Siemens Security Advisory by Siemens ProductCERT

SSA-954136: User Impersonation Vulnerability in SCALANCE X-200IRT Switch Family

Publication Date:   2015-02-02
Last Update:        2015-02-02
Current Version:    V1.0
CVSS Overall Score: 5.3

Summary:
The latest firmware update for the SCALANCE X-200IRT switch family fixes a vulnerability which could allow attackers to impersonate legitimate users of the web interface.

AFFECTED PRODUCTS

SCALANCE X-200IRT switch family: All versions < V5.2.0

Alternatively, the affected products may be identified by using their MLFB. Products with the following MLFBs are affected:

6GK5201-3BH00-2BA3
6GK5200-4AH00-2BA3
6GK5202-2BB00-2BA3
6GK5204-0BA00-2BA3
6GK5201-3JR00-2BA6
6GK5204-0BA00-2BF2
6GK5204-0JA00-2BA6
6GK5202-2JR00-2BA6
6GK5202-2BH00-2BA3

DESCRIPTION

SCALANCE X-200IRT (Isochronous Realtime Ethernet) switches are used to connect industrial components like Programmable Logic Controllers (PLCs) or Human Machine Interfaces (HMIs). The switches offer a web interface to enable users to change the configuration using a common web browser.

The vulnerability has been fixed in firmware version V5.2.0. Detailed information about the vulnerability is provided below.

VULNERABILITY CLASSIFICATION

The vulnerability classification has been performed by using the CVSSv2 scoring system (http://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

Vulnerability Description (CVE-2015-1049)

The device’s web server could allow unauthenticated attackers to impersonate legitimate users of the web interface (port 80/tcp and port 443/tcp) if an active web session of an authenticated user exists at the time of attack.
CVSS Base Score:     6.8
CVSS Temporal Score: 5.3
CVSS Overall Score:  5.3 (AV:N/AC:M/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C)

Mitigating Factors:
The attacker must have network access to the device and a legitimate user must be logged in to the switches’ web interface. Siemens recommends operating the affected device only within trusted networks [2].

SOLUTION

Siemens has released the SCALANCE X-200IRT firmware version V5.2.0 [1] which fixes the vulnerability and recommends updating as soon as possible.

As a general security measure, Siemens strongly recommends protecting network access to the web interface of SCALANCE X-200IRT switches by appropriate mechanisms. It is advised to follow recommended security practices [4] and to configure the environment according to operational guidelines [2] in order to run the devices in a protected IT environment.

ADDITIONAL RESOURCES

[1] The firmware update can be obtained here:
    http://support.automation.siemens.com/WW/view/en/108892137
[2] An overview of the operational guidelines for Industrial Security (with the cell protection concept):
    http://www.industry.siemens.com/topics/global/en/industrialsecurity/Documents/operational_guidelines_industrial_security_en.pdf
[3] Information about Industrial Security by Siemens:
    http://www.siemens.com/industrialsecurity
[4] Recommended security practices by ICS-CERT:
    http://ics-cert.us-cert.gov/content/recommended-practices
[5] For further inquiries regarding vulnerabilities in Siemens products and solutions, please contact Siemens ProductCERT:
    http://www.siemens.com/cert/advisories

HISTORY DATA

V1.0 (2015-02-02): Publication Date

DISCLAIMER

See: http://www.siemens.com/terms_of_use

SSA-954136 © Siemens AG 2015