Clickjacking Vulnerability in SCALANCE S, SCALANCE X-300, X-200IRT, X-200RNA and X-200 Switch Families
Monitor | Score 4.2 | SSA-951513 | Feb 11, 2020
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: Required
Summary
SCALANCE S and SCALANCE X-series managed switches contain a clickjacking vulnerability in their web-based administrative interface. An attacker could trick an authenticated administrator into clicking a malicious link, allowing the attacker to perform administrative actions on the switch (such as configuration changes) without the administrator's knowledge. The attack requires the administrator to have an active authenticated session on the switch's web interface and to click a link provided by the attacker.
What this means
What could happen
An attacker could change switch configuration, modify network settings, or disrupt network connectivity by tricking an authenticated administrator into clicking a malicious link. This could disrupt process communications and device connectivity, or introduce network security weaknesses.
Who's at risk
Water utilities and electric utilities operating Siemens SCALANCE managed switches used for process automation networks, SCADA communications, or critical infrastructure networking. The SCALANCE S and X-series switches are commonly deployed in industrial networks to separate and manage traffic between engineering workstations, PLCs, RTUs, and other control devices. Any organization using these switches for network administration should update immediately.
How it could be exploited
An attacker sends a phishing email or embeds a malicious link on a compromised website. When an administrator with an active session on the switch's web interface clicks the link, the attacker's site performs unwanted actions (configuration changes, account modifications) on behalf of the authenticated user without confirmation.
Prerequisites
- Administrator must have an active authenticated session on the switch's web management interface
- Administrator must be tricked into clicking an attacker-controlled link
- Network access to the switch's web management port (typically 80/443)
- Requires user interaction (social engineering/phishing)
- Affects network infrastructure (potential to disrupt communications between critical devices)
- Authenticated session required, but one is likely to exist in operational environments
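The attack described above only works if the switch's management page can be loaded inside a frame on a page the attacker controls. The following added check (example code, not Siemens code or anything from the SCALANCE firmware) decides from a response's headers whether a given origin could frame it, so a defender can verify a management interface before and after patching; the two sample responses are constructed, not captured from a device.

```python
# Added example (not Siemens code): a defender-side check of whether a web
# management page can be framed cross-origin, the precondition for clickjacking.

def parse_headers(raw: str) -> dict:
    """Turn a raw HTTP response (status line + headers) into a lowercase dict."""
    headers = {}
    for line in raw.splitlines()[1:]:      # skip the status line
        if not line.strip():
            break                          # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers

def frame_ancestors(csp: str):
    """Return the frame-ancestors source list from a CSP value, else None."""
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            return [p.strip("'").lower() for p in parts[1:]]
    return None

def framing_allowed(headers: dict, page_origin: str, framer_origin: str) -> bool:
    """True if framer_origin could embed a page served with these headers.
    CSP frame-ancestors, when present, overrides X-Frame-Options; host sources
    are compared as whole origins and wildcard hosts are not handled."""
    sources = None
    if "content-security-policy" in headers:
        sources = frame_ancestors(headers["content-security-policy"])
    if sources is not None:
        if "none" in sources:
            return False
        if "self" in sources and framer_origin == page_origin:
            return True
        return "*" in sources or framer_origin.lower() in sources
    xfo = headers.get("x-frame-options", "").upper()
    if xfo == "DENY":
        return False
    if xfo == "SAMEORIGIN":
        return framer_origin == page_origin
    return True  # neither header present: any site may frame the page

# Constructed sample responses (not captured from a real device): an
# unprotected management UI and the same page with framing denied.
VULNERABLE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nSet-Cookie: sid=abc; HttpOnly\r\n\r\n<html>"
HARDENED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n"
            "Content-Security-Policy: frame-ancestors 'none'\r\n\r\n<html>")

def is_clickjackable(raw_response: str, page_origin: str, framer_origin: str) -> bool:
    """Can framer_origin frame the page carried in raw_response?"""
    return framing_allowed(parse_headers(raw_response), page_origin, framer_origin)
```

A response that yields True for an untrusted origin is the condition the workarounds and firmware updates in this advisory are meant to close.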
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (8)
8 with fix
Product | Affected Versions | Fix Status
SCALANCE S602 | < V4.1 | 4.1
SCALANCE S612 | < V4.1 | 4.1
SCALANCE S623 | < V4.1 | 4.1
SCALANCE S627-2M | < V4.1 | 4.1
SCALANCE X-200 switch family (incl. SIPLUS NET variants) | < 5.2.4 | 5.2.4
SCALANCE X-200IRT switch family (incl. SIPLUS NET variants) | < V5.5.0 | 5.5.0
SCALANCE X-200RNA switch family | < V3.2.7 | 3.2.7
SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) | < 4.1.3 | 4.1.3
Remediation & Mitigation
Do now
WORKAROUND: Train administrators to be cautious of unsolicited links and to verify that they themselves initiated any action on critical network devices
Schedule — requires maintenance window
Patching may require a device reboot — plan for process interruption
HOTFIX: Update SCALANCE S602, S612, S623, S627-2M to firmware version 4.1 or later
HOTFIX: Update SCALANCE X-200RNA switch family to firmware version 3.2.7 or later
HOTFIX: Update SCALANCE X-200 switch family (including SIPLUS NET variants) to firmware version 5.2.4 or later
HOTFIX: Update SCALANCE X-200IRT switch family (including SIPLUS NET variants) to firmware version 5.5.0 or later
HOTFIX: Update SCALANCE X-300 switch family (including X408 and SIPLUS NET variants) to firmware version 4.1.3 or later
Long-term hardening
HARDENING: Implement network segmentation to restrict administrative access to switch management interfaces to trusted engineering workstations only
HARDENING: Disable web-based management on switches if it is not required; use the serial console or SSH for administration instead
CVEs (1)