OTPulse

RADIUS Protocol Susceptible to Forgery Attacks (CVE-2024-3596) - Impact to SCALANCE, RUGGEDCOM and Related Products

Act Now · 9 · SSA-723487 · Jul 9, 2024
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

CVE-2024-3596 is a vulnerability in the RADIUS authentication protocol that allows on-path attackers to forge authentication responses. An attacker positioned between a RADIUS client (a SCALANCE or RUGGEDCOM device) and a RADIUS server can modify Access-Reject messages into Access-Accept messages, granting network access without valid credentials. This affects multiple SCALANCE switches (XC, XF, XP, XR series), RUGGEDCOM industrial routers, and SINEC INS when the RADIUS Relay feature is enabled. Siemens has released firmware updates for most affected products; however, several older models (SCALANCE XM408, XM416, SC6xx, W7xx/W8xx series) have no fix planned and will require network isolation or authentication workarounds.

What this means
What could happen
An attacker positioned between your SCALANCE or RUGGEDCOM network switch and a RADIUS authentication server (such as SINEC INS) could forge authentication packets, allowing them to change "Access-Reject" responses into "Access-Accept" responses, granting themselves network access without valid credentials.
Who's at risk
Water and electric utilities using Siemens SCALANCE or RUGGEDCOM network switches and industrial routers, particularly those relying on RADIUS authentication via SINEC INS or other RADIUS servers for network access control. This affects managed switches in SCADA networks, access control for engineering workstations, and secure network perimeter management.
How it could be exploited
The attacker must be on the network path between your switch/router and your RADIUS server. They intercept the RADIUS packets exchanged during authentication and modify the server's response to grant access they should not have. This works because the integrity check that RADIUS applies to server responses can be defeated by an on-path attacker, so the client accepts the altered reply as genuine.
Prerequisites
  • Network position between SCALANCE/RUGGEDCOM device and RADIUS authentication server (on-path attacker)
  • RADIUS authentication enabled on the affected device
  • RADIUS server in use (such as SINEC INS)
Tags: remotely exploitable · on-path network access required · no authentication bypass - attacker must intercept packets · high EPSS score (23.8%) · affects network access control · no patch available for several SCALANCE models (XM, SC, W series)
Exploitability
High exploit probability (EPSS 23.8%)
Affected products (416)
357 with fix · 59 pending

Product                          | Affected Versions | Fix Status
SCALANCE XC208G PoE (54 V DC)    | < 4.6             | 4.6
SCALANCE XC216                   | < 4.6             | 4.6
SCALANCE XC216-3G PoE            | < 4.6             | 4.6
SCALANCE XC216-3G PoE (54 V DC)  | < 4.6             | 4.6
SCALANCE XC216-4C                | < 4.6             | 4.6
Remediation & Mitigation
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SINEC INS
HOTFIX: Update SINEC INS to version 1.0 SP2 Update 4 or later if the Relay feature is enabled
All products
HOTFIX: Update SCALANCE XC, XF, XP, XR, and XRH/XRM series switches to firmware version 4.6 or later (or version 1.3 for XC3xx/XR3xx series, or version 4.1.9 for XR324/XR3xx-M series)
HOTFIX: Update RUGGEDCOM devices to firmware version 4.3.11 or later (or version 5.10.0 for specified V5.X variants, or version 8.2 for mobile/SHDSL routers, or version 2.17.0 for ROX series, or version 5.6 for CROSSBOW)
HOTFIX: For SCALANCE wireless devices (WAB, WAM, WUM, WUB series), update to firmware 3.0.0 or later
Long-term hardening
HARDENING: Implement network segmentation so that the RADIUS server is reachable only from authorized management networks
HARDENING: Monitor RADIUS authentication logs for unexpected Access-Accept responses, particularly from IP addresses not expected to send RADIUS replies
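To make the forgery described under "How it could be exploited" concrete from the defender's side, here is an added Python example (not from the advisory, Siemens, or any product firmware). It checks a RADIUS reply first with the legacy MD5-based Response Authenticator that CVE-2024-3596 defeats, then with the Message-Authenticator HMAC (RFC 2869) that the standard countermeasure makes mandatory; the shared secret, Request Authenticator and attribute bytes are constructed test values.

```python
import hashlib
import hmac
import struct

# Constructed values (assumed, not from the advisory): the shared secret and
# the Request Authenticator of the Access-Request the reply answers.
SECRET = b"example-shared-secret"
REQUEST_AUTH = bytes.fromhex("0102030405060708090a0b0c0d0e0f10")
ACCESS_ACCEPT, ACCESS_REJECT = 2, 3
MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def build_response(code, attrs, with_msg_auth=True):
    """Server-side construction of a reply (used here only to make test input)."""
    body = attrs + (bytes([MSG_AUTH, 18]) + b"\x00" * 16 if with_msg_auth else b"")
    header = struct.pack("!BBH", code, 1, 20 + len(body))
    if with_msg_auth:  # HMAC-MD5 keyed with the secret, computed over the zeroed field
        mac = hmac.new(SECRET, header + REQUEST_AUTH + body, hashlib.md5).digest()
        body = attrs + bytes([MSG_AUTH, 18]) + mac
    return header + hashlib.md5(header + REQUEST_AUTH + body + SECRET).digest() + body

def parse_attrs(body):
    """Return (type, offset, value) triples, or None if any TLV is malformed."""
    out, i = [], 0
    while i < len(body):
        n = body[i + 1] if i + 1 < len(body) else 0
        if n < 2 or i + n > len(body):
            return None
        out.append((body[i], i, body[i + 2:i + n]))
        i += n
    return out

def response_authenticator_ok(pkt):
    """Legacy check: MD5(Code|ID|Length|RequestAuth|Attributes|Secret).
    It is unkeyed MD5 over attacker-influenced bytes, which CVE-2024-3596 abuses."""
    if len(pkt) < 20 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        return False
    digest = hashlib.md5(pkt[:4] + REQUEST_AUTH + pkt[20:] + SECRET).digest()
    return hmac.compare_digest(digest, pkt[4:20])

def verify_response(pkt):
    """Hardened check: legacy authenticator plus a mandatory, valid Message-Authenticator."""
    if not response_authenticator_ok(pkt):
        return False
    macs = [(o, v) for t, o, v in (parse_attrs(pkt[20:]) or []) if t == MSG_AUTH]
    if len(macs) != 1 or len(macs[0][1]) != 16:
        return False  # absent or duplicated: treat the reply as untrusted
    off, mac = macs[0]
    zeroed = pkt[20:22 + off] + b"\x00" * 16 + pkt[38 + off:]
    expected = hmac.new(SECRET, pkt[:4] + REQUEST_AUTH + zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, mac)
```

A reply that carries no Message-Authenticator passes the legacy check but is rejected by `verify_response`, which is the behaviour a hardened client needs in order to stop a Reject-to-Accept rewrite.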