All versions, only when the Relay feature is enabled: affected by CVE-2024-3596
Currently no fix is planned
Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:
Restrict access to the networks where RADIUS messages are exchanged (e.g., send RADIUS traffic via management network or a dedicated VLAN)
Configure the RADIUS server to require the presence of a Message-Authenticator attribute in all Access-Request packets from RADIUS client devices that support it
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
PRODUCT DESCRIPTION
RUGGEDCOM CROSSBOW is a secure access management solution designed to provide NERC CIP compliant access to Intelligent Electronic Devices.
RUGGEDCOM Ethernet switches are used to operate reliably in electrical harsh and climatically demanding environments such as electric utility substations and traffic control cabinets.
RUGGEDCOM RST2428P is a SINEC OS-based Layer 2 Ethernet switch with up to 28 non-blocking interfaces.
SCALANCE M-800, MUM-800 and S615 as well as the RUGGEDCOM RM1224 are industrial routers.
SCALANCE SC-600 devices are used to protect trusted industrial networks from untrusted networks. They allow filtering incoming and outgoing network connections in different ways.
SCALANCE W-1700 products are wireless communication devices based on the IEEE 802.11ac standard. They are used to connect all sorts of WLAN devices (Access Points or Clients, depending on the operating mode) with a strong focus on industrial components, like Programmable Logic Controllers (PLCs) or Human Machine Interfaces (HMIs) and others.
SCALANCE W-700 products are wireless communication devices based on the IEEE 802.11ax or 802.11n standard. They are used to connect all sorts of WLAN devices (Access Points or Clients, depending on the operating mode) with a strong focus on industrial components, like Programmable Logic Controllers (PLCs) or Human Machine Interfaces (HMIs) and others.
SCALANCE X switches are used to connect industrial components like Programmable Logic Controllers (PLCs) or Human Machine Interfaces (HMIs).
SINEC INS (Infrastructure Network Services) is a web-based application that combines various network services in one tool. This simplifies installation and administration of all network services relevant for industrial networks.
This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory.
Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.
Vulnerability CVE-2024-3596
The RADIUS Protocol under RFC 2865 is susceptible to forgery attacks by a local attacker who can modify Access-Reject or Access-Accept responses using a chosen-prefix collision attack against the MD5 Response Authenticator signature.
CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
ADDITIONAL INFORMATION
Description
The vulnerability could allow on-path attackers, located between a Network Access Server (the RADIUS client, e.g., SCALANCE or RUGGEDCOM devices) and a RADIUS server (e.g., SINEC INS), to forge Access-Request packets in a way that enables them to modify the corresponding server response packet at will, e.g., turning an "Access-Reject" message into an "Access-Accept". This would cause the Network Access Server to grant the attackers access to the network with the attackers' desired authorization (and without the need to know or guess legitimate access credentials).
Successful attacks have been demonstrated against RADIUS/UDP (IETF RFC 2865); similar attacks are considered possible against RADIUS/TCP (IETF RFC 6613).
RADIUS/TLS (IETF RFC 6614) and RADIUS/DTLS (IETF RFC 7360) are not vulnerable.
Impact to SCALANCE and RUGGEDCOM Products, Countermeasures
SCALANCE and RUGGEDCOM devices use RADIUS/UDP and are therefore considered vulnerable, except for the IEEE 802.1X port security feature.
To fix the issue, specific countermeasures are required on both RADIUS client and RADIUS server side. In typical deployments, SCALANCE and RUGGEDCOM devices as well as RUGGEDCOM CROSSBOW are configured as RADIUS clients. SINEC INS as well as other 3rd party products are RADIUS servers.
RADIUS clients need to:
C1. Ensure that all Access-Request packets they send to the server contain a Message-Authenticator attribute.
C2. Implement a per-server configuration flag which requires that all Access-Accept, Access-Reject, and Access-Challenge packets coming from a server must contain a Message-Authenticator attribute.
RADIUS servers need to:
S1. Ensure that all replies to Access-Request packets contain a Message-Authenticator attribute as the first attribute in the packet.
S2. Implement a per-client configuration flag which requires that all Access-Request packets coming from a client must contain a Message-Authenticator attribute.
S3. If the server is also configured as a proxy (i.e., forwards certain client Access-Requests to another RADIUS server): Ensure that all proxied Access-Request packets contain a Message-Authenticator attribute.
The issue is fully mitigated only if all recommendations are enforced in all RADIUS clients and servers. However, every individual recommendation decreases the likelihood of a successful attack.
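To make the C1/C2 and S1/S2 recommendations concrete, the following Python script is an added example (it is not Siemens code and not taken from any of the products named in this advisory). It implements the RFC 2869 Message-Authenticator (HMAC-MD5 keyed with the shared secret, computed over the packet with the attribute's value zeroed), places it as the first attribute of a packet (C1 on the client, S1 on the server), and verifies it under a "require" policy flag (S2 on the server for Access-Requests, C2 on the client for responses). The shared secret, identifier and attribute values are constructed sample data. The last part shows why the attribute matters: a reply whose code has been changed from Access-Reject to Access-Accept fails the HMAC check even though the MD5 Response Authenticator is the only integrity check that RFC 2865 provides.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865) and the Message-Authenticator attribute type (RFC 2869 s5.14)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
MESSAGE_AUTHENTICATOR = 80
ZERO16 = b"\x00" * 16


def encode_attrs(attrs):
    """attrs: list of (type, value_bytes) -> RADIUS attribute TLV bytes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + l]))
        i += l
    return attrs


def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(pkt):
    if len(pkt) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length != len(pkt):
        raise ValueError("length field does not match packet size")
    return code, ident, pkt[4:20], decode_attrs(pkt[20:])


def message_authenticator(secret, code, ident, authenticator, attrs):
    """HMAC-MD5(secret, Code|ID|Length|Authenticator|Attributes) with the
    Message-Authenticator value set to 16 zero bytes (RFC 2869 s5.14).
    For responses, `authenticator` must be the Request Authenticator of the
    Access-Request being answered, not the Response Authenticator."""
    zeroed = [(t, ZERO16 if t == MESSAGE_AUTHENTICATOR else v) for t, v in attrs]
    return hmac.new(secret, build_packet(code, ident, authenticator, zeroed), hashlib.md5).digest()


def sign(secret, code, ident, authenticator, attrs):
    """Return a packet with a valid Message-Authenticator as its first attribute (C1 / S1)."""
    attrs = [(MESSAGE_AUTHENTICATOR, ZERO16)] + [a for a in attrs if a[0] != MESSAGE_AUTHENTICATOR]
    attrs[0] = (MESSAGE_AUTHENTICATOR, message_authenticator(secret, code, ident, authenticator, attrs))
    return build_packet(code, ident, authenticator, attrs)


def reply(secret, code, request_pkt, attrs):
    """Server side: build a response carrying Message-Authenticator (S1) plus the
    RFC 2865 Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)."""
    _, ident, req_auth, _ = parse_packet(request_pkt)
    signed = sign(secret, code, ident, req_auth, attrs)   # header temporarily holds req_auth for the HMAC
    resp_auth = hashlib.md5(signed + secret).digest()
    return signed[:4] + resp_auth + signed[20:]


def check_message_authenticator(secret, pkt, request_authenticator=None, require=True):
    """Policy check: S2 (server, on Access-Request) or C2 (client, on responses).
    `require` is the per-peer configuration flag from the advisory. Returns (accepted, reason)."""
    code, ident, auth, attrs = parse_packet(pkt)
    macs = [v for t, v in attrs if t == MESSAGE_AUTHENTICATOR]
    if not macs:
        return (not require), "Message-Authenticator missing" + (" (rejected by policy)" if require else " (accepted: require flag off)")
    if len(macs) != 1 or len(macs[0]) != 16:
        return False, "malformed Message-Authenticator"
    key_auth = auth if code == ACCESS_REQUEST else request_authenticator
    if key_auth is None:
        return False, "verifying a response needs the matching Request Authenticator"
    expected = message_authenticator(secret, code, ident, key_auth, attrs)
    if not hmac.compare_digest(expected, macs[0]):
        return False, "Message-Authenticator mismatch"
    return True, "ok"


def check_response_authenticator(secret, resp_pkt, request_authenticator):
    """The plain RFC 2865 MD5 check. On its own this is what CVE-2024-3596 defeats."""
    expected = hashlib.md5(resp_pkt[:4] + request_authenticator + resp_pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, resp_pkt[4:20])


def demo(secret=b"constructed-shared-secret", req_auth=None):
    """Walk a constructed exchange and return the verdicts of each check."""
    req_auth = req_auth or os.urandom(16)
    attrs = [(1, b"alice"), (4, bytes([10, 0, 0, 1]))]          # User-Name, NAS-IP-Address (sample values)
    req = sign(secret, ACCESS_REQUEST, 7, req_auth, attrs)      # client applies C1
    bare_req = build_packet(ACCESS_REQUEST, 7, req_auth, attrs)  # client without C1
    rej = reply(secret, ACCESS_REJECT, req, [(18, b"denied")])  # server applies S1 (Reply-Message)
    tampered = bytes([ACCESS_ACCEPT]) + rej[1:]                 # on-path change of Reject -> Accept
    return {
        "request_ok": check_message_authenticator(secret, req)[0],
        "bare_request_with_S2": check_message_authenticator(secret, bare_req, require=True)[0],
        "bare_request_without_S2": check_message_authenticator(secret, bare_req, require=False)[0],
        "reply_ok": check_message_authenticator(secret, rej, req_auth)[0],
        "tampered_reply": check_message_authenticator(secret, tampered, req_auth),
        "tampered_md5_only": check_response_authenticator(secret, tampered, req_auth),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The naive tampering in demo() also fails the MD5 Response Authenticator check; the point of the CVE is that a chosen-prefix collision lets an attacker keep that MD5 value stable while changing the code, which is why the keyed HMAC in Message-Authenticator, not the unkeyed MD5, is the effective check. Note that the server must remember the Request Authenticator of every outstanding request to verify replies, and that the "require" flag has to be switched on per peer only after confirming the peer supports the attribute, which is exactly the staged rollout the Status and Specific Countermeasures sections below describe.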
Status
SCALANCE W-700 IEEE 802.11ax family: C1 is implemented in current firmware versions; C2 is supported starting with V3.0.0.
SCALANCE M-800 family (incl. S615, MUM-800 and RM1224): C1 is implemented in current firmware versions; C2 is supported starting with V8.2.
SCALANCE X-300 family (incl. X408 and SIPLUS NET variants): C1 is implemented since firmware version V4.1.8; C2 is implemented since firmware version V4.1.9.
RUGGEDCOM RST2428P, SCALANCE XC-300, SCALANCE XC-400 and SCALANCE XR-300 (6GK5334-xTSxx) families, and some of the devices in the SCALANCE XM-400/XR-500 and SCALANCE XCM-/XRM-/XCH-/XRH-300 families: C1 is implemented in current firmware versions; C2 is implemented since SINEC OS version V3.2.
SCALANCE devices, except the ones already listed above: C1 is implemented in current firmware versions; C2 is planned to be implemented in a future version.
RUGGEDCOM (ROX and ROS V5.x based) devices: C1 and C2 are not supported in current firmware versions; both are planned to be implemented in a future version.
RUGGEDCOM (ROS V4.x based) devices: C1 and C2 are not supported in firmware versions below V4.3.11; both are supported starting with V4.3.11. C2 can be configured from CLI / webUI at: Administration -> Configure Security Server -> Configure RADIUS Server -> Select Server (primary and/or backup) -> Force Msg-Auth attr = (YES, NO). The default value of Force Msg-Auth attr = NO. If your RADIUS server supports the message authenticator attribute, it is recommended to set it to YES.
RUGGEDCOM CROSSBOW: C1 is implemented in current versions; C2 is implemented in V5.6 and later versions.
SINEC INS, when RADIUS Server feature is enabled: S1 is implemented in current versions for all clients that support C1; S2 is implemented in current versions.
SINEC INS, when the Relay feature is configured: S3 is not implemented, all packets are forwarded unchanged.
Specific Countermeasures
SCALANCE W-700 IEEE 802.11ax family: Update to V3.0.0 or later version and enforce by configuration that all packets coming from the RADIUS server contain a Message-Authenticator attribute (if the RADIUS server supports it).
SCALANCE M-800 family (incl. S615, MUM-800 and RM1224): Update to V8.2 or later version and enforce by configuration that all packets coming from the RADIUS server contain a Message-Authenticator attribute (if the RADIUS server supports it).
SCALANCE X-300 family (incl. X408 and SIPLUS NET variants): Update to 4.1.9 or later version and enforce by configuration that all packets coming from the RADIUS server contain a Message-Authenticator attribute (if the RADIUS server supports it).
RUGGEDCOM RST2428P, SCALANCE XC-300, SCALANCE XC-400 and SCALANCE XR-300 (6GK5334-xTSxx) families, and some of the devices in the SCALANCE XM-400/XR-500 and SCALANCE XCM-/XRM-/XCH-/XRH-300 families: Update to SINEC OS V3.2 or later version and enforce by configuration that all packets coming from the RADIUS server contain a Message-Authenticator attribute (if the RADIUS server supports it).
SCALANCE devices, except the ones already listed above: Update all devices to the latest available firmware version; ensure that the RADIUS server(s) in your deployment implement S1-S3; ensure that S2 is enabled for all SCALANCE devices; as soon as a new firmware version is available that supports C2: update all devices.
RUGGEDCOM (ROX and ROS V5.x based) devices: Ensure that the RADIUS server(s) in your deployment implement S1-S3, but keep S2 disabled for RUGGEDCOM devices; as soon as a new firmware version is available that supports C1 and C2: update all devices and enable S2 on the server.
RUGGEDCOM (ROS V4.x based) devices: Update to V4.3.11 or later version and consider the information in the Status section above.
RUGGEDCOM CROSSBOW: Ensure that the RADIUS server(s) in your deployment implement S1-S3; ensure that S2 is enabled for RUGGEDCOM CROSSBOW; update RUGGEDCOM CROSSBOW to V5.6 or later version to support C2. Alternatively, consider using a different supported method for authentication: AD, RSA or a combination of both.
SINEC INS, when RADIUS Server feature is enabled: Configure S2 for all clients that support C1
SINEC INS, when the Relay feature is configured: Ensure that the connections between SINEC INS and the configured RADIUS server groups are secured and access-restricted (e.g. via IPSec or VPN)
For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT:
https://www.siemens.com/cert/advisories
HISTORY DATA
V1.0 (2024-07-09):
Publication Date
V1.1 (2024-07-22):
Clarified that the fix for SCALANCE X-300 family (incl. X408 and SIPLUS NET variants) in V4.1.8 only covers RADIUS client mitigation C1, but not C2
V1.2 (2024-11-12):
Added fix for RUGGEDCOM CROSSBOW
V1.3 (2024-12-10):
Added fix (and related important recommendations in chapter Additional Information) for RUGGEDCOM ROS V4.x devices; Added additional SINEC OS-based devices as affected products: RUGGEDCOM RST2428P and SCALANCE XC-300, XR-300, XC-400 families, and additional devices in the SCALANCE XR-500 family
V1.4 (2025-01-14):
Added fix for SCALANCE W-700 IEEE 802.11ax family and for SCALANCE M-800 family (incl. S615, MUM-800 and RM1224)
V1.5 (2025-03-11):
Added fix for SCALANCE X-300 family (incl. X408 and SIPLUS NET variants)
V1.6 (2025-06-10):
Clarified that SINEC INS is only affected when the Relay feature is used; added fix for the RUGGEDCOM RST2428P, SCALANCE XC-300, SCALANCE XC-400 and SCALANCE XR-300 (6GK5334-xTSxx) families and for some of the devices in the SCALANCE XM-400/XR-500 and SCALANCE XCM-/XRM-/XCH-/XRH-300 families