Siemens Clears SCALANCE X Hole

Wednesday, June 12, 2019 @ 10:06 AM gHale

Siemens has workarounds and mitigations to handle a storing passwords in a recoverable format vulnerability in its SCALANCE X Switches, according to a report with NCCIC.

Successful exploitation of this vulnerability, discovered by Christopher Wade from Pen Test Partners, could allow an attacker to reconstruct passwords for users of the affected devices if the attacker is able to obtain a backup of the device configuration.

RELATED STORIES
Siemens has Fix for LOGO!8 Devices
Siemens Workaround for SIMATIC Ident Holes
Siemens has Update for Siveillance VMS
Hole in Medical Device DICOM Standard

The following Siemens SCALANCE X products are affected by this vulnerability:
• SCALANCE X-200: all versions prior to v5.2.4
• SCALANCE X-200IRT: all versions
• SCALANCE X-300: all versions
• SCALANCE X-414-3E: all versions

In the vulnerability, the affected devices store passwords in a recoverable format. An attacker may extract and recover device passwords from the device configuration. Successful exploitation requires access to a device configuration backup and impacts confidentiality of the stored passwords.

CVE-2019-6567 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.1.

The product sees use in the chemical, critical manufacturing, energy, food and agriculture, and water and wastewater systems sectors. It also sees action on a global basis.

No known public exploits specifically target this vulnerability. This vulnerability is not exploitable remotely. However, an attacker with low skill level could leverage the issue.

Siemens identified the following specific workarounds/mitigations to reduce the risk from this vulnerability:
• SCALANCE X-200: Update to v5.2.4
• SCALANCE X-200IRT: See recommendations following
• SCALANCE X-300: See recommendations following
• SCALANCE X-414-3E: Migrate to the SCALANCE XM400 product line

Until additional updates are available, Siemens recommends users apply the following workarounds/mitigations to reduce the risk from this vulnerability:
• Restrict access to configuration backups or archived device configuration data
• Restrict or disable network access to mechanisms that allow retrieval of device configuration, if enabled
• Restrict access to device configuration module C-PLUG, if in use

As a general security measure, Siemens recommends users protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security, and to follow the recommendations in the product manuals.

For further inquiries on security vulnerabilities in Siemens products and solutions, contact the Siemens ProductCERT.



Leave a Reply

You must be logged in to post a comment.