Bug in Siemens SCALANCE X-200

Friday, October 4, 2013 @ 12:10 PM gHale


Siemens found an authentication bypass vulnerability in the SCALANCE X-200 switch product family, according to a report on ICS-CERT.

Researcher Eireann Leverett of IOActive coordinated disclosure of the remotely exploitable vulnerability with Siemens. This issue only applies to switches using older firmware versions; firmware V4.5.0 (non-IRT) and V5.1.0 (IRT) and later fix the problem. Siemens has reported the resolution to ICS-CERT.


The vulnerability affects the following versions:
• SCALANCE X-200 switch family with firmware version prior to V4.5.0.
• SCALANCE X-200IRT (Isochronous Real-Time) switch family with firmware version prior to V5.1.0.

Alternatively, the user may be able to identify the affected products by using their Machine-Readable Product Designation (MLFB). Products with the following MLFBs may suffer from the issue:

SCALANCE X-200 MLFBs:
6GK5224-0BA00-2AA3, 6GK5216-0BA00-2AA3, 6GK5212-2BB00-2AA3
6GK5212-2BC00-2AA3, 6GK5208-0BA10-2AA3, 6GK5206-1BB10-2AA3, 6GK5206-1BC10-2AA3, 6GK5204-2BB10-2AA3, 6GK5204-2BC10-2AA3, 6GK5208-0HA10-2AA6, 6GK5204-0BA00-2AF2, 6GK5208-0BA00-2AF2, 6GK5206-1BC00-2AF2, 6GK5204-2BC00-2AF2, 6GK5204-2BB10-2CA2

SCALANCE X-200IRT MLFBs:
6GK5201-3JR00-2BA6, 6GK5204-0BA00-2BF2, 6GK5204-0JA00-2BA6, 6GK5202-2JR00-2BA6, 6GK5202-2BH00-2BA3, 6GK5201-3BH00-2BA3, 6GK5200-4AH00-2BA3, 6GK5202-2BB00-2BA3, 6GK5204-0BA00-2BA3

Successful exploitation of this vulnerability may allow attackers to perform administrative operations over the network without authentication.
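As an added example (not part of the article or of Siemens' advisory), the affected-version rule above turned into an asset-inventory check: each device is matched to its family by MLFB and its firmware compared against the fix threshold for that family. The firmware string format ("V4.4.1") and the sample inventory are assumptions constructed for the example.

```python
# Added example, not from the article or Siemens: triage a switch inventory
# against the affected-version thresholds and MLFB lists quoted above.
import re
# Firmware versions from which the issue is fixed, per family (from the article).
FIXED_FROM = {"X-200": (4, 5, 0), "X-200IRT": (5, 1, 0)}
# MLFBs the article lists as potentially affected.
X200_MLFBS = {
    "6GK5224-0BA00-2AA3", "6GK5216-0BA00-2AA3", "6GK5212-2BB00-2AA3",
    "6GK5212-2BC00-2AA3", "6GK5208-0BA10-2AA3", "6GK5206-1BB10-2AA3",
    "6GK5206-1BC10-2AA3", "6GK5204-2BB10-2AA3", "6GK5204-2BC10-2AA3",
    "6GK5208-0HA10-2AA6", "6GK5204-0BA00-2AF2", "6GK5208-0BA00-2AF2",
    "6GK5206-1BC00-2AF2", "6GK5204-2BC00-2AF2", "6GK5204-2BB10-2CA2",
}
X200IRT_MLFBS = {
    "6GK5201-3JR00-2BA6", "6GK5204-0BA00-2BF2", "6GK5204-0JA00-2BA6",
    "6GK5202-2JR00-2BA6", "6GK5202-2BH00-2BA3", "6GK5201-3BH00-2BA3",
    "6GK5200-4AH00-2BA3", "6GK5202-2BB00-2BA3", "6GK5204-0BA00-2BA3",
}

def parse_version(text):
    """Turn 'V4.4.1' (or '4.4.1') into a tuple of ints so versions compare numerically."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(x) for x in m.groups())

def family_for(mlfb):
    """Map an MLFB to its product family, or None if the advisory does not list it."""
    if mlfb in X200IRT_MLFBS:
        return "X-200IRT"
    if mlfb in X200_MLFBS:
        return "X-200"
    return None

def is_affected(mlfb, firmware):
    """True if a listed MLFB runs firmware below its fix threshold; None if the MLFB is not listed."""
    family = family_for(mlfb)
    if family is None:
        return None
    return parse_version(firmware) < FIXED_FROM[family]

def triage(inventory):
    """Return the names of devices that need the firmware upgrade."""
    return [name for name, mlfb, fw in inventory if is_affected(mlfb, fw)]

# Constructed sample inventory: (hostname, MLFB, firmware) as an asset register might hold it.
SAMPLE_INVENTORY = [
    ("sw-cell1", "6GK5208-0BA10-2AA3", "V4.4.1"),  # X-200 below V4.5.0: affected
    ("sw-cell2", "6GK5208-0BA10-2AA3", "V4.5.0"),  # X-200 at the fix version: not affected
    ("sw-irt1", "6GK5204-0BA00-2BA3", "V5.0.3"),   # X-200IRT below V5.1.0: affected
    ("sw-irt2", "6GK5204-0BA00-2BA3", "V5.1.2"),   # X-200IRT at the recommended version: not affected
]
```

Devices whose MLFB is not in either list come back as None rather than "not affected", so they can be reviewed separately instead of being silently cleared.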

Munich, Germany-based Siemens develops products mainly in the energy, transportation, and healthcare sectors.

The affected products, SCALANCE X-200 switches, connect industrial components such as PLCs or HMIs. These switches use a Web-based interface that enables administrators to change device configuration using an Internet browser.

The integrated Web server of SCALANCE X-200 switches might allow attackers to perform administrative operations over the network without authentication.
CVE-2013-5944 is the number assigned to this vulnerability, which has a CVSS v2 base score of 10.0.

No known public exploits specifically target this vulnerability, but an attacker with low skill would be able to exploit it.

Siemens recommends upgrading to the current SCALANCE X-200 firmware versions V5.0.1 (non-IRT) and V5.1.2 (IRT). These versions are not vulnerable to the authentication bypass issue.

Click here for the firmware update for SCALANCE X-200.

Click here for the firmware update for SCALANCE X-200IRT.

Here is the Siemens security advisory related to the vulnerability.
