Publication Date: 2024-07-09
Last Update: 2025-07-08
Current Version: V1.7
CVSS v3.1 Base Score: 9.0
CVSS v4.0 Base Score: 9.1
Affected Product and Versions | Remediation

All versions < V5.6
affected by CVE-2024-3596
Currently no fix is available

All versions < V3.2
affected by CVE-2024-3596
Currently no fix is available
Currently no fix is available
Currently no fix is available
Currently no fix is available

All versions < V1.0 SP2 Update 4 only when the Relay feature is enabled
affected by CVE-2024-3596
Update to V1.0 SP2 Update 4 or later version
  • Restrict access to the networks where RADIUS messages are exchanged (e.g., send RADIUS traffic via management network or a dedicated VLAN)
  • Configure the RADIUS server to require the presence of a Message-Authenticator attribute in all Access-Request packets from RADIUS client devices that support it

Please follow the General Security Recommendations.

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security) and following the recommendations in the product manuals. Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity


This chapter describes all vulnerabilities (CVE-IDs) addressed in this security advisory. Wherever applicable, it also documents the product-specific impact of the individual vulnerabilities.

CVE-2024-3596
CVSS v3.1 Base Score: 9.0
CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0 Base Score: 9.1
CVSS v4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H
CWE: CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel

Note regarding SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family (MSPS) and SCALANCE XCM-/XRM-/XCH-/XRH-300 family (SINEC OS): If you have migrated your device(s) from SINEC OS to MSPS firmware or vice versa, please consider the respective measures in the MSPS or SINEC OS specific product families.

Description of the Vulnerability

The vulnerability could allow on-path attackers, located between a Network Access Server (the RADIUS client, e.g., SCALANCE or RUGGEDCOM devices) and a RADIUS server (e.g., SINEC INS), to forge Access-Request packets in a way that enables them to modify the corresponding server response packet at will, e.g., turning an "Access-Reject" message into an "Access-Accept". This would cause the Network Access Server to grant the attackers access to the network with the attackers' desired authorization (and without the need to know or guess legitimate access credentials).

Successful attacks have been demonstrated against RADIUS/UDP (IETF RFC 2865); similar attacks are considered possible against RADIUS/TCP (IETF RFC 6613). RADIUS/TLS (IETF RFC 6614) and RADIUS/DTLS (IETF RFC 7360) are not vulnerable.

Impact to SCALANCE and RUGGEDCOM Products, Countermeasures

SCALANCE and RUGGEDCOM devices use RADIUS/UDP and are therefore considered vulnerable, except for the IEEE 802.1X port security feature.

To fix the issue, specific countermeasures are required on both the RADIUS client and the RADIUS server side. In typical deployments, SCALANCE and RUGGEDCOM devices as well as RUGGEDCOM CROSSBOW are configured as RADIUS clients. SINEC INS as well as other third-party products are RADIUS servers.

RADIUS clients need to:

  • C1. Ensure that all Access-Request packets they send to the server contain a Message-Authenticator attribute.
  • C2. Implement a per-server configuration flag which requires that all Access-Accept, Access-Reject, and Access-Challenge packets coming from a server must contain a Message-Authenticator attribute.

RADIUS servers need to:

  • S1. Ensure that all replies to Access-Request packets contain a Message-Authenticator attribute as the first attribute in the packet.
  • S2. Implement a per-client configuration flag which requires that all Access-Request packets coming from a client must contain a Message-Authenticator attribute.
  • S3. If the server is also configured as a proxy (i.e., forwards certain client Access-Requests to another RADIUS server): Ensure that all proxied Access-Request packets contain a Message-Authenticator attribute.

The issue is fully mitigated only if all recommendations are enforced in all RADIUS clients and servers. However, every individual recommendation decreases the likelihood of a successful attack.
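The client-side checks C1/C2 and the server-side checks S1/S2 above, together with the point made in the vulnerability description that the plain MD5 Response Authenticator does not protect a reply while a Message-Authenticator does, as an added Python example. This is not code from the advisory or from any Siemens product: the packet layout follows RFC 2865 and RFC 2869 (Message-Authenticator is attribute type 80), the shared secret and the exchange in demo() are constructed for the example, and the function names are the example's own.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes (RFC 2865) and the Message-Authenticator attribute type (RFC 2869, 5.14)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)


def encode_attrs(attrs):
    """Serialise a list of (type, value) pairs into RADIUS TLV attributes."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def build_packet(code, identifier, request_authenticator, attrs, secret, with_ma=True):
    """Build a RADIUS/UDP packet the way a well-behaved peer would.

    with_ma=True prepends a Message-Authenticator as the first attribute (C1/S1)
    and fills it with HMAC-MD5(secret) over the packet with the attribute zeroed.
    Replies compute that HMAC with the Request Authenticator in the header and
    then carry the Response Authenticator MD5(Code|ID|Length|RequestAuth|
    Attributes|Secret) instead (RFC 2865, section 3).
    """
    if with_ma:
        attrs = [(MESSAGE_AUTHENTICATOR, bytes(16))] + list(attrs)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(body))
    if with_ma:
        mac = hmac.new(secret, header + request_authenticator + body, hashlib.md5).digest()
        body = struct.pack("!BB", MESSAGE_AUTHENTICATOR, 18) + mac + body[18:]
    if code == ACCESS_REQUEST:
        return header + request_authenticator + body
    response_authenticator = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + response_authenticator + body


def check_message_authenticator(packet, secret, request_authenticator):
    """Return None if the packet carries no Message-Authenticator, True if it
    carries a valid one, False if it carries an invalid one or is malformed."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not HEADER_LEN <= length <= len(packet):
        return False
    body, offset = packet[HEADER_LEN:length], 0
    while offset + 2 <= len(body):
        atype, alen = body[offset], body[offset + 1]
        if alen < 2 or offset + alen > len(body):
            return False  # malformed attribute: never treat as authenticated
        if atype == MESSAGE_AUTHENTICATOR:
            if alen != 18:
                return False
            received = body[offset + 2:offset + 18]
            zeroed = body[:offset + 2] + bytes(16) + body[offset + 18:]
            auth = packet[4:20] if code == ACCESS_REQUEST else request_authenticator
            expected = hmac.new(secret, packet[:4] + auth + zeroed, hashlib.md5).digest()
            return hmac.compare_digest(received, expected)
        offset += alen
    return None


def server_accepts_request(request, secret, require_ma):
    """S2: per-client flag. The Request Authenticator is random, so without a
    Message-Authenticator the server has no proof the request is genuine."""
    if len(request) < HEADER_LEN or request[0] != ACCESS_REQUEST:
        return False
    status = check_message_authenticator(request, secret, request[4:20])
    if status is False:
        return False
    return status is True or not require_ma


def client_accepts_reply(reply, secret, request_authenticator, require_ma):
    """C2: per-server flag. The Response Authenticator is a plain MD5 hash, which
    is what the forged-request attack in the description works against; the
    HMAC-MD5 Message-Authenticator is what binds the reply to the shared secret."""
    if len(reply) < HEADER_LEN or reply[0] not in (ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE):
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if not HEADER_LEN <= length <= len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[HEADER_LEN:length] + secret).digest()
    if not hmac.compare_digest(reply[4:HEADER_LEN], expected):
        return False
    status = check_message_authenticator(reply, secret, request_authenticator)
    if status is False:
        return False
    return status is True or not require_ma


def demo(secret=b"constructed-shared-secret"):
    """Constructed exchange: a NAS request, a correct server reply, a reply without
    Message-Authenticator, and a reply whose code byte was altered in transit."""
    req_auth = os.urandom(16)  # the NAS picks a fresh random Request Authenticator
    request = build_packet(ACCESS_REQUEST, 7, req_auth, [(1, b"alice")], secret)  # 1 = User-Name
    accept = build_packet(ACCESS_ACCEPT, 7, req_auth, [], secret)
    reject_no_ma = build_packet(ACCESS_REJECT, 7, req_auth, [], secret, with_ma=False)
    altered = bytes([ACCESS_ACCEPT]) + reject_no_ma[1:]  # code changed, authenticator left as is
    return {
        "server_accepts_request": server_accepts_request(request, secret, True),
        "client_accepts_signed_reply": client_accepts_reply(accept, secret, req_auth, True),
        "client_lenient_accepts_unsigned": client_accepts_reply(reject_no_ma, secret, req_auth, False),
        "client_strict_accepts_unsigned": client_accepts_reply(reject_no_ma, secret, req_auth, True),
        "client_accepts_altered": client_accepts_reply(altered, secret, req_auth, True),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The two `require_ma` flags are the per-peer switches the advisory calls C2 and S2: with the flag off, a reply or request without Message-Authenticator is still accepted (the state the "keep S2 disabled" countermeasures describe for not-yet-updated clients), and with it on, only HMAC-protected packets pass. A packet that carries a Message-Authenticator that does not verify is rejected regardless of the flag.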

Status

  • RUGGEDCOM CROSSBOW: C1 is implemented in all versions; C2 is implemented in V5.6 or later.
  • RUGGEDCOM ROS V4.X family: C1 and C2 are not implemented before V4.3.11; both are implemented in V4.3.11 or later. C2 can be configured from CLI / webUI at: Administration -> Configure Security Server -> Configure RADIUS Server -> Select Server (primary and/or backup) -> Force Msg-Auth attr = (YES, NO). The default value of Force Msg-Auth attr = NO. If your RADIUS server supports the message authenticator attribute, it is recommended to set it to YES.
  • RUGGEDCOM ROS V5.X family: C1 and C2 are not implemented before V5.10.0; both are implemented in V5.10.0 or later. C2 can be configured as described for the RUGGEDCOM ROS V4.X family.
  • RUGGEDCOM RST2428P: C1 is implemented in all versions; C2 is implemented in V3.2 or later.
  • RUGGEDCOM devices, except the ones already listed above: C1 and C2 are not implemented in current versions; both are planned to be implemented in a future version.
  • SCALANCE M-800 family (incl. S615, MUM-800 and RM1224): C1 is implemented in all versions; C2 is implemented in V8.2 or later.
  • SCALANCE W-700 IEEE 802.11ax family: C1 is implemented in all versions; C2 is implemented in V3.0.0 or later.
  • SCALANCE X-300 family (incl. X408 and SIPLUS NET variants): C1 is implemented in V4.1.8 or later; C2 is implemented in V4.1.9 or later.
  • SCALANCE XB-200/XC-200/XP-200/XF-200BA/XR-300WG family: C1 is implemented in all versions; C2 is implemented in V4.6 or later.
  • SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family: C1 is implemented in all MSPS versions; C2 is implemented in MSPS V1.3 or later.
  • SCALANCE XCM-/XRM-/XCH-/XRH-300 family: C1 is implemented in all SINEC OS versions; C2 is implemented in SINEC OS V3.2 or later.
  • SCALANCE devices, except the ones already listed above: C1 is implemented in all versions; C2 is planned to be implemented in a future version.
  • SINEC INS, when RADIUS Server feature is enabled: S1 is implemented in all versions for all clients that support C1; S2 is implemented in all versions.
  • SINEC INS, when the Relay feature is configured: S3 is not implemented before V1.0 SP2 Update 4; S3 is implemented in V1.0 SP2 Update 4 or later.

Specific Countermeasures

  • RUGGEDCOM CROSSBOW: Ensure that the RADIUS server(s) in your deployment implement S1-S3; ensure that S2 is enabled for RUGGEDCOM CROSSBOW; update RUGGEDCOM CROSSBOW to V5.6 or later version to support C2. Alternatively, consider using a different supported method for authentication: AD, RSA or a combination of both.
  • RUGGEDCOM ROS V4.X family: Update to V4.3.11 or later version and consider the information in the Status section above.
  • RUGGEDCOM ROS V5.X family: Update to V5.10.0 or later version and consider the information in the Status section above.
  • RUGGEDCOM RST2428P: Update to V3.2 or later version and enforce by configuration that all packets coming from the RADIUS server contain a Message-Authenticator attribute (if the RADIUS server supports it).
  • RUGGEDCOM devices, except the ones already listed above: Ensure that the RADIUS server(s) in your deployment implement S1-S3, but keep S2 disabled for RUGGEDCOM devices; as soon as a new firmware version is available that supports C1 and C2: update all devices and enable S2 on the server.
  • SCALANCE M-800 family (incl. S615, MUM-800 and RM1224): Update to V8.2 or later version and enforce by configuration that all packets coming from the RADIUS server contain a Message-Authenticator attribute (if the RADIUS server supports it).
  • SCALANCE W-700 IEEE 802.11ax family: Update to V3.0.0 or later version and enforce by configuration that all packets coming from the RADIUS server contain a Message-Authenticator attribute (if the RADIUS server supports it).
  • SCALANCE X-300 family (incl. X408 and SIPLUS NET variants): Update to V4.1.9 or later version and enforce by configuration that all packets coming from the RADIUS server contain a Message-Authenticator attribute (if the RADIUS server supports it).
  • SCALANCE XB-200/XC-200/XP-200/XF-200BA/XR-300WG family: Update to V4.6 or later version and enforce by configuration that all packets coming from the RADIUS server contain a Message-Authenticator attribute (if the RADIUS server supports it).
  • SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family: Update to MSPS V1.3 or later version and enforce by configuration that all packets coming from the RADIUS server contain a Message-Authenticator attribute (if the RADIUS server supports it).
  • SCALANCE XCM-/XRM-/XCH-/XRH-300 family: Update to SINEC OS V3.2 or later version and enforce by configuration that all packets coming from the RADIUS server contain a Message-Authenticator attribute (if the RADIUS server supports it).
  • SCALANCE devices, except the ones already listed above: Update all devices to the latest available firmware version; ensure that the RADIUS server(s) in your deployment implement S1-S3; ensure that S2 is enabled for all SCALANCE devices; as soon as a new firmware version is available that supports C2: update all devices.
  • SINEC INS, when RADIUS Server feature is enabled: Configure S2 for all clients that support C1.
  • SINEC INS, when the Relay feature is configured: Update SINEC INS to V1.0 SP2 Update 4 or later version.

More Information

https://www.siemens.com/cert/advisories
V1.0 (2024-07-09): Publication Date
V1.1 (2024-07-22): Clarified that the fix for SCALANCE X-300 family (incl. X408 and SIPLUS NET variants) in V4.1.8 only covers RADIUS client mitigation C1, but not C2
V1.2 (2024-11-12): Added fix for RUGGEDCOM CROSSBOW
V1.3 (2024-12-10): Added fix (and related important recommendations in chapter Additional Information) for RUGGEDCOM ROS V4.x devices; Added additional SINEC OS-based devices as affected products: RUGGEDCOM RST2428P and SCALANCE XC-300, XR-300, XC-400 families, and additional devices in the SCALANCE XR-500 family
V1.4 (2025-01-14): Added fix for SCALANCE W-700 IEEE 802.11ax family and for SCALANCE M-800 family (incl. S615, MUM-800 and RM1224)
V1.5 (2025-03-11): Added fix for SCALANCE X-300 family (incl. X408 and SIPLUS NET variants)
V1.6 (2025-06-10): Clarified that SINEC INS is only affected when the Relay feature is used; added fix for the RUGGEDCOM RST2428P, SCALANCE XC-300, SCALANCE XC-400 and SCALANCE XR-300 (6GK5334-xTSxx) families and for some of the devices in the SCALANCE XM-400/XR-500 and SCALANCE XCM-/XRM-/XCH-/XRH-300 families
V1.7 (2025-07-08): Added fix for SCALANCE XB-200/XC-200/XP-200/XF-200BA/XR-300WG family, for SCALANCE XC-300/XR-300/XC-400/XR-500WG/XR-500 family (MSPS V1.3), for RUGGEDCOM ROS V5.X family and for SINEC INS (relay feature); Clarified the applicability of the MSPS V1.3 and the SINEC OS V3.2 fix releases for product families that support both