OTPulse

Multiple Web Vulnerabilities in SCALANCE Products

Act Now | CVSS 9.1 | SSA-710008 | Aug 9, 2022
Attack Vector: Network
Auth Required: High
Complexity: Low
User Interaction: None needed
Summary

Multiple web vulnerabilities exist in SCALANCE industrial network products spanning three vulnerability classes: improper neutralization of special elements in output (CWE-74), unrestricted resource consumption leading to denial of service (CWE-770), and cross-site scripting in output (CWE-80). Affected product families include managed switches (XC/XP/XR series), wireless access points (WAM/WUM), industrial routers (M8xx, S615), and modular switching systems (XM/XR). Authenticated remote attackers can execute arbitrary code; unauthenticated network attackers can trigger denial of service. Siemens has released firmware updates for most product lines but will not issue patches for older W-series wireless devices.

What this means
What could happen
An authenticated attacker could execute arbitrary code on SCALANCE network devices, potentially disrupting communications between control systems and field equipment. Unauthenticated attackers could cause temporary denial of service through resource exhaustion.
Who's at risk
Industrial network switch operators should prioritize this advisory, particularly those running water distribution, wastewater, electric grid, or manufacturing automation systems that rely on SCALANCE managed switches, wireless access points, or industrial routers for communications between PLCs, remote terminal units (RTUs), and supervisory systems. The SCALANCE XC/XP/XR managed switch families and WAM/WUM wireless access points are common in these environments.
How it could be exploited
An authenticated user with web access to the device management interface could inject malicious code (CWE-74: improper neutralization of special elements in output) or trigger resource exhaustion attacks. Unauthenticated attackers on the network could send crafted requests to exhaust resources (CWE-770) or inject scripts (CWE-80) to disrupt device availability.
Prerequisites
  • Network access to the device's web management interface (typically port 80/443)
  • Valid engineering workstation credentials for the code execution vulnerability
  • No authentication required for the denial of service attack

  • Remotely exploitable
  • High CVSS score (9.1)
  • Affects network communications infrastructure
  • No patch available for W-series wireless devices
  • Authenticated code execution possible
  • Unauthenticated denial of service possible
Exploitability
Moderate exploit probability (EPSS 1.1%)
Affected products (154)
126 with fix, 28 pending

Product | Affected Versions | Fix Status
RUGGEDCOM RM1224 LTE(4G) EU | <V7.1.2 | 7.1.2
RUGGEDCOM RM1224 LTE(4G) NAM | <V7.1.2 | 7.1.2
SCALANCE M804PB | <V7.1.2 | 7.1.2
SCALANCE M812-1 ADSL-Router (Annex A) | <V7.1.2 | 7.1.2
SCALANCE M812-1 ADSL-Router (Annex B) | <V7.1.2 | 7.1.2
Remediation & Mitigation
Do now
WORKAROUND: For SCALANCE W7xx and W8xx wireless devices with no available patch: implement firewall rules to block direct access to device web interfaces from untrusted networks; use VPN or jump host for remote management
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SCALANCE M804PB
HOTFIX: Update SCALANCE M804PB, M874-3, M876-4, and MUM8xx devices to firmware version 7.1.2 or later
SCALANCE S615
HOTFIX: Update SCALANCE S615, SC622-2C through SC646-2C to firmware version 2.3.1 or later (SC series) or 7.1.2 or later (S615)
SCALANCE WAM763-1
HOTFIX: Update SCALANCE WAM763-1, WAM766-1, WUM763-1, and WUM766-1 to firmware version 2.0 or later
All products
HOTFIX: Update RUGGEDCOM RM1224 LTE(4G) and M8x2/M8x6 ADSL routers to firmware version 7.1.2 or later
HOTFIX: Update SCALANCE XB205-3, XB208, XB213-3, XB216, XC2xx, XF2xx, XP2xx, and XR3xx series to firmware version 4.4 or later
HOTFIX: Update SCALANCE XM4xx and XR5xx series to firmware version 6.6 or later
Long-term hardening
HARDENING: For SCALANCE W7xx and W8xx wireless devices with no available patch: implement network segmentation to restrict access to device management interfaces; only allow connections from authorized engineering workstations on isolated subnets
HARDENING: Disable or restrict access to web management interfaces on all SCALANCE devices not actively using remote management; prefer local console or out-of-band management channels
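
To turn the remediation list above into a triage pass over an asset inventory, the following added example (not code from Siemens or from this page) compares each device's firmware against the fixed versions stated here. The model-matching regexes and the sample inventory are assumptions of this example; confirm each match against the product list in SSA-710008 before acting on it.

```python
import re

# Minimum fixed firmware per family, transcribed from the remediation list above.
# The regexes are this example's assumption about how model names appear in an
# inventory; None marks W7xx/W8xx, which have no available patch.
RULES = [
    (r"\bW[78]\d\d", None),
    (r"\bRM1224\b|\bM804PB\b|\bM87[46]-\d|\bMUM8\d\d|\bM8\d[26]\b|\bS615\b", (7, 1, 2)),
    (r"\bSC6[2-4]\d-2C\b", (2, 3, 1)),
    (r"\bW[AU]M76[36]-1\b", (2, 0, 0)),
    (r"\bXB2(?:05-3|08|13-3|16)\b|\bX[CFP]2\d\d|\bXR3\d\d", (4, 4, 0)),
    (r"\bXM4\d\d|\bXR5\d\d", (6, 6, 0)),
]

def parse_version(text):
    """Turn 'V7.1.2' or '4.4' into an int tuple so 7.1.10 sorts above 7.1.2."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if m is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(model, firmware):
    """Return NO_PATCH, UPDATE, OK or NOT_LISTED for one inventory entry."""
    for pattern, fixed in RULES:
        if re.search(pattern, model):
            if fixed is None:
                return "NO_PATCH"
            return "OK" if parse_version(firmware) >= fixed else "UPDATE"
    return "NOT_LISTED"

# Constructed sample inventory (model, firmware); not real device data.
INVENTORY = [
    ("SCALANCE M804PB", "V7.1.10"),
    ("SCALANCE M812-1 ADSL-Router (Annex A)", "V7.1.1"),
    ("SCALANCE XC208", "4.3.1"),
    ("SCALANCE WAM763-1", "2.0"),
    ("SCALANCE W774-1 RJ45", "6.5.0"),
]

def triage(inventory):
    """Map each entry to its status, keeping inventory order."""
    return [(model, fw, assess(model, fw)) for model, fw in inventory]

if __name__ == "__main__":
    for model, fw, status in triage(INVENTORY):
        print(f"{status:10} {model} ({fw})")
```

Devices reported as NO_PATCH fall under the workaround and hardening items above rather than the update schedule; NOT_LISTED means only that the model did not match these patterns, not that it is unaffected.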