OTPulse

BadAlloc Vulnerabilities in SCALANCE X-200, X-200IRT, and X-300 Switch Families

Recommended action: Plan Patch
CVSS score: 7.3
Vendor advisory: SSA-813746
Date: Apr 11, 2023
Attack vector: Network
Authentication required: None
Complexity: Low
User interaction: None needed
Summary

BadAlloc vulnerabilities exist in the underlying operating system of Siemens SCALANCE X-200, X-200IRT, and X-300 managed switches. These memory allocation defects can be triggered remotely without credentials, causing the switch to become unresponsive and disrupting network traffic. Siemens has released firmware versions 5.2.6 and 5.5.2 to address the issue in some models, but many older models (XR324, X302, X307, X308, X310, X320, X408 families) will not receive patches and remain vulnerable in all versions.

What this means
What could happen
An attacker with network access to an affected SCALANCE switch can trigger a memory allocation error that causes a denial of service, temporarily disabling network communication for connected devices and potentially interrupting industrial processes.
Who's at risk
SCALANCE X-200, X-200IRT, and X-300 managed industrial Ethernet switches used in water utilities, power systems, and manufacturing facilities for real-time networking and device connectivity. Affects both standard and hardened/isolated (EEC) variants across multiple power supply and port configurations. This includes devices used in safety-critical applications (IRT models) and extended temperature range deployments (TS and LD variants).
How it could be exploited
An attacker sends specially crafted network packets to the switch's network interface (no credentials required). The switch's operating system fails to properly validate memory allocation requests, causing the device to crash or become unresponsive. Network connectivity through the switch is lost until the device is rebooted.
Prerequisites
  • Network access to the SCALANCE switch from any network segment (including the internet if the switch is publicly routable)
  • No authentication or credentials required
Tags: remotely exploitable · no authentication required · low complexity · denial of service impact · no patch available for 50+ product variants · affects safety-rated systems (IRT models)
Exploitability
Moderate exploit probability (EPSS 2.1%)
Affected products (81): 30 with fix, 51 pending

Product | Affected Versions | Fix Status
SCALANCE XR324-4M EEC (2x 24V, ports on front) | All versions | No fix yet
SCALANCE XR324-4M EEC (2x 24V, ports on rear) | All versions | No fix yet
SCALANCE XR324-4M PoE (230V, ports on front) | All versions | No fix yet
SCALANCE XR324-4M PoE (230V, ports on rear) | All versions | No fix yet
SCALANCE XR324-4M PoE (24V, ports on front) | All versions | No fix yet
Remediation & Mitigation

Do now
  • WORKAROUND: For SCALANCE XR324, X302, X303, X304, X306, X307, X308, X310, X320, and X408 models with no fix available, implement network segmentation and access control lists to restrict access to the switches from untrusted networks

Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

  • HOTFIX: Update SCALANCE X200-4P IRT, X201-3P IRT, X201-3P IRT PRO, X202-2IRT, X202-2P IRT, X202-2P IRT PRO, X204IRT, X204IRT PRO, SIPLUS NET SCALANCE X202-2P IRT, XF201-3P IRT, XF202-2P IRT, and XF204-2BA IRT models to firmware version 5.5.2 or later
  • HOTFIX: Update SCALANCE X204, X206, X208, X212, X216, X224, and XF204/XF206/XF208 models to firmware version 5.2.6 or later
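The two firmware lines and the workaround list above are enough to triage a switch inventory. The script below is an added example, not OTPulse or Siemens tooling: it classifies each device as patched, update required, no fix (apply the workaround), or not covered by the advisory lines used here. The model names are copied from the advisory's remediation items; the hostnames, firmware strings and the placeholder model in the sample inventory are constructed.

```python
"""Triage a SCALANCE inventory against the two fix lines in SSA-813746.

Added example; it is not OTPulse or Siemens tooling. Model names come from the
advisory's remediation items. The sample inventory at the bottom is constructed.
"""
from typing import Dict, List, Tuple

# Models the advisory says are fixed in firmware 5.5.2 (IRT family).
FIXED_IN_5_5_2 = {
    "X200-4P IRT", "X201-3P IRT", "X201-3P IRT PRO", "X202-2IRT",
    "X202-2P IRT", "X202-2P IRT PRO", "X204IRT", "X204IRT PRO",
    "SIPLUS NET SCALANCE X202-2P IRT", "XF201-3P IRT", "XF202-2P IRT",
    "XF204-2BA IRT",
}
# Models the advisory says are fixed in firmware 5.2.6.
FIXED_IN_5_2_6 = {"X204", "X206", "X208", "X212", "X216", "X224",
                  "XF204", "XF206", "XF208"}
# Model prefixes the workaround item lists as having no fix (all versions).
NO_FIX_PREFIXES = ("XR324", "X302", "X303", "X304", "X306", "X307", "X308",
                   "X310", "X320", "X408")


def normalize_model(model: str) -> str:
    """Upper-case, collapse whitespace and drop a leading 'SCALANCE ' so that
    inventory strings such as 'SCALANCE X204IRT' match the advisory's short names."""
    name = " ".join(model.upper().split())
    if name.startswith("SCALANCE "):
        name = name[len("SCALANCE "):]
    return name


def parse_version(firmware: str) -> Tuple[int, ...]:
    """'V5.5.2' -> (5, 5, 2); tuple comparison orders 5.10.0 above 5.5.2."""
    return tuple(int(part) for part in firmware.strip().lstrip("Vv").split("."))


def triage(model: str, firmware: str) -> str:
    """Classify one device: 'patched', 'update_required', 'no_fix_workaround'
    or 'unknown' (model not named in the advisory lines used here)."""
    name = normalize_model(model)
    if name in FIXED_IN_5_5_2:
        fixed_at = (5, 5, 2)
    elif name in FIXED_IN_5_2_6:
        fixed_at = (5, 2, 6)
    elif name.startswith(NO_FIX_PREFIXES):
        return "no_fix_workaround"
    else:
        return "unknown"
    return "patched" if parse_version(firmware) >= fixed_at else "update_required"


def summarize(inventory: List[Tuple[str, str, str]]) -> Dict[str, List[str]]:
    """Group hostnames by triage result; inventory rows are (host, model, firmware)."""
    groups: Dict[str, List[str]] = {}
    for host, model, firmware in inventory:
        groups.setdefault(triage(model, firmware), []).append(host)
    return groups


# Constructed sample inventory (hostnames, firmware strings and the last model are made up).
SAMPLE_INVENTORY = [
    ("plc-sw-01", "SCALANCE X204IRT", "V5.5.1"),
    ("plc-sw-02", "SCALANCE X204IRT", "V5.5.2"),
    ("cell-sw-03", "SCALANCE X208", "5.2.5"),
    ("cell-sw-04", "SCALANCE XF206", "5.2.6"),
    ("ring-sw-05", "SCALANCE XR324-4M EEC (2x 24V, ports on front)", "4.1.3"),
    ("ring-sw-06", "SCALANCE X307-3", "4.1.0"),
    ("lab-sw-07", "SCALANCE XOTHER-PLACEHOLDER", "1.0"),
]

if __name__ == "__main__":
    for status, hosts in summarize(SAMPLE_INVENTORY).items():
        print(f"{status:20s} {', '.join(hosts)}")
```

Devices that land in "no_fix_workaround" are the ones the "Do now" item covers; "unknown" means the model is not named on this advisory page, not that it is unaffected, and should be checked against the full product table.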
Long-term hardening
  • HARDENING: For products without vendor firmware updates, disable unused network services and ports on affected switches to reduce the attack surface
  • HARDENING: Monitor affected switches for unexpected reboots or loss of connectivity, which may indicate exploitation attempts
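As an added example of the monitoring item, not code from OTPulse or Siemens: the check below consumes periodic SNMP sysUpTime polls, flags a host whose uptime went backwards outside a declared maintenance window (a reboot) and flags a host that missed consecutive polls (loss of connectivity). The poll records and maintenance windows are constructed sample data, and their tuple layout is this example's own convention rather than any poller's output format.

```python
"""Flag unexpected reboots and lost connectivity from periodic SNMP sysUpTime polls.

Added example (not OTPulse or Siemens code). Poll records are constructed
sample data; a real deployment would fill them from its SNMP poller.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Sequence, Tuple

# sysUpTime is a 32-bit TimeTicks counter (1/100 s); it wraps after ~497 days.
SYSUPTIME_WRAP = 2 ** 32
WRAP_SLACK_TICKS = 10 * 60 * 100  # a drop from within 10 min of the wrap is a wrap, not a reboot


@dataclass
class Poll:
    host: str
    ts: datetime
    uptime_ticks: Optional[int]  # None means the poll timed out


def detect_events(polls: Sequence[Poll],
                  maintenance: Sequence[Tuple[str, datetime, datetime]] = (),
                  max_missed: int = 2) -> List[Tuple[str, datetime, str]]:
    """Return (host, timestamp, kind) tuples, kind being 'reboot' or 'unreachable'.

    A reboot is a sysUpTime value lower than the previous one for the same host,
    outside any (host, start, end) maintenance window and not explained by
    32-bit counter wrap. 'unreachable' fires once, at the max_missed-th
    consecutive failed poll.
    """
    events: List[Tuple[str, datetime, str]] = []
    last_uptime = {}
    missed = {}
    for p in sorted(polls, key=lambda x: (x.host, x.ts)):
        if p.uptime_ticks is None:
            missed[p.host] = missed.get(p.host, 0) + 1
            if missed[p.host] == max_missed:
                events.append((p.host, p.ts, "unreachable"))
            continue
        missed[p.host] = 0
        prev = last_uptime.get(p.host)
        if prev is not None and p.uptime_ticks < prev:
            wrapped = prev > SYSUPTIME_WRAP - WRAP_SLACK_TICKS
            planned = any(h == p.host and start <= p.ts <= end
                          for h, start, end in maintenance)
            if not wrapped and not planned:
                events.append((p.host, p.ts, "reboot"))
        last_uptime[p.host] = p.uptime_ticks
    return events


def _at(minute: int) -> datetime:
    """Constructed timestamps: five-minute polls on the advisory date."""
    return datetime(2023, 4, 11, 0, minute)


# Constructed sample polls; uptime is in ticks (1/100 s), 30_000 ticks per 5-minute interval.
SAMPLE_POLLS = [
    # sw1: healthy, then sysUpTime drops from ~2.8 h to 2 min -> unexpected reboot
    Poll("sw1", _at(0), 1_000_000), Poll("sw1", _at(5), 1_030_000),
    Poll("sw1", _at(10), 12_000), Poll("sw1", _at(15), 42_000),
    # sw2: two consecutive timeouts (unreachable), then back with low uptime (reboot)
    Poll("sw2", _at(0), 500_000), Poll("sw2", _at(5), None),
    Poll("sw2", _at(10), None), Poll("sw2", _at(15), 9_000),
    # sw3: rebooted inside its maintenance window -> no alert
    Poll("sw3", _at(0), 800_000), Poll("sw3", _at(5), 830_000),
    Poll("sw3", _at(10), 5_000), Poll("sw3", _at(15), 35_000),
]
SAMPLE_MAINTENANCE = [("sw3", _at(8), _at(12))]


def run_sample() -> List[Tuple[str, str, str]]:
    """Run the detector over the constructed polls; timestamps rendered as HH:MM."""
    return [(host, ts.strftime("%H:%M"), kind)
            for host, ts, kind in detect_events(SAMPLE_POLLS, SAMPLE_MAINTENANCE)]


if __name__ == "__main__":
    for host, when, kind in run_sample():
        print(f"{when} {host}: {kind}")
```

A reboot on a switch with no fix available, with no matching maintenance window, is the signal the hardening item describes; pair it with an unreachable event on neighbouring devices to tell a crashed switch apart from a single lost poll.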
API: /api/v1/advisories/a251e274-626c-4134-8c8e-606f3c41cf2c