Full Report
The latest update of the SCALANCE X-200 and X-300/X408 switch families fixes multiple OpenSSH vulnerabilities. The most severe of these could allow a denial-of-service condition. Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens is preparing further updates and recommends specific countermeasures for products where updates are not, or not yet, available.
Analysis Summary
# Vulnerability: OpenSSH Vulnerabilities in SCALANCE X-200 and X-300/X408 Switches
## CVE Details
| CVE ID | CVSS Score | CWE |
|---|---|---|
| CVE-2016-6515 | 7.5 (High) | CWE-20 (Improper Input Validation) |
| CVE-2016-10708 | 7.5 (High) | CWE-476 (NULL Pointer Dereference) |
| CVE-2016-10011 | 5.5 (Medium) | CWE-20 (Improper Input Validation) |
## Affected Systems
- **Products:**
  - SCALANCE X-200IRT Family (including X200-4P, X201-3P, X202-2IRT, and PRO variants)
  - SCALANCE X-200 Family (including X204-2, X204-2FM, X204-2LD, X204-2TS)
  - SCALANCE X-300 Family (including X408 and SIPLUS NET variants)
- **Versions:**
  - X-200IRT: all versions < V5.5.2
  - X-204: all versions < V5.2.5
  - Other X-300/X-408: check for specific firmware updates via the Siemens portal.
- **Configurations:** Systems with the SSH service enabled for remote management.
## Vulnerability Description
Multiple flaws exist in the OpenSSH implementation used by the SCALANCE switches:
- **CVE-2016-6515:** The `auth_password` function fails to limit password lengths. A remote attacker can send extremely long password strings to exhaust CPU resources through intensive cryptographic hashing.
- **CVE-2016-10708:** A NULL pointer dereference can be triggered via an out-of-sequence `NEWKEYS` message, leading to a daemon crash.
- **CVE-2016-10011:** Improper handling of `realloc` in `authfile.c` might allow a local user to leak sensitive private-key information from a privilege-separated child process.
## Exploitation
- **Status:**
  - CVE-2016-6515: proof of concept available.
  - CVE-2016-10708: not known to be exploited in the wild (as of the advisory).
  - CVE-2016-10011: not known to be exploited.
- **Complexity:** Low
- **Attack Vector:**
  - CVE-2016-6515 and CVE-2016-10708: Network
  - CVE-2016-10011: Local
## Impact
- **Confidentiality:** Medium (Local key info leakage)
- **Integrity:** None
- **Availability:** High (Remote Denial of Service / Component Crash)
## Remediation
### Patches
- **SCALANCE X-200IRT:** Update to V5.5.2 or later.
- **SCALANCE X-204:** Update to V5.2.5 or later.
- Siemens recommends checking the [Product Support Portal](https://support.industry.siemens.com/cs/ww/en/) for specific firmware for other X-300/X-408 models.
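As an added example, not part of the advisory, the following script triages a device inventory against the fixed versions listed under Affected Systems and Patches above. The inventory format, hostnames and the model-prefix-to-family rules are assumptions; the family of any model that does not match a known prefix is reported as "verify", mirroring the advisory's "check the Siemens portal" guidance.

```python
import re

# Fixed firmware versions stated in the advisory; None means "check the Siemens portal".
FIXED_VERSION = {"X-200IRT": (5, 5, 2), "X-204": (5, 2, 5), "X-300/X408": None}

def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'V5.5.2' or '5.2.10' into a tuple so 5.2.10 compares above 5.2.5."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))

def family_of(model: str) -> str:
    """Map a model name to an advisory family (the prefix rules are an assumption)."""
    m = model.upper().replace(" ", "")
    if "IRT" in m or m.startswith(("X200", "X201", "X202")):
        return "X-200IRT"
    if m.startswith("X204"):
        return "X-204"
    return "X-300/X408"

def triage(device: dict) -> dict:
    """Return status ('vulnerable', 'fixed', 'verify') and the action for one device."""
    family = family_of(device["model"])
    fixed = FIXED_VERSION[family]
    exposure = "SSH enabled" if device["ssh_enabled"] else "SSH disabled, lower exposure"
    if fixed is None:
        status, action = "verify", "check Siemens portal for fixed firmware"
    elif parse_version(device["firmware"]) < fixed:
        status, action = "vulnerable", "update to V%s or later" % ".".join(map(str, fixed))
    else:
        status, action = "fixed", "no action"
    return {"hostname": device["hostname"], "family": family,
            "status": status, "action": f"{action}; {exposure}"}

# Constructed sample inventory: hostnames, models and versions are made up.
INVENTORY = [
    {"hostname": "sw-cell1", "model": "X202-2IRT", "firmware": "V5.4.1", "ssh_enabled": True},
    {"hostname": "sw-cell2", "model": "X204-2LD", "firmware": "V5.2.5", "ssh_enabled": True},
    {"hostname": "sw-cell3", "model": "X204-2", "firmware": "5.2.10", "ssh_enabled": True},
    {"hostname": "sw-core", "model": "X408-2", "firmware": "V4.1.3", "ssh_enabled": False},
]

if __name__ == "__main__":
    for f in map(triage, INVENTORY):
        print(f"{f['hostname']:9} {f['family']:10} {f['status']:10} {f['action']}")
```

Versions are compared as integer tuples rather than strings, so a firmware such as 5.2.10 is correctly treated as newer than the 5.2.5 fix level.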
### Workarounds
- Disable the SSH service if it is not required for management.
- Protect network access to the devices via firewalls or VPNs.
- Implement "Defense in Depth" by ensuring the devices are not directly accessible from the internet.
## Detection
- **Indicators of Compromise:** Unexpected reboots of the switch, inability to reach the management interface via SSH, or spikes in CPU utilization without a legitimate cause.
- **Detection methods and tools:** Network monitoring for unusually large password strings in SSH handshakes or for malformed `NEWKEYS` packets. Note that the password itself travels inside the encrypted channel established after key exchange, so on the wire the observable proxy is an anomalously large packet during the authentication phase rather than the password text; `NEWKEYS` messages, by contrast, are sent before encryption starts and can be inspected directly.
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-676336[.]pdf
- **Siemens Support:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109817790/
- **CWE Database:** hxxps://cwe[.]mitre[.]org/