-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

# SSA-145224: Vulnerability in OSPF Packet Handling of SCALANCE XM-400 and XR-500
Devices

Publication Date:        2022-06-14
Last Update:             2022-06-14
Current Version:         1.0
CVSS v3.1 Base Score:    5.9

SUMMARY
=======

SCALANCE XM-400 and XR-500 devices contain a vulnerability in the OSPF
protocol implementation that could allow an unauthenticated remote
attacker to cause interruptions in the network.

Siemens has released updates for the affected products and recommends to
update to the latest versions.


AFFECTED PRODUCTS AND SOLUTION
==============================


* SCALANCE XM408-4C (6GK5408-4GP00-2AM2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XM408-4C (L3 int.) (6GK5408-4GQ00-2AM2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XM408-8C (6GK5408-8GS00-2AM2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XM408-8C (L3 int.) (6GK5408-8GR00-2AM2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XM416-4C (6GK5416-4GS00-2AM2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XM416-4C (L3 int.) (6GK5416-4GR00-2AM2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XR524-8C, 1x230V (6GK5524-8GS00-3AR2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XR524-8C, 1x230V (L3 int.) (6GK5524-8GR00-3AR2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XR524-8C, 2x230V (6GK5524-8GS00-4AR2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XR524-8C, 2x230V (L3 int.) (6GK5524-8GR00-4AR2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XR524-8C, 24V (6GK5524-8GS00-2AR2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XR524-8C, 24V (L3 int.) (6GK5524-8GR00-2AR2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XR526-8C, 1x230V (6GK5526-8GS00-3AR2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XR526-8C, 1x230V (L3 int.) (6GK5526-8GR00-3AR2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XR526-8C, 2x230V (6GK5526-8GS00-4AR2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XR526-8C, 2x230V (L3 int.) (6GK5526-8GR00-4AR2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XR526-8C, 24V (6GK5526-8GS00-2AR2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XR526-8C, 24V (L3 int.) (6GK5526-8GR00-2AR2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XR528-6M (6GK5528-0AA00-2AR2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XR528-6M (2HR2) (6GK5528-0AA00-2HR2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XR528-6M (2HR2, L3 int.) (6GK5528-0AR00-2HR2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XR528-6M (L3 int.) (6GK5528-0AR00-2AR2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XR552-12M (6GK5552-0AA00-2AR2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XR552-12M (2HR2) (6GK5552-0AA00-2HR2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XR552-12M (2HR2) (6GK5552-0AR00-2HR2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/

* SCALANCE XR552-12M (2HR2, L3 int.) (6GK5552-0AR00-2AR2)
  - Affected versions:
       All versions < V6.5
  - Remediation:
       Update to V6.5 or later version
       See further recommendations from section "Workarounds and Mitigations"
  - Download:
       https://support.industry.siemens.com/cs/ww/en/view/109809635/


WORKAROUNDS AND MITIGATIONS
===========================

Siemens has identified the following specific workarounds and mitigations that
customers can apply to reduce the risk:

* Disable OSPF in the layer 3 configuration menu (note that OSPF is
disabled by default). The vulnerability is not exploitable, when OSPF is
disabled

* If OSPF is used, set a password for the OSPF interface and enable MD5
authentication


Product specific remediations or mitigations can be found in the section
"Affected Products and Solution".

Please follow the "General Security Recommendations".


GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, Siemens strongly recommends to protect
network access to devices with appropriate mechanisms. In order to
operate the devices in a protected IT environment, Siemens recommends to
configure the environment according to Siemens' operational guidelines
for Industrial Security (Download:
https://www.siemens.com/cert/operational-guidelines-industrial-security),
and to follow the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found
at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION
===================

SCALANCE X switches are used to connect industrial components like
Programmable Logic Controllers (PLCs) or Human Machine Interfaces
(HMIs).

VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring
system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS
environmental score is specific to the customer's environment and will impact
the overall CVSS score. The environmental score should therefore be
individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a
community-developed list of common software security weaknesses. This serves as
a common language and as a baseline for weakness identification, mitigation,
and prevention efforts. A detailed list of CWE classes can be found at:
https://cwe.mitre.org/.



* Vulnerability CVE-2021-37182

  The OSPF protocol implementation in affected devices fails to verify the
  checksum and length fields in the OSPF LS Update messages.
  
  An unauthenticated remote attacker could exploit this vulnerability to
  cause interruptions in the network by sending specially crafted OSPF
  packets. Successful exploitation requires OSPF to be enabled on an
  affected device.

  CVSS v3.1 Base Score: 5.9
  CVSS Vector:          CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C
  CWE:                  CWE-354: Improper Validation of Integrity Check Value




ADDITIONAL INFORMATION
======================

For further inquiries on security vulnerabilities in Siemens products and
solutions, please contact the Siemens ProductCERT:

https://www.siemens.com/cert/advisories


HISTORY DATA
============

V1.0 (2022-06-14): Publication Date

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained
in Siemens' underlying license terms or other applicable agreements previously
agreed to with Siemens (hereinafter "License Terms"). To the extent applicable
to information, software or documentation made available in or through a
Siemens Security Advisory, the Terms of Use of Siemens' Global Website
(https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in
particular Sections 8-10 of the Terms of Use, shall apply additionally. In case
of conflicts, the License Terms shall prevail over the Terms of Use.

Copyright: Siemens 2022
-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEEHyx/myPwjH9jB9tDlm7gTEmyujQFAmKnz4AACgkQlm7gTEmy
ujS7pA//fqNyfFFfv7iucz3zzw7z1IRSxqUUHUOG4LZJjwm+D2dhqL1KyxsELfvb
OnXiN1PloIN4Sn7a6IQTKvE+f8eOThjinkEgcqPMn9Suxz2fY/xnA3Z7MGx/l2tm
fA7Imt0pjowuOonq8EBHp4CBqhauaFls64W4SntRV+Ry+M6P6KqfFSBGJCuSaYAG
YoMXZOoNsbNZnj4w4FGJnWJuMPcuIEUiaj/eFds+t8sby9NYdvVUnLwVjczkUVjL
hAD7hztp2Z7/STOfLrTHn0sA30B/xkba2ocuji0hW9W510pDSddRWVFdSJ/ihNKm
fnXhfBLSc8OOtFZHoYCVfRAWSsB9R0gvPW0hZ7mUYv0ilXc3Z2/MzniN56GHStrR
hBQ+xgzIZCOhwe3I6I5q0pDm9J8oA2UhNTILV3KSUaY0/DdrviEeQF9tNP8FrJdM
WiDaYzJHAUXcjeQFiIdvB1txAsv7Aii9pTO9KdTysf4puwqyvx0ABe93h4bK13Vk
1J+GM3DPj6CAxFA4N6hqkdWiDMfIbt3r4Q0RPbvhxeZ+e7broJ2WRFFBZQcX2mms
E8C8v+WW4k01fpDtXnoNKJokC44OZUQmwpG2s2X9256RV/kznhX+zTye0kApddBz
a1eVpnCFHukgZ2bIYMEYDtSa7vfyU/CRXJPnyNOY3COy15vMvYU=
=g/kC
-----END PGP SIGNATURE-----