OTPulse

Mirror Port Isolation Vulnerability in SCALANCE X Switches

Monitor | 5.4 | SSA-557804 | Mar 12, 2019
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

A vulnerability in SCALANCE X switches with the monitor barrier feature enabled allows an attacker connected to a mirror port to inject traffic that bypasses port isolation and reaches the monitored network. This could enable eavesdropping on or interference with communications in network segments that should be isolated. The vulnerability affects numerous SCALANCE X, XB, XC, XF, XP, and XR series switches, as well as SIPLUS NET variants. Siemens has released firmware updates addressing this issue across three version branches: 5.2.6, 4.1.3, and 4.1, depending on the product line.

What this means
What could happen
An attacker connected to a mirror (monitoring) port could bypass port isolation and inject traffic into the monitored network, potentially allowing them to eavesdrop on or interfere with communications between control system devices.
Who's at risk
Network switches in industrial facilities that use SCALANCE X series equipment, particularly those used in water treatment plants, electrical substations, and other critical infrastructure where network segmentation and monitoring are employed. This affects any organization relying on SCALANCE switches for industrial network switching and security.
How it could be exploited
An attacker with access to a SCALANCE X switch's mirror port (typically used for network monitoring) could send traffic through that port, which should be isolated to monitoring only. Because of the vulnerability, this traffic could leak into the main monitored network segment, allowing the attacker to reach devices they should not be able to communicate with.
Prerequisites
  • Access to a SCALANCE X switch mirror port
  • Monitor barrier feature must be enabled on the switch
  • Network path from attacker to the mirror port
  • Remotely exploitable
  • Requires specific configuration (mirror port + monitor barrier enabled)
  • Affects network isolation and monitoring integrity
  • Wide range of affected SCALANCE switch models
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (117)
117 with fix
Product              Affected Versions   Fix Status
SCALANCE X208PRO     < V5.2.6            5.2.6
SCALANCE X212-2      < V5.2.6            5.2.6
SCALANCE X212-2LD    < V5.2.6            5.2.6
SCALANCE X216        < V5.2.6            5.2.6
SCALANCE X224        < V5.2.6            5.2.6
Remediation & Mitigation
Do now
WORKAROUND: Review mirror port configurations and disable monitor barrier feature on mirror ports if not needed for operational monitoring
HARDENING: Implement network access controls to restrict physical and logical access to switch mirror ports to authorized monitoring systems only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SCALANCE X308-2
HOTFIX: Update SCALANCE X302-7 EEC, X304-2FE, X306-1LD FE, X307-2 EEC, X307-3, X307-3LD, X308-2 variants, X310, X310FE, X320-1 FE, X320-1-2LD FE, X408-2, XR324-12M, XR324-4M variants, and SIPLUS NET SCALANCE X308-2 switches to firmware version 4.1.3 or later
SCALANCE XC208
HOTFIX: Update SCALANCE XB205-3, XB205-3LD, XB208, XB213-3, XB213-3LD, XB216, XC206-2, XC206-2SFP variants, XC208 variants, XC216, XC216-4C variants, XC224, XC224-4C variants, XF204-2BA variants, XP208, XP208EEC, XP208PoE EEC, XP216, XP216EEC, XP216POE EEC, XR324WG, XR328-4C WG, SIPLUS NET SCALANCE XC206-2 variants, and SIPLUS NET SCALANCE XC208, XC216-4C switches to firmware version 4.1 or later
All products
HOTFIX: Update SCALANCE X204, X206, X208, X212-2, X212-2LD, X216, X224, and XF204 series switches to firmware version 5.2.6 or later
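
An inventory triage sketch for the three fix branches listed above, added here as an example and not part of the advisory or any Siemens tooling. The prefix-matching rule for "variants" and "series", the function names and the sample inventory rows are assumptions of this example; confirm each family match against SSA-557804 before acting on it.

```python
import re

# Fixed firmware per model family, transcribed from this advisory's remediation
# items and product table. Names are compared upper-case with spaces removed.
FIXED = {
    (5, 2, 6): "X204,X206,X208,X208PRO,X212-2,X212-2LD,X216,X224,XF204",
    (4, 1, 3): "X302-7EEC,X304-2FE,X306-1LDFE,X307-2EEC,X307-3,X307-3LD,X308-2,"
               "X310,X310FE,X320-1FE,X320-1-2LDFE,X408-2,XR324-12M,XR324-4M",
    (4, 1, 0): "XB205-3,XB205-3LD,XB208,XB213-3,XB213-3LD,XB216,XC206-2,"
               "XC206-2SFP,XC208,XC216,XC216-4C,XC224,XC224-4C,XF204-2BA,XP208,"
               "XP208EEC,XP208POEEEC,XP216,XP216EEC,XP216POEEEC,XR324WG,XR328-4CWG",
}
FAMILY = {name: fix for fix, names in FIXED.items() for name in names.split(",")}


def normalize(model):
    """Drop 'SIPLUS NET' / 'SCALANCE' prefixes and spaces; upper-case."""
    m = re.sub(r"^(SIPLUS\s+NET\s+)?(SCALANCE\s+)?", "", model.strip(), flags=re.I)
    return re.sub(r"\s+", "", m).upper()


def parse_version(text):
    """'V5.2.6' or '4.1' -> (5, 2, 6) / (4, 1, 0); None if no digits."""
    nums = [int(n) for n in re.findall(r"\d+", text)][:3]
    return tuple(nums + [0] * (3 - len(nums))) if nums else None


def triage(model, firmware):
    """Return (status, matched_family, fixed_version) for one inventory row."""
    name = normalize(model)
    # Assumption: a "variant" is any model string that starts with a listed name.
    hits = [f for f in FAMILY if name.startswith(f)]
    if not hits:
        return ("UNKNOWN", None, None)      # not listed here: check the advisory
    family = max(hits, key=len)             # XF204-2BA must win over XF204
    fix = FAMILY[family]
    have = parse_version(firmware)
    if have is None:
        return ("UNKNOWN", family, fix)     # unreadable firmware string
    return ("UPDATE" if have < fix else "OK", family, fix)


# Constructed inventory rows (not from the advisory).
INVENTORY = [("SCALANCE X208PRO", "V5.2.4"), ("SIPLUS NET SCALANCE X308-2", "4.1.3"),
             ("SCALANCE XF204-2BA DNA", "V4.0"), ("SCALANCE XM408-8C", "V6.1")]

if __name__ == "__main__":
    for model, fw in INVENTORY:
        print(model, fw, triage(model, fw))
```

The longest-prefix rule matters because XF204 and XF204-2BA sit on different fix branches (5.2.6 and 4.1).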
API: /api/v1/advisories/67509355-0e1e-45be-bf40-6a3e422efedf