Full Report
Siemens has closed serious vulnerabilities in its solutions. Affected devices include SCALANCE M875 industrial routers and SCALANCE X switches.
Analysis Summary
The following technical summary of the vulnerabilities is based on the Siemens security advisory regarding SCALANCE industrial networking devices.
# Vulnerability: Multiple Flaws in Siemens SCALANCE Routers and Switches
## CVE Details
- **CVE ID:** CVE-2018-11451
- **CVSS Score:** 7.5 (High)
- **CWE:** CWE-20 (Improper Input Validation)
- **CVE ID:** CVE-2018-11452
- **CVSS Score:** 5.3 (Medium)
- **CWE:** CWE-200 (Information Exposure)
## Affected Systems
- **Products:**
  - SCALANCE M-800 / S615 family (Industrial Routers/Firewalls)
  - SCALANCE X-200IRT (Industrial Ethernet Switches)
- **Versions:**
  - SCALANCE M-800 / S615: All versions prior to v5.2.1
  - SCALANCE X-200IRT: All versions prior to v5.4.1
- **Configurations:** Devices with the web-based management interface enabled.
## Vulnerability Description
The primary vulnerability (**CVE-2018-11451**) involves improper validation of input during specific HTTP requests. An unauthenticated remote attacker can send a specially crafted packet to the web server of the affected device (port 80/TCP or 443/TCP) and crash the management service, resulting in a Denial of Service (DoS) condition.
The secondary vulnerability (**CVE-2018-11452**) allows an unauthenticated attacker to access certain system information via the web interface that should otherwise be protected, leading to information disclosure that could assist in further attacks.
## Exploitation
- **Status:** Not exploited (No reports of active exploitation in the wild at the time of disclosure).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** Low (Information disclosure in CVE-2018-11452)
- **Integrity:** None
- **Availability:** High (Service crash/DoS in CVE-2018-11451)
## Remediation
### Patches
Siemens released the following firmware updates to address these issues:
- **SCALANCE M-800 / S615:** Update to version **v5.2.1** or later.
- **SCALANCE X-200IRT:** Update to version **v5.4.1** or later.
### Workarounds
If patching is not immediately possible:
- Disable the Web-based Management interface if not required for operations.
- Use the CLI (Command Line Interface) for configuration.
- Restrict access to the management ports (80/443) to trusted IP addresses using external firewalls.
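The patch levels and the web-management workaround above can be checked against an asset inventory. The following is an added example, not part of the Siemens advisory: the CSV columns, host names and firmware string formats (optional `V` prefix, zero-padded fields) are constructed assumptions, and only the family names and fixed versions come from this page.

```python
import csv
import io
import re

# Fixed firmware versions as stated in the Patches section of this page.
FIXED = {
    "M-800/S615": (5, 2, 1),
    "X-200IRT": (5, 4, 1),
}

# Constructed inventory export (hypothetical columns, hosts and values).
SAMPLE_INVENTORY = """host,family,firmware,wbm_enabled
rtr-line1,M-800/S615,V5.1.2,yes
rtr-line2,M-800/S615,v05.02.01,yes
sw-cell3,X-200IRT,V5.3.0,no
sw-cell4,X-200IRT,5.4.1,yes
sw-cell5,X-200IRT,unknown,yes
sw-office,OTHER,V4.1.0,yes
"""

def parse_version(text):
    """Return (major, minor, patch) as ints, or None if not a dotted version."""
    m = re.fullmatch(r"[vV]?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def triage(inventory_csv):
    """Map each host to a remediation status based on family, firmware and WBM state."""
    results = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        fixed = FIXED.get(row["family"])
        version = parse_version(row["firmware"])
        if fixed is None:
            status = "out-of-scope"        # family not listed on this page
        elif version is None:
            status = "unknown-version"     # treat as unpatched until verified
        elif version >= fixed:
            status = "patched"
        elif row["wbm_enabled"].strip().lower() == "yes":
            status = "unpatched-wbm-on"    # patch, or apply the workarounds
        else:
            status = "unpatched-wbm-off"   # workaround in place, patch pending
        results[row["host"]] = status
    return results

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```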
## Detection
- **Indicators of Compromise:** Intermittent loss of access to the Web-Based Management (WBM) interface or unexpected device reboots.
- **Detection methods:** Monitor network traffic for unusual HTTP/HTTPS patterns directed at SCALANCE management IPs. Utilize ICS-aware IDS signatures to identify malformed packets targeting Siemens web services.
## References
- **Siemens Security Advisory SSA-344937:** hxxps[://]cert-portal.siemens[.]com/productcert/pdf/ssa-344937.pdf
- **Kaspersky ICS CERT:** hxxps[://]ics-cert.kaspersky[.]com/publications/blog/2018/06/19/dangerous-vulnerabilities-fixed-in-siemens-routers-and-switches/
- **NVD CVE-2018-11451:** hxxps[://]nvd.nist[.]gov/vuln/detail/CVE-2018-11451