Multiple Vulnerabilities in SCALANCE X-300 Switch Family Devices
Plan Patch
CVSS 9.6
SSA-836527
Apr 12, 2022
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
Multiple vulnerabilities exist in SCALANCE X-300 series switches running firmware versions below 4.1.4. These include buffer overflow (CWE-121, CWE-120, CWE-125), heap overflow (CWE-330), and other input validation failures (CWE-20) that allow an unauthenticated attacker on the local network segment to cause device reboot, denial of service, or potentially achieve code execution. Affected variants include SCALANCE X302-7 EEC, X304-2FE, X306-1LD FE, X307 series, X308 series, X310, X320, X408, XR324 series, and SIPLUS NET SCALANCE X308-2.
What this means
What could happen
An attacker on the network segment with these switches could reboot them, cause the network to fail, or run arbitrary code on the device without any credentials. This would disrupt communication to PLCs and field devices connected through the switch.
Who's at risk
Water utilities and electric utilities using Siemens SCALANCE X-300 series managed network switches for connecting industrial control devices, field instrumentation, and remote terminal units (RTUs). This affects all variants of the X302, X304, X306, X307, X308, X310, X320, X408, XR324, and SIPLUS NET SCALANCE X308 switches.
How it could be exploited
An attacker on the local network segment sends a specially crafted network packet to the switch. The switch's firmware fails to validate the packet properly, which leads to a buffer overflow or heap overflow and allows the attacker to trigger a reboot, denial of service, or code execution without authentication.
Prerequisites
- Network access to the switch on the same network segment (AV:A)
- No credentials required
- Standard network communication capability
- Remotely exploitable on local network segment
- No authentication required
- Low complexity attack
- Affects network infrastructure used in critical operations
- Multiple vulnerabilities in one advisory
- High CVSS score (9.6)
Exploitability
Moderate exploit probability (EPSS 3.4%)
Affected products (51)
51 with fix
Product | Affected Versions | Fix Status
SCALANCE X302-7 EEC (2x 24V) | < V4.1.4 | 4.1.4
SCALANCE X302-7 EEC (2x 24V, coated) | < V4.1.4 | 4.1.4
SCALANCE X302-7 EEC (2x 230V) | < V4.1.4 | 4.1.4
SCALANCE X302-7 EEC (2x 230V, coated) | < V4.1.4 | 4.1.4
SCALANCE X302-7 EEC (24V) | < V4.1.4 | 4.1.4
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update all SCALANCE X-300 switches to firmware version 4.1.4 or later
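To plan the firmware update, an asset inventory can be triaged against the fixed version given above. The following is an added example, not part of the advisory or any Siemens tooling; the function names, the inventory layout and the sample hosts are assumptions, and matching on family tokens is an approximation of the advisory's product table.

```python
import re

FIXED = (4, 1, 4)  # first fixed firmware version stated in the advisory
# Family tokens named on this page. Token matching is an assumption of this
# example and may over-match; the vendor's product table is authoritative.
FAMILIES = ("X302", "X304", "X306", "X307", "X308", "X310", "X320", "X408", "XR324")

def parse_version(text):
    """Parse 'V4.1.3', '4.1' or 'V04.01.04' into a 3-tuple; None if unparseable."""
    m = re.fullmatch(r"\s*[Vv]?(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*", text or "")
    return tuple(int(g or 0) for g in m.groups()) if m else None

def is_listed_model(model):
    """True if the model string names a SCALANCE family listed in the advisory."""
    name = model.upper()
    return "SCALANCE" in name and any(re.search(rf"\b{f}\b", name) for f in FAMILIES)

def triage(inventory):
    """Map each host to 'vulnerable', 'fixed', 'unknown' or 'not-listed'."""
    result = {}
    for host, model, firmware in inventory:
        version = parse_version(firmware)
        if not is_listed_model(model):
            result[host] = "not-listed"
        elif version is None:
            result[host] = "unknown"  # unreadable version: check by hand, do not assume patched
        elif version < FIXED:
            result[host] = "vulnerable"
        else:
            result[host] = "fixed"
    return result

# Constructed sample inventory: hostnames, models and firmware strings are made up.
SAMPLE = [
    ("sw-pump-01", "SCALANCE X308-2", "V4.1.3"),
    ("sw-pump-02", "SCALANCE X302-7 EEC (2x 24V)", "4.1.4"),
    ("sw-sub-03", "SCALANCE XR324-12M", "V04.01.02"),
    ("sw-sub-04", "SIPLUS NET SCALANCE X308-2", "n/a"),
    ("sw-office-05", "SCALANCE XB208", "V4.0"),
    ("sw-sub-06", "SCALANCE X310", "V4.2"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

Hosts reported as "unknown" have a listed model but an unreadable firmware string and should be treated as unpatched until verified on the device.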
CVEs (9)
API:
/api/v1/advisories/5396b5c6-3bd5-4c11-8149-fdaebae9abe8