Full Report
Several SCALANCE X switches contain multiple vulnerabilities. An unauthenticated attacker could reboot the device, cause denial-of-service conditions and potentially impact the system by other means through heap and buffer overflow vulnerabilities. Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not available, or not yet available.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in Siemens SCALANCE X Switch Devices
## CVE Details
- **CVE-2022-26647**
  - **CVSS Score:** 8.8 (High)
  - **CWE:** CWE-330: Use of Insufficiently Random Values
- **CVE-2022-26648**
  - **CVSS Score:** 8.2 (High)
  - **CWE:** CWE-120: Classic Buffer Overflow
- **CVE-2022-26649**
  - **CVSS Score:** 9.6 (Critical)
  - **CWE:** CWE-120: Classic Buffer Overflow
## Affected Systems
- **Products:**
  - SCALANCE X200-4P IRT, X201-3P IRT (Standard and PRO), X202-2IRT, X202-2P IRT (Standard and PRO)
  - SCALANCE X204-2, X204-2FM, X204-2LD, X204-2LD TS
- **Versions:**
  - SCALANCE X-200IRT family: All versions < V5.5.2
  - SCALANCE X-204 family: All versions < V5.2.6
- **Configurations:** Systems with the web management interface enabled are primarily at risk.
## Vulnerability Description
The SCALANCE X switches suffer from three distinct flaws in their web server implementation:
1. **Insecure Session Management (CVE-2022-26647):** The device calculates session IDs and nonces using weak randomness. This allows an attacker to brute-force active sessions and hijack them.
2. **GET Parameter Overflow (CVE-2022-26648):** The device fails to validate the `XNo` GET parameter, leading to a buffer overflow that can crash the device.
3. **URI Validation Overflow (CVE-2022-26649):** The device does not properly validate the URI of incoming HTTP GET requests, allowing for a heap/buffer overflow that can lead to a complete system crash or potential remote code execution.
## Exploitation
- **Status:** Proof of Concept (PoC) available (indicated by 'E:P' in CVSS vectors).
- **Complexity:** Low
- **Attack Vector:**
  - Network (CVE-2022-26647)
  - Adjacent (CVE-2022-26648, CVE-2022-26649)
## Impact
- **Confidentiality:** High (Session hijacking and potential system access)
- **Integrity:** High (Ability to modify switch configurations)
- **Availability:** High (Device reboot and Denial-of-Service)
## Remediation
### Patches
- **SCALANCE X-200IRT Family:** Update to V5.5.2 or later.
- **SCALANCE X-204 Family:** Update to V5.2.6 or later.
### Workarounds
- Disable the web server (HTTP/HTTPS management interface) if not required.
- Restrict access to the management interface using firewall rules or Access Control Lists (ACLs).
- Ensure the management network is isolated from the general production network.
## Detection
- **Indicators of Compromise:** Unexpected device reboots, unauthorized configuration changes, or high volumes of suspicious HTTP GET requests containing over-long URIs or unusual characters in the `XNo` parameter.
- **Detection Methods:** Use Intrusion Detection Systems (IDS) to monitor for brute-force attempts on session IDs or malformed HTTP requests targeting the management IP of SCALANCE switches.
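An added example (not from the Siemens advisory or the original analysis) of the detection logic described above, run over constructed sample request-log lines: it flags over-long request URIs, non-numeric or over-long `XNo` values, and a single source cycling through many distinct session IDs against the switch's management IP. The log format, management IP, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Thresholds are assumptions for illustration, not values from the advisory.
MAX_URI_LEN = 512        # request URIs longer than this are treated as overflow attempts
MAX_XNO_LEN = 8          # XNo is expected to be a short numeric index
XNO_OK = re.compile(r"^[0-9]+$")
MAX_DISTINCT_SIDS = 20   # more distinct session IDs than this from one source is suspicious

# Constructed log format: src dst "METHOD URI HTTP/x.y" status sid=<session id or ->
LINE_RE = re.compile(r'^(?P<src>\S+) (?P<dst>\S+) "(?P<method>[A-Z]+) (?P<uri>\S+) '
                     r'HTTP/[\d.]+" (?P<status>\d{3}) sid=(?P<sid>\S+)$')

def check_request(src, dst, uri, mgmt_ips):
    """Return alert strings for one request; only requests to a management IP are examined."""
    alerts = []
    if dst not in mgmt_ips:
        return alerts
    if len(uri) > MAX_URI_LEN:                       # CVE-2022-26649 pattern: over-long URI
        alerts.append(f"long-uri len={len(uri)} from {src}")
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    for val in query.get("XNo", []):                 # CVE-2022-26648 pattern: malformed XNo
        if len(val) > MAX_XNO_LEN or not XNO_OK.match(val):
            alerts.append(f"malformed-XNo value={val[:16]!r} from {src}")
    return alerts

def scan_log(lines, mgmt_ips):
    """Scan log lines; per-request alerts first, then per-source session-ID brute-force alerts."""
    alerts, sids_by_src = [], defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        alerts += check_request(m["src"], m["dst"], m["uri"], mgmt_ips)
        if m["dst"] in mgmt_ips and m["sid"] != "-":
            sids_by_src[m["src"]].add(m["sid"])
    for src, sids in sids_by_src.items():            # CVE-2022-26647 pattern: session guessing
        if len(sids) > MAX_DISTINCT_SIDS:
            alerts.append(f"session-id-bruteforce distinct={len(sids)} from {src}")
    return alerts

MGMT_IPS = {"192.0.2.10"}  # constructed management address of the switch
SAMPLE_LOG = [
    '10.0.0.5 192.0.2.10 "GET /index.html?XNo=12 HTTP/1.1" 200 sid=a1',  # benign request
    '10.0.0.9 192.0.2.10 "GET /index.html?XNo=' + "A" * 300 + ' HTTP/1.1" 500 sid=-',
    '10.0.0.9 192.0.2.10 "GET /' + "B" * 600 + ' HTTP/1.1" 500 sid=-',
] + [f'10.0.0.7 192.0.2.10 "GET /index.html HTTP/1.1" 401 sid={i:04x}' for i in range(25)]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG, MGMT_IPS):
        print(alert)
```

Requests to addresses outside `MGMT_IPS` are ignored, so the same scanner can run over a log that mixes switch management traffic with other hosts.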
## References
- Siemens Advisory: [https://cert-portal.siemens.com/productcert/html/ssa-310038.html](https://cert-portal.siemens.com/productcert/html/ssa-310038.html)
- SCALANCE X-200IRT Firmware: [https://support.industry.siemens.com/cs/ww/en/view/109817790/](https://support.industry.siemens.com/cs/ww/en/view/109817790/)
- SCALANCE X-204 Firmware: [https://support.industry.siemens.com/cs/ww/en/view/109811753/](https://support.industry.siemens.com/cs/ww/en/view/109811753/)