Full Report
SCALANCE XCM-/XRM-300 before V2.4 is affected by multiple vulnerabilities. Siemens has released an update for SCALANCE X-300 and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in SCALANCE XCM-/XRM-300
## CVE Details
This advisory addresses several vulnerabilities. Significant entries include:
- **CVE-2022-42916**: CVSS 9.8 (Critical) | CWE-125 (Out-of-bounds Read)
- **CVE-2022-47629**: CVSS 9.8 (Critical) | CWE-190 (Integer Overflow)
- **CVE-2022-48434**: CVSS 8.1 (High) | CWE-416 (Use After Free)
- **CVE-2023-0361**: CVSS 7.4 (High) | CWE-203 (Observable Discrepancy)
- **CVE-2023-0568**: CVSS 7.5 (High) | CWE-131 (Incorrect Calculation of Buffer Size)
- **CVE-2023-37920**: CVSS 7.5 (High) | CWE-345 (Insufficient Verification)
- **CVE-2023-40283**: CVSS 7.8 (High) | CWE-416 (Use After Free)
## Affected Systems
- **Products**: SCALANCE XCM-300 and XRM-300 series industrial switches (e.g., XCH328, XCM332, XRM326).
- **Versions**: All versions prior to V2.4.
- **Configurations**: Specific vulnerabilities depend on the use of sub-components such as Mbed TLS, Libksba, PHP, GnuTLS, and the Linux Kernel.
## Vulnerability Description
The SCALANCE XCM-/XRM-300 firmware contains multiple third-party library flaws. These include:
- **Remote Code Execution (RCE)**: Resulting from integer overflows in Libksba (CRL signature parsing) and out-of-bounds reads in Mbed TLS.
- **Memory Corruption**: Use-after-free conditions in the Linux kernel and FFmpeg, and buffer overflows in Ghostscript.
- **Denial of Service (DoS)**: Deadlocks in the BPF subsystem and resource exhaustion via excessive HTTP form parts in PHP.
- **Cryptographic Weaknesses**: Bleichenbacher-style timing side-channels in GnuTLS and untrusted root certificates (e-Tugra) in Certifi.
## Exploitation
- **Status**: PoC available for several identified CVEs (indicated by "E:P" in CVSS vectors). No confirmed exploitation in the wild at the time of publication.
- **Complexity**: Variable, ranging from **Low** (CVE-2022-47629) to **High** (CVE-2023-0361, a timing side-channel attack).
- **Attack Vector**: Primarily **Network** for critical flaws; some local/adjacent vectors for kernel-level flaws.
## Impact
- **Confidentiality**: High (Data theft and key recovery possible).
- **Integrity**: High (System modification and unauthorized access).
- **Availability**: High (System crashes and DoS).
## Remediation
### Patches
- **SCALANCE XCM-300 / XRM-300**: Update to version **V2.4** or later.
### Workarounds
Siemens recommends the following general security measures if patching is not immediately possible:
- Protect network access with firewalls.
- Implement a "Defense in Depth" security concept.
- Isolate industrial networks from the enterprise network.
## Detection
- **Indicators of Compromise**: Monitor for unusual HTTP upload patterns (PHP DoS), unexpected system reboots, or unauthorized credential usage.
- **Detection methods**: Use Industrial Intrusion Detection Systems (IIDS) and vulnerability scanners to identify SCALANCE XCM-/XRM-300 devices running firmware versions below V2.4.
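The version check described above, as an added example that is not part of the advisory or any Siemens tool: it parses SCALANCE-style firmware strings (e.g. "V2.3.1"), matches the affected model families by name, and reports which inventory entries are below the fixed version V2.4. The inventory records, hostnames and the model-name pattern (built from the example models the advisory lists: XCH328, XCM332, XRM326) are constructed assumptions for the demonstration.

```python
import re

# Constructed sample inventory (hypothetical hostnames and versions);
# not data from the advisory.
INVENTORY = [
    {"host": "sw-cell1", "model": "SCALANCE XCM332", "firmware": "V2.3.1"},
    {"host": "sw-cell2", "model": "SCALANCE XRM326", "firmware": "V2.4"},
    {"host": "sw-ring1", "model": "SCALANCE XCH328", "firmware": "V2.4.1"},
    {"host": "sw-core",  "model": "SCALANCE XB208",  "firmware": "V4.5"},
    {"host": "sw-lab",   "model": "SCALANCE XCM324", "firmware": "v1.9"},
]

# First fixed version per the advisory: V2.4.
FIXED_VERSION = (2, 4)

# Assumed model-name pattern for the XCM-/XRM-300 families, derived from the
# example models named in the advisory (XCH328, XCM332, XRM326).
AFFECTED_MODEL = re.compile(r"\bSCALANCE\s+X(?:CM|CH|RM)3\d{2}\b", re.IGNORECASE)

VERSION_RE = re.compile(r"[Vv]?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple:
    """Turn 'V2.3.1' / 'v1.9' / '2.4' into a comparable tuple of ints.

    Raises ValueError for strings that do not look like a version, so that
    an unparsable firmware field is surfaced instead of silently passing.
    """
    m = VERSION_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(model: str, firmware: str) -> bool:
    """True when the model is in an affected family and firmware < V2.4.

    Tuple comparison handles differing lengths correctly: (2, 4) is not
    below (2, 4), and (2, 4, 1) is above it.
    """
    if not AFFECTED_MODEL.search(model):
        return False
    return parse_version(firmware) < FIXED_VERSION


def find_vulnerable(inventory) -> list:
    """Return the hostnames of inventory entries that still need the V2.4 update."""
    return [
        entry["host"]
        for entry in inventory
        if is_affected(entry["model"], entry["firmware"])
    ]


if __name__ == "__main__":
    for host in find_vulnerable(INVENTORY):
        print(f"{host}: update to V2.4 or later")
```

Running the script against a real inventory export only requires replacing `INVENTORY` with the exported records; the model pattern should be checked against the vendor's product list before relying on it, since it is inferred from the three examples in the advisory.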
## References
- **Vendor Advisory**: hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-806742[.]html
- **Siemens ProductCERT**: hxxps://www[.]siemens[.]com/cert/advisories