OTPulse

Stack Overflow Vulnerability in SCALANCE and RUGGEDCOM Devices

Plan: Patch
CVSS: 8.8
Siemens advisory: SSA-979775
Date: Mar 9, 2021
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A stack overflow vulnerability exists in the passive listening feature of SCALANCE and RUGGEDCOM network switches. An attacker can send malformed packets to trigger the overflow, causing device reboot or, under specific circumstances, remote code execution. The vulnerability affects multiple SCALANCE switch families (M-800, S615, SC-600, XB-200, XC-200, XF-200BA, XM400, XP-200, XR500, XR-300WG) and RUGGEDCOM RM1224, with firmware versions ranging from v2.0 to v6.3 depending on product line. Siemens has released firmware updates addressing the issue across all affected products.

What this means
What could happen
An attacker with access to your network could send malformed traffic to trigger a stack overflow on SCALANCE or RUGGEDCOM network devices, causing them to reboot and temporarily lose connectivity. Under specific conditions, an attacker could potentially execute arbitrary code on the device, giving them control over network traffic routing and security functions.
Who's at risk
This vulnerability affects network infrastructure operators running Siemens industrial network devices. Any organization using SCALANCE or RUGGEDCOM switches for critical process network connectivity—especially water authorities, electric utilities, and manufacturing plants—should verify their device inventory against the affected product list. These devices typically carry SCADA network traffic and control network segmentation.
How it could be exploited
An attacker on the same network segment (or routed network) sends specially crafted packets to the passive listening feature of the affected device. The stack overflow is triggered when the device processes the malformed data, either causing an immediate reboot or, with specific packet content and device configuration, allowing code execution that bypasses device protections.
Prerequisites
  • Network access to the affected SCALANCE or RUGGEDCOM device (Layer 3 reachability)
  • No authentication required; vulnerability is in an unauthenticated service
  • Device must be running a vulnerable firmware version (see affected products list)
Tags: remotely exploitable · no authentication required · low complexity attack · affects network security boundary enforcement · all affected products have patches available
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (11)
11 with fix
Product                  Affected Versions       Fix Status
RUGGEDCOM RM1224         ≥ V4.3 and < V6.4       6.4
SCALANCE M-800           ≥ V4.3 and < V6.4       6.4
SCALANCE S615            ≥ V4.3 and < V6.4       6.4
SCALANCE SC-600 Family   ≥ V2.0 and < V2.1.3     2.1.3
SCALANCE XB-200          < V4.1                  4.1
SCALANCE XC-200          < V4.1                  4.1
SCALANCE XF-200BA        < V4.1                  4.1
SCALANCE XM400           < V6.2                  6.2
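The advisory asks operators to verify their device inventory against the affected product list. The script below is an added example (not OTPulse or Siemens tooling) that encodes the version ranges from the table above and checks a constructed sample inventory against them; the hostnames and firmware strings in SAMPLE_INVENTORY are made up, and products not shown in the table are reported as unknown rather than safe.

```python
import re

# Affected ranges from the table above: (min inclusive or None, max exclusive == fixed version).
# Only the rows shown in the table are encoded; other products are reported as "unknown", not "safe".
AFFECTED = {
    "RUGGEDCOM RM1224":       ("4.3", "6.4"),
    "SCALANCE M-800":         ("4.3", "6.4"),
    "SCALANCE S615":          ("4.3", "6.4"),
    "SCALANCE SC-600 Family": ("2.0", "2.1.3"),
    "SCALANCE XB-200":        (None, "4.1"),
    "SCALANCE XC-200":        (None, "4.1"),
    "SCALANCE XF-200BA":      (None, "4.1"),
    "SCALANCE XM400":         (None, "6.2"),
}

def parse_version(text, width=4):
    """'V6.3', 'v2.1.3' or '6.4' -> fixed-width int tuple, so '4.1' == '4.1.0'."""
    m = re.fullmatch(r"\s*[vV]?(\d+(?:\.\d+)*)\s*", text)
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (width - len(parts))

def is_affected(product, firmware):
    """(True/False, fix version) for a tabled product; (None, None) if not in the table."""
    if product not in AFFECTED:
        return None, None
    low, high = AFFECTED[product]
    v = parse_version(firmware)
    in_range = (low is None or v >= parse_version(low)) and v < parse_version(high)
    return in_range, high

def audit(inventory):
    """Split (hostname, product, firmware) rows into vulnerable and unknown lists."""
    vulnerable, unknown = [], []
    for host, product, fw in inventory:
        affected, fix = is_affected(product, fw)
        if affected is None:
            unknown.append((host, product, fw))
        elif affected:
            vulnerable.append((host, product, fw, fix))
    return vulnerable, unknown

# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("sw-core-01", "SCALANCE XM400", "V6.1"),            # below 6.2: affected
    ("sw-core-02", "SCALANCE XM400", "V6.2"),            # equals the fix: not affected
    ("rtr-site-a", "RUGGEDCOM RM1224", "V4.2"),          # below the 4.3 lower bound
    ("rtr-site-b", "RUGGEDCOM RM1224", "V6.3"),          # inside [4.3, 6.4): affected
    ("fw-cell-03", "SCALANCE SC-600 Family", "V2.1.2"),  # below 2.1.3: affected
    ("sw-ring-07", "SCALANCE XP-200", "V4.0"),           # not in the table: unknown
]
```

Run `audit(SAMPLE_INVENTORY)` to get the vulnerable rows with their fix version and the unknown rows that need checking against the full Siemens advisory.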
Remediation & Mitigation

Do now
  • HARDENING: Restrict network access to affected devices using firewall rules or network segmentation; only authorized management workstations and other network devices should be able to reach these units.

Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

RUGGEDCOM RM1224
  • HOTFIX: Update RUGGEDCOM RM1224 to firmware version 6.4 or later
SCALANCE M-800
  • HOTFIX: Update SCALANCE M-800 to firmware version 6.4 or later
SCALANCE S615
  • HOTFIX: Update SCALANCE S615 to firmware version 6.4 or later
SCALANCE SC-600 Family
  • HOTFIX: Update SCALANCE SC-600 Family to firmware version 2.1.3 or later
SCALANCE XB-200
  • HOTFIX: Update SCALANCE XB-200, XC-200, XF-200BA, and XP-200 to firmware version 4.1 or later
SCALANCE XM400
  • HOTFIX: Update SCALANCE XM400 and XR500 to firmware version 6.2 or later
SCALANCE XR-300WG
  • HOTFIX: Update SCALANCE XR-300WG to firmware version 4.1 or later