Full Report
The SSH server on SCALANCE X-200IRT devices is configured to offer weak ciphers by default. This could allow an unauthorized attacker in a man-in-the-middle position to read and modify any data passed over the connection between legitimate clients and the affected device. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Weak default SSH ciphers in SCALANCE X-200IRT
## CVE Details
- **CVE ID:** CVE-2023-29054
- **CVSS Score:** 6.7 (Medium)
- **CVSS Vector:** CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:H
- **CWE:** CWE-326: Inadequate Encryption Strength
## Affected Systems
- **Products:**
  - SCALANCE X200-4P IRT
  - SCALANCE X201-3P IRT (including PRO versions)
  - SCALANCE X202-2IRT & X202-2P IRT (including PRO versions)
  - SCALANCE X204IRT (including PRO versions)
  - SCALANCE XF201-3P IRT
  - SIPLUS NET devices based on the above SCALANCE hardware
- **Versions:** All versions prior to V5.5.2
- **Configurations:** Devices using default SSH server settings.
## Vulnerability Description
The SSH server on affected SCALANCE devices is configured to support weak encryption ciphers by default. Because these ciphers have known cryptographic weaknesses, they do not provide sufficient protection for the communication channel. An attacker positioned between the client and the device could perform a Man-in-the-Middle (MitM) attack to decrypt or alter traffic.
## Exploitation
- **Status:** PoC available (indicated by the CVSS "E:P" exploit-maturity metric)
- **Complexity:** High (requires the attacker to establish a Man-in-the-Middle position and exploit specific cryptographic weaknesses)
- **Attack Vector:** Adjacent (attacker must be on the same physical or logically adjacent network segment)
## Impact
- **Confidentiality:** Low (Partial data exposure)
- **Integrity:** High (Attacker can modify data passed over the connection)
- **Availability:** High (attacker could inject commands that disrupt device operations)
## Remediation
### Patches
Siemens recommends updating all affected devices to version **V5.5.2** or later.
- Update files can be found via the Siemens Support portal: hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109817790/
### Workarounds
*No specific technical workarounds were detailed in the advisory beyond general security hygiene; updating to the latest firmware is the primary remediation.*
## Detection
- **Indicators of compromise:** Presence of deprecated or weak ciphers (such as 3DES or certain CBC-mode ciphers) during SSH handshake negotiations.
- **Detection methods and tools:** Network security scanners (e.g., Nmap with SSH-enumeration scripts) or vulnerability scanners can be used to audit the SSH configuration of SCALANCE devices and identify whether weak ciphers are enabled.
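The detection indicator above is the cipher name-list a server advertises in its SSH_MSG_KEXINIT message. As an added example (not code from the advisory or from Siemens), the following Python script parses a KEXINIT payload per RFC 4253 section 7.1 and flags weak ciphers in both traffic directions. The two sample KEXINIT payloads are constructed here and do not reflect the actual cipher list of any SCALANCE firmware; the weak-cipher criteria (3DES, RC4/arcfour, any CBC-mode cipher, "none") are my own assumption, extended from the 3DES and CBC-mode examples the page names.

```python
import struct

SSH_MSG_KEXINIT = 20          # RFC 4253 message number
COOKIE_LEN = 16               # random cookie that follows the message byte
NAME_LIST_COUNT = 10          # kex, hostkey, enc x2, mac x2, comp x2, lang x2


def classify_cipher(name: str):
    """Return a short reason if `name` is a weak SSH cipher, else None.

    Assumed criteria: 3DES (64-bit block), RC4/arcfour stream ciphers,
    any CBC-mode cipher, and the 'none' pseudo-cipher."""
    if name == "none":
        return "no encryption"
    if name == "3des-cbc":
        return "3DES: 64-bit block size"
    if name.startswith(("arcfour", "rc4")):
        return "RC4 stream cipher"
    if name.endswith("-cbc"):
        return "CBC mode"
    return None


def _name_list(names):
    """Encode a list of algorithm names as an SSH name-list (uint32 length + CSV)."""
    raw = ",".join(names).encode("ascii")
    return struct.pack(">I", len(raw)) + raw


def build_kexinit(kex, hostkey, enc, mac, comp=("none",), lang=()):
    """Build a KEXINIT payload; the same algorithm lists are used for both directions."""
    lists = [kex, hostkey, enc, enc, mac, mac, comp, comp, lang, lang]
    body = bytes([SSH_MSG_KEXINIT]) + b"\x00" * COOKIE_LEN
    body += b"".join(_name_list(l) for l in lists)
    body += b"\x00"                      # first_kex_packet_follows = FALSE
    body += struct.pack(">I", 0)         # reserved uint32
    return body


def parse_kexinit(payload: bytes) -> dict:
    """Decode the ten name-lists of a KEXINIT payload (packet framing already removed)."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + COOKIE_LEN
    lists = []
    for _ in range(NAME_LIST_COUNT):
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        off += n
        lists.append(raw.decode("ascii").split(",") if raw else [])
    keys = ["kex", "hostkey", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
            "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
    return dict(zip(keys, lists))


def audit_kexinit(payload: bytes):
    """Return (direction, cipher, reason) for every weak cipher the peer offers."""
    info = parse_kexinit(payload)
    findings = []
    for direction in ("enc_c2s", "enc_s2c"):
        for cipher in info[direction]:
            reason = classify_cipher(cipher)
            if reason:
                findings.append((direction, cipher, reason))
    return findings


# Constructed sample payloads (not captured from a real device).
WEAK_SERVER_KEXINIT = build_kexinit(
    kex=["diffie-hellman-group14-sha1"], hostkey=["ssh-rsa"],
    enc=["aes128-ctr", "aes128-cbc", "3des-cbc", "arcfour"],
    mac=["hmac-sha1"])

HARDENED_SERVER_KEXINIT = build_kexinit(
    kex=["curve25519-sha256"], hostkey=["ssh-ed25519"],
    enc=["aes256-gcm@openssh.com", "aes256-ctr", "aes128-ctr"],
    mac=["hmac-sha2-256"])

if __name__ == "__main__":
    for label, payload in (("weak", WEAK_SERVER_KEXINIT),
                           ("hardened", HARDENED_SERVER_KEXINIT)):
        print(label, audit_kexinit(payload) or "no weak ciphers offered")
```

To run this against a real device, feed it the decrypted KEXINIT payload from a packet capture (the KEXINIT exchange is sent before encryption starts, so the bytes after the packet-length, padding-length header are directly usable), or compare the output with Nmap's `ssh2-enum-algos` script. A non-empty finding list on a SCALANCE device is the cue to verify the firmware version against V5.5.2.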
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-479249[.]pdf
- **Siemens ProductCERT:** hxxps://www[.]siemens[.]com/cert/advisories
- **CVSS/CWE Resources:**
  - hxxps://www[.]first[.]org/cvss/
  - hxxps://cwe[.]mitre[.]org/