OTPulse

OpenSSH Vulnerabilities in SCALANCE X-200 and X-300/X408 Switches

Act Now | 7.5 | SSA-676336 | Sep 14, 2021
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple OpenSSH vulnerabilities (CWE-20, CWE-476) in Siemens SCALANCE X-200 and X-300/X-400/X-408 industrial managed switches allow denial of service. The vulnerabilities are present in bundled OpenSSH software used for SSH management access. Exploitation does not require authentication and can be triggered remotely via malformed SSH packets. Siemens has released firmware updates for affected product families.

What this means
What could happen
An attacker with network access to an affected SCALANCE switch can trigger a denial of service condition, making the switch unavailable and disrupting network connectivity for connected industrial devices and processes.
Who's at risk
Water utilities, electric utilities, and manufacturers using Siemens SCALANCE industrial network switches for process automation and control. Affected equipment includes the X-200 series (modular managed switches), X-300/X-400 series (compact managed switches), and XF/XR variants used in real-time industrial networks.
How it could be exploited
An attacker sends malformed SSH packets to the switch's SSH management interface (typically port 22) without authentication. The vulnerable OpenSSH implementation crashes or hangs in response, rendering the switch unable to pass traffic or accept new connections.
Prerequisites
  • Network access to SSH port (22) on the switch
  • No authentication required
Tags: remotely exploitable, no authentication required, low complexity, high EPSS score (84.3%), affects network infrastructure for critical processes, denial of service impact
Exploitability
High exploit probability (EPSS 84.3%)
Affected products (80)
80 with fix
Product | Affected Versions | Fix Status
SCALANCE X206-1 | All Versions < V5.2.5 | 5.2.5
SCALANCE X206-1LD | All Versions < V5.2.5 | 5.2.5
SCALANCE X208 (incl. SIPLUS NET variant) | All Versions < V5.2.5 | 5.2.5
SCALANCE X208PRO | All Versions < V5.2.5 | 5.2.5
SCALANCE X212-2 (incl. SIPLUS NET variant) | All Versions < V5.2.5 | 5.2.5
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to SSH management port (22) on affected switches using firewall rules or network segmentation to limit connectivity to authorized engineering workstations only
WORKAROUND: Disable SSH management access on switches if remote management is not required, using local console access only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update SCALANCE X-200 series switches (X206, X206LD, X208, X208PRO, X212-2, X212-2LD, X204, X204FM, X204LD, X204TS, X216, X224) to firmware version 5.2.5 or later
HOTFIX: Update SCALANCE X-200 IRT series switches (X200-4P IRT, X201-3P IRT, X201-3P IRT PRO, X202-2IRT, X202-2P IRT, X202-2P IRT PRO, X204IRT, X204IRT PRO) to firmware version 5.5.2 or later
HOTFIX: Update SCALANCE X-300/X-400 series switches (X302-7 EEC, X304-2FE, X306-1LD FE, X307-2 EEC, X307-3, X307-3LD, X308-2, X308-2LD, X308-2LH, X308-2M, X310, X310FE, X320-1 FE, X408-2) to firmware version 4.1.4 or later
HOTFIX: Update SCALANCE XF and XR series switches (XF201-3P IRT, XF202-2P IRT, XF204, XF204-2, XF204-2BA IRT, XF204IRT, XF206-1, XF208, XR324 variants) to appropriate firmware version (5.5.2 or 5.2.5 depending on model) or later
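
An inventory check built from the fixed versions listed above, as an added example (not Siemens or OTPulse code). The inventory rows are constructed and model names are assumed to be spelled as in this advisory. XF/XR devices between 5.2.5 and 5.5.2 are flagged for manual lookup because the page does not give the per-model mapping.

```python
import re

# Fixed firmware per model list, as given in this advisory's remediation section
# (spaces removed from model names; X206-1/X206-1LD are the product-table spellings).
FAMILIES = {
    (5, 2, 5): "X206 X206-1 X206LD X206-1LD X208 X208PRO X212-2 X212-2LD "
               "X204 X204FM X204LD X204TS X216 X224",
    (5, 5, 2): "X200-4PIRT X201-3PIRT X201-3PIRTPRO X202-2IRT X202-2PIRT "
               "X202-2PIRTPRO X204IRT X204IRTPRO",
    (4, 1, 4): "X302-7EEC X304-2FE X306-1LDFE X307-2EEC X307-3 X307-3LD "
               "X308-2 X308-2LD X308-2LH X308-2M X310 X310FE X320-1FE X408-2",
}
FIXED = {m: v for v, models in FAMILIES.items() for m in models.split()}

def normalize(model):
    """'SCALANCE X202-2P IRT PRO' -> 'X202-2PIRTPRO'."""
    return re.sub(r"^SCALANCE|\s+", "", model.strip().upper())

def assess(model, firmware):
    """Return (status, fixed_version) for one inventory row."""
    name = normalize(model)
    have = tuple(int(p) for p in re.findall(r"\d+", firmware))
    if not have:
        return ("unknown-version", None)
    if name.startswith(("XF", "XR")):
        # The advisory says 5.5.2 or 5.2.5 "depending on model" without giving
        # the mapping, so only versions outside that range are decided here.
        if have < (5, 2, 5):
            return ("vulnerable", "5.2.5 or 5.5.2")
        if have >= (5, 5, 2):
            return ("fixed", "5.2.5 or 5.5.2")
        return ("check-advisory", "5.2.5 or 5.5.2")
    need = FIXED.get(name)
    if need is None:
        return ("not-listed", None)
    status = "fixed" if have >= need else "vulnerable"
    return (status, ".".join(map(str, need)))

# Constructed inventory rows (model, firmware) for illustration only.
INVENTORY = [
    ("SCALANCE X208", "V5.2.4"),
    ("SCALANCE X202-2P IRT", "V5.5.2"),
    ("SCALANCE X308-2", "V4.1.3"),
    ("SCALANCE XF204", "V5.3.0"),
]

if __name__ == "__main__":
    for model, fw in INVENTORY:
        print(model, fw, *assess(model, fw), sep="\t")
```

A "not-listed" result only means the model is not named in the lists reproduced on this page, which shows a subset of the 80 affected products.
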
Long-term hardening
HARDENING: Segment SCALANCE switch management traffic onto a dedicated, isolated network separate from data plane traffic