Siemens Security Advisory by Siemens ProductCERT

SSA-321046: Denial-of-Service Vulnerabilities in SCALANCE X-300/X408 Switch Family

Publication Date:    2015-01-19
Last Update:         2015-01-19
Current Version:     V1.0
CVSS Overall Score:  6.1

SUMMARY
The latest firmware update for the Siemens SCALANCE X-300 switch family and SCALANCE X408 fixes two vulnerabilities. Both could allow an attacker to cause a device reboot under certain conditions. An attacker must have network access to the device to exploit these vulnerabilities.

AFFECTED PRODUCTS
SCALANCE X-300 switch family: All versions < V4.0
SCALANCE X408: All versions < V4.0

Alternatively, the affected products may be identified by their MLFB (order number). Products with the following MLFBs are affected (a trailing "*" covers all variants of that order number):

6GK5302-7GD00-*
6GK5304-2BD00-2AA3
6GK5306-1BF00-2AA3
6GK5307-2FD00-*
6GK5307-3BL00-2AA3
6GK5307-3BM00-2AA3
6GK5307-3BM10-2AA3
6GK5308-2FL00-2AA3
6GK5308-2FL10-2AA3
6GK5308-2FM00-2AA3
6GK5308-2FM10-2AA3
6GK5308-2FN00-2AA3
6GK5308-2FN10-2AA3
6GK5308-2FP00-2AA3
6GK5308-2FP10-2AA3
6GK5308-2GG00-*
6GK5308-2QG00-2AA2
6GK5310-0BA00-2AA3
6GK5310-0BA10-2AA3
6GK5310-0FA00-2AA3
6GK5310-0FA10-2AA3
6GK5320-1BD00-2AA3
6GK5320-3BF00-2AA3
6GK5324-0GG00-*
6GK5324-4GG00-*
6GK5324-4QG00-*
6GK5408-2FD00-2AA2

DESCRIPTION
SCALANCE X-300 switches are used to connect industrial components such as Programmable Logic Controllers (PLCs) or Human Machine Interfaces (HMIs). The switches offer a web interface that lets users change the configuration with a common web browser, as well as an FTP server for downloading and uploading configuration and firmware files. The web server and the FTP server of the vulnerable switches are susceptible to remote denial-of-service attacks. The vulnerabilities have been fixed with firmware version V4.0. Detailed information on the vulnerabilities is provided below.

VULNERABILITY CLASSIFICATION
The vulnerability classification has been performed using the CVSSv2 scoring system (http://www.first.org/cvss/).
The CVSS environmental score is specific to the customer's environment and will affect the overall CVSS score. The environmental score should therefore be defined individually by the customer to arrive at the final score.

Vulnerability 1 (CVE-2014-8478)
The web server of the affected switches could allow unauthenticated users to cause a device reboot if malformed HTTP requests are sent to the web server (port 80/tcp or port 443/tcp). To achieve this, an attacker must be able to reach the HTTP interface over the network. No packets are forwarded to connected devices until the reboot is completed.

CVSS Base Score:      7.8
CVSS Temporal Score:  6.1
CVSS Overall Score:   6.1
CVSS Vector:          AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C

Vulnerability 2 (CVE-2014-8479)
The FTP server of the affected switches could allow authenticated users to cause a device reboot if specially crafted network packets are sent to the FTP server (port 21/tcp). No packets are forwarded to connected devices until the reboot is completed.

CVSS Base Score:      6.8
CVSS Temporal Score:  5.3
CVSS Overall Score:   5.3
CVSS Vector:          AV:N/AC:L/Au:S/C:N/I:N/A:C/E:POC/RL:OF/RC:C

Mitigating factors:
An attacker must have network access to the affected devices. For vulnerability 2, the attacker must additionally be able to log in to the FTP server.

SOLUTION
Siemens provides firmware update V4.0 [1], which fixes both vulnerabilities, and recommends updating as soon as possible. Siemens also recommends protecting network access to all products except perimeter devices with appropriate mechanisms. It is advised to follow recommended security practices [4] and to configure the environment according to the operational guidelines [2] in order to run the devices in a protected IT environment.

ACKNOWLEDGEMENT
Siemens thanks Deja vu Security for coordinated disclosure.
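Before rolling out V4.0, an operator needs to know which units are actually in scope. The following Python is an added example, not Siemens code or part of the advisory: it turns the advisory's AFFECTED PRODUCTS list into an inventory check that matches each device's MLFB order number against the listed patterns (a trailing "*" covers every variant of that order number) and compares its firmware version against V4.0. The sample inventory records and the assumed "V3.9.0"-style firmware version string format are constructed for this example; a record whose version string cannot be parsed is reported as an error rather than silently counted as patched.

```python
"""Inventory check for SSA-321046 (added example, not Siemens code).

Input: (device name, MLFB order number, firmware version string) records,
e.g. exported from an asset database. Output: which devices still need the
V4.0 update. MLFB patterns and the "< V4.0" threshold come from the advisory;
the version string format and the sample inventory are assumptions.
"""
from fnmatch import fnmatchcase
import re

# MLFBs listed in SSA-321046. A trailing "*" covers all variants of that order number.
AFFECTED_MLFBS = [
    "6GK5302-7GD00-*", "6GK5304-2BD00-2AA3", "6GK5306-1BF00-2AA3", "6GK5307-2FD00-*",
    "6GK5307-3BL00-2AA3", "6GK5307-3BM00-2AA3", "6GK5307-3BM10-2AA3", "6GK5308-2FL00-2AA3",
    "6GK5308-2FL10-2AA3", "6GK5308-2FM00-2AA3", "6GK5308-2FM10-2AA3", "6GK5308-2FN00-2AA3",
    "6GK5308-2FN10-2AA3", "6GK5308-2FP00-2AA3", "6GK5308-2FP10-2AA3", "6GK5308-2GG00-*",
    "6GK5308-2QG00-2AA2", "6GK5310-0BA00-2AA3", "6GK5310-0BA10-2AA3", "6GK5310-0FA00-2AA3",
    "6GK5310-0FA10-2AA3", "6GK5320-1BD00-2AA3", "6GK5320-3BF00-2AA3", "6GK5324-0GG00-*",
    "6GK5324-4GG00-*", "6GK5324-4QG00-*", "6GK5408-2FD00-2AA2",
]
FIXED_VERSION = (4, 0)   # "All versions < V4.0" are affected


def parse_version(version):
    """Turn 'V3.9.0', 'v 4.0' or '4.0.1' into a tuple of ints for comparison.

    Raises ValueError for anything that is not a dotted version number, so a
    malformed inventory record is flagged instead of being treated as patched.
    The accepted format is an assumption of this example.
    """
    m = re.fullmatch(r"\s*[vV]?\s*(\d+(?:\.\d+)*)\s*", version)
    if not m:
        raise ValueError(f"unrecognised firmware version: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def mlfb_in_scope(mlfb):
    """True if the order number matches one of the advisory's MLFB patterns."""
    mlfb = mlfb.strip().upper()
    return any(fnmatchcase(mlfb, pattern) for pattern in AFFECTED_MLFBS)


def is_vulnerable(mlfb, firmware):
    """Affected product and firmware below the fixed version."""
    return mlfb_in_scope(mlfb) and parse_version(firmware) < FIXED_VERSION


def triage(inventory):
    """Sort (name, mlfb, firmware) records into update / patched / out_of_scope / errors."""
    result = {"update": [], "patched": [], "out_of_scope": [], "errors": []}
    for name, mlfb, firmware in inventory:
        if not mlfb_in_scope(mlfb):
            result["out_of_scope"].append(name)
            continue
        try:
            bucket = "update" if parse_version(firmware) < FIXED_VERSION else "patched"
        except ValueError as exc:
            result["errors"].append((name, str(exc)))
            continue
        result[bucket].append(name)
    return result


# Constructed sample inventory; names, variants and versions are not real devices.
SAMPLE_INVENTORY = [
    ("sw-cell1-01", "6GK5308-2FL00-2AA3", "V3.9.0"),
    ("sw-cell1-02", "6GK5308-2FL00-2AA3", "V4.0"),
    ("sw-ring-01",  "6GK5324-4GG00-2AR3", "V3.7.1"),   # matched by the "6GK5324-4GG00-*" pattern
    ("sw-ring-02",  "6GK5408-2FD00-2AA2", "V4.0.1"),
    ("sw-other-01", "6GK5208-0BA10-2AA3", "V3.0"),     # order number not in the advisory
    ("sw-unknown",  "6GK5310-0BA00-2AA3", "n/a"),      # version unknown: must not pass silently
]

if __name__ == "__main__":
    for bucket, names in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {names}")
```

Version strings are compared as tuples, so V4.0.1 is correctly treated as not below V4.0 while V3.10 sorts below V4.0; a plain string comparison would get the second case wrong.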
ADDITIONAL RESOURCES
[1] The firmware update can be obtained here: http://support.automation.siemens.com/WW/view/en/107178573
[2] An overview of the operational guidelines for Industrial Security (with the cell protection concept): http://www.industry.siemens.com/topics/global/en/industrialsecurity/Documents/operational_guidelines_industrial_security_en.pdf
[3] Information about Industrial Security by Siemens: http://www.siemens.com/industrialsecurity
[4] Recommended security practices by ICS-CERT: http://ics-cert.us-cert.gov/content/recommended-practices
[5] For further inquiries on vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: http://www.siemens.com/cert/advisories

HISTORY DATA
V1.0 (2015-01-19): Publication Date

DISCLAIMER
See: http://www.siemens.com/terms_of_use

SSA-321046 © Siemens AG 2015