200RNA Switch Devices before V3.2.7

CVSS 8.8 · SSA-363821 · Dec 13, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

SCALANCE X-200RNA industrial Ethernet switches before firmware V3.2.7 contain multiple vulnerabilities: CWE-80 (improper input validation), CWE-400 (uncontrolled resource consumption), CWE-330 (use of insufficiently random values), CWE-284 (improper access control), and CWE-200 (exposure of sensitive information). These flaws allow an attacker to cause denial of service, extract sensitive configuration or authentication data, or hijack active sessions to the device management interface. Affected models are the X204RNA in its HSR and PRP variants, together with the EEC (enhanced engineering connector) versions. Siemens has released firmware V3.2.7 to correct these issues.

What this means
What could happen
An attacker could cause the network switch to become unresponsive, extract configuration data or credentials stored on the device, or take over an authenticated session to reconfigure the switch and disrupt network connectivity to critical equipment.
Who's at risk
Water utilities and municipal electric facilities using SCALANCE X-200RNA managed industrial Ethernet switches for network redundancy (HSR/PRP). These switches are commonly deployed in substation automation, SCADA networks, and critical infrastructure where loss of connectivity would disrupt control system communications.
How it could be exploited
An attacker on the network could send a specially crafted request to the switch's web interface or management port (no authentication required) to trigger a denial of service condition, harvest information from the device, or inject malicious input to hijack an existing administrator session.
Prerequisites
  • Network access to the SCALANCE X-200RNA switch management interface (typically port 80/443 or Ethernet port 1-4)
  • For session hijacking: an authenticated session must already exist (e.g., an engineer logged into the web interface)
Risk factors
  • Remotely exploitable
  • No authentication required for denial of service or information disclosure
  • Low complexity attack
  • Affects network infrastructure supplying critical control systems
  • Default or weak credentials may be used for management access
Exploitability
Moderate exploit probability (EPSS 2.0%)
Affected products (5)
5 with fix

Product                           Affected Versions   Fix Status
SCALANCE X204RNA (HSR)            < V3.2.7            3.2.7
SCALANCE X204RNA (PRP)            < V3.2.7            3.2.7
SCALANCE X204RNA EEC (HSR)        < V3.2.7            3.2.7
SCALANCE X204RNA EEC (PRP)        < V3.2.7            3.2.7
SCALANCE X204RNA EEC (PRP/HSR)    < V3.2.7            3.2.7
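To triage a device inventory against the table above, the following added example (not OTPulse or Siemens code) flags every listed SCALANCE X204RNA model still running firmware older than V3.2.7; the hostnames and versions in the sample inventory are constructed.

```python
import re

# Affected products and fixed version, as listed in the advisory (SSA-363821).
AFFECTED_MODELS = {
    "SCALANCE X204RNA (HSR)",
    "SCALANCE X204RNA (PRP)",
    "SCALANCE X204RNA EEC (HSR)",
    "SCALANCE X204RNA EEC (PRP)",
    "SCALANCE X204RNA EEC (PRP/HSR)",
}
FIXED_VERSION = "V3.2.7"


def parse_version(text):
    """Turn a firmware string such as 'V3.2.7' or '3.2.10' into a comparable tuple.

    Tuple comparison avoids the string-compare bug where '3.2.10' sorts below '3.2.7'.
    """
    m = re.fullmatch(r"\s*[Vv]?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(model, firmware):
    """True if the device is an affected model running firmware older than the fix."""
    return model in AFFECTED_MODELS and parse_version(firmware) < parse_version(FIXED_VERSION)


def triage(inventory):
    """Return (hostname, model, firmware) for every device that still needs the update."""
    return [(host, model, fw) for host, model, fw in inventory if is_affected(model, fw)]


# Constructed sample inventory: hypothetical hosts and versions, not from the advisory.
SAMPLE_INVENTORY = [
    ("sub1-sw01", "SCALANCE X204RNA (HSR)", "V3.2.5"),
    ("sub1-sw02", "SCALANCE X204RNA EEC (PRP/HSR)", "V3.2.7"),
    ("sub2-sw01", "SCALANCE X204RNA (PRP)", "3.2.10"),
    ("plant-sw07", "SCALANCE XB208", "V4.1.3"),  # different product line, not in scope
]

if __name__ == "__main__":
    for host, model, fw in triage(SAMPLE_INVENTORY):
        print(f"{host}: {model} firmware {fw} is below {FIXED_VERSION}; schedule the update")
```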
Remediation & Mitigation
Do now
  • WORKAROUND: Restrict network access to the switch management interface using firewall rules; allow only from trusted engineering workstations or subnets
  • WORKAROUND: If devices cannot be patched immediately, consider disabling remote web management and require in-band access via Ethernet port 1 only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update all SCALANCE X-200RNA switch devices to firmware version 3.2.7 or later
Long-term hardening
  • HARDENING: Segment the switch management network from the general plant network using VLANs or separate subnets