Full Report
Siemens has released new firmware versions for SCALANCE X-200 and X-200 IRT switches that address the BadAlloc vulnerabilities in the underlying operating system and recommends updating to the latest versions. For products where updates are not, or not yet, available, Siemens recommends countermeasures.
Analysis Summary
# Vulnerability: BadAlloc Vulnerabilities in SCALANCE X-200/X-200 IRT Series Switches
## CVE Details
- CVE ID: CVE-2020-28895, CVE-2020-35198
- CVSS Score: 7.3 (CVE-2020-28895 - High), 7.2/8.6 (CVE-2020-35198 - High)
- CWE: CWE-190: Integer Overflow or Wraparound
## Affected Systems
- Products: SCALANCE X200-4P IRT, SCALANCE X201-3P IRT, SCALANCE X201-3P IRT PRO, SCALANCE X202-2IRT, SCALANCE X202-2P IRT, SCALANCE X202-2P IRT PRO, SCALANCE X204-2, SCALANCE X204-2FM (and potentially other products in the X-200/X-300 families mentioned in the full advisory).
- Versions:
  - For X200-4P IRT and related IRT models: All versions < V5.5.2
  - For SCALANCE X204-2 and related models: All versions < V5.2.6
- Configurations: Applies to firmware utilizing the affected versions of the underlying operating system (VxWorks).
## Vulnerability Description
This advisory addresses multiple "Bad Alloc" vulnerabilities stemming from Integer Overflow/Wraparound flaws within the underlying Wind River VxWorks operating system's memory allocation functions (`calloc()`, `cacheDmaMalloc()`, `cacheArchDmaMalloc()`, `mmap64()`).
1. **CVE-2020-28895**: An overflow during memory block size calculation in `calloc()` results in less memory being allocated than requested, leading to memory corruption.
2. **CVE-2020-35198**: Alignment calculations for requested buffer sizes in DMA/memory mapping APIs can cause an integer overflow, returning a pointer to a buffer smaller than specified, which enables heap overflow attacks.
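The arithmetic pattern both CVEs share, shown as an added example that is not Siemens or Wind River code: hypothetical checked helpers that reject the `nmemb * size` wraparound in a `calloc()`-style path and the alignment round-up wraparound in a DMA-style path, next to the unchecked arithmetic for contrast. All function names and the sample inputs are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical helper (not VxWorks code): size computation for a
 * calloc()-style allocator that detects the nmemb * size wraparound
 * (the CWE-190 pattern behind CVE-2020-28895) instead of returning a
 * block smaller than the caller asked for. */
bool checked_calloc_size(size_t nmemb, size_t size, size_t *out)
{
    if (nmemb != 0 && size > SIZE_MAX / nmemb)
        return false;                        /* product would wrap */
    *out = nmemb * size;
    return true;
}

/* Hypothetical helper: round a request up to a power-of-two alignment,
 * as DMA-capable allocators do, and detect the wrap to a small value
 * (the pattern described for CVE-2020-35198). */
bool checked_align_up(size_t size, size_t align, size_t *out)
{
    if (align == 0 || (align & (align - 1)) != 0)
        return false;                        /* not a power of two */
    if (size > SIZE_MAX - (align - 1))
        return false;                        /* rounding would wrap */
    *out = (size + align - 1) & ~(align - 1);
    return true;
}

/* Unchecked arithmetic, for contrast: this is what silently wraps. */
size_t naive_calloc_size(size_t nmemb, size_t size)
{
    return nmemb * size;
}

size_t g_out;   /* scratch output used by main() and by tests */

int main(void)
{
    size_t nmemb = SIZE_MAX / 4 + 1;         /* constructed: wraps when * 4 */
    printf("naive size for %zu x 4: %zu (wrapped)\n", nmemb,
           naive_calloc_size(nmemb, 4));
    printf("checked calloc size: %s\n",
           checked_calloc_size(nmemb, 4, &g_out) ? "accepted" : "rejected");
    printf("checked align-up of SIZE_MAX-3 to 64: %s\n",
           checked_align_up(SIZE_MAX - 3, 64, &g_out) ? "accepted" : "rejected");
    return 0;
}
```

The naive product for the constructed input wraps to 0, so an allocator using it would hand back a tiny block for a huge request; the checked helpers refuse both that case and the alignment overflow.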
## Exploitation
- Status: PoC available (indicated by E:P, the Exploit Code Maturity value Proof-of-Concept, in the CVSS vectors for both CVEs).
- Complexity: Low for CVE-2020-28895 (AV:N/AC:L/PR:N/UI:N); High/Medium for CVE-2020-35198, whose vector implies PR:H, although the attack complexity itself is generally viewed as low for network-based heap corruption.
- Attack Vector: Network (AV:N)
## Impact
Taken together, the two vulnerabilities can compromise both system stability and data security:
- Confidentiality: Low (CVE-2020-28895) / High (CVE-2020-35198)
- Integrity: Low (CVE-2020-28895) / High (CVE-2020-35198)
- Availability: Low (CVE-2020-28895) / High (CVE-2020-35198)
## Remediation
### Patches
Users must update to the following firmware versions or later:
* For SCALANCE X200-4P IRT and similar IRT models: **V5.5.2 or later**.
* For SCALANCE X204-2 and similar models: **V5.2.6 or later**.
### Workarounds
Siemens recommends implementing countermeasures for products where updates are not yet available (specific workarounds are not detailed in the summary provided but should be sought in the full advisory). Generic mitigation strategies should involve network segmentation and access control restrictions to limit potential network-based exploitation paths.
## Detection
- Indicators of compromise are typically abnormal system crashes or unexpected process termination caused by memory corruption or heap overflows on the affected switch modules.
- Detection would involve monitoring switch logs for unusual memory access errors or anomalies following resource allocation requests. Full detection details are in the vendor advisory.
## References
- Vendor Advisory: SSA-813746
- Siemens Support Link: hxxps://support.industry.siemens.com/cs/ww/en/view/109817790/ (For IRT models)
- Siemens Support Link: hxxps://support.industry.siemens.com/cs/ww/en/view/109811753/ (For X204-2 models)