# SSA-187092: Several Buffer-Overflow Vulnerabilities in Web Server of SCALANCE X-200

Publication Date:     2021-04-13
Last Update:          2021-09-14
Current Version:      1.1
CVSS v3.1 Base Score: 9.8

SUMMARY
=======

Several SCALANCE X-200 switches contain buffer overflow vulnerabilities in the web server. In the most severe case an attacker could potentially remotely execute code.

Siemens is preparing updates and recommends specific countermeasures for products where updates are not, or not yet available.

AFFECTED PRODUCTS AND SOLUTION
==============================

* SCALANCE X200-4P IRT
  - Affected versions: All versions < 5.5.1
  - Remediation: Update to V5.5.1 or later version
  - Download: https://support.industry.siemens.com/cs/us/en/view/109793952/
* SCALANCE X201-3P IRT
  - Affected versions: All versions < 5.5.1
  - Remediation: Update to V5.5.1 or later version
  - Download: https://support.industry.siemens.com/cs/us/en/view/109793952/
* SCALANCE X201-3P IRT PRO
  - Affected versions: All versions < 5.5.1
  - Remediation: Update to V5.5.1 or later version
  - Download: https://support.industry.siemens.com/cs/us/en/view/109793952/
* SCALANCE X202-2 IRT
  - Affected versions: All versions < 5.5.1
  - Remediation: Update to V5.5.1 or later version
  - Download: https://support.industry.siemens.com/cs/us/en/view/109793952/
* SCALANCE X202-2P IRT (incl. SIPLUS NET variant)
  - Affected versions: All versions < 5.5.1
  - Remediation: Update to V5.5.1 or later version
  - Download: https://support.industry.siemens.com/cs/us/en/view/109793952/
* SCALANCE X202-2P IRT PRO
  - Affected versions: All versions < 5.5.1
  - Remediation: Update to V5.5.1 or later version
  - Download: https://support.industry.siemens.com/cs/us/en/view/109793952/
* SCALANCE X204 IRT
  - Affected versions: All versions < 5.5.1
  - Remediation: Update to V5.5.1 or later version
  - Download: https://support.industry.siemens.com/cs/us/en/view/109793952/
* SCALANCE X204 IRT PRO
  - Affected versions: All versions < 5.5.1
  - Remediation: Update to V5.5.1 or later version
  - Download: https://support.industry.siemens.com/cs/us/en/view/109793952/
* SCALANCE X204-2 (incl. SIPLUS NET variant)
  - Affected versions: All versions < V5.2.5
  - Remediation: Update to V5.2.5 or later version
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109801131/
* SCALANCE X204-2FM
  - Affected versions: All versions < V5.2.5
  - Remediation: Update to V5.2.5 or later version
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109801131/
* SCALANCE X204-2LD (incl. SIPLUS NET variant)
  - Affected versions: All versions < V5.2.5
  - Remediation: Update to V5.2.5 or later version
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109801131/
* SCALANCE X204-2LD TS
  - Affected versions: All versions < V5.2.5
  - Remediation: Update to V5.2.5 or later version
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109801131/
* SCALANCE X204-2TS
  - Affected versions: All versions < V5.2.5
  - Remediation: Update to V5.2.5 or later version
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109801131/
* SCALANCE X206-1
  - Affected versions: All versions < V5.2.5
  - Remediation: Update to V5.2.5 or later version
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109801131/
* SCALANCE X206-1LD
  - Affected versions: All versions < V5.2.5
  - Remediation: Update to V5.2.5 or later version
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109801131/
* SCALANCE X208 (incl. SIPLUS NET variant)
  - Affected versions: All versions < V5.2.5
  - Remediation: Update to V5.2.5 or later version
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109801131/
* SCALANCE X208PRO
  - Affected versions: All versions < V5.2.5
  - Remediation: Update to V5.2.5 or later version
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109801131/
* SCALANCE X212-2 (incl. SIPLUS NET variant)
  - Affected versions: All versions < V5.2.5
  - Remediation: Update to V5.2.5 or later version
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109801131/
* SCALANCE X212-2LD
  - Affected versions: All versions < V5.2.5
  - Remediation: Update to V5.2.5 or later version
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109801131/
* SCALANCE X216
  - Affected versions: All versions < V5.2.5
  - Remediation: Update to V5.2.5 or later version
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109801131/
* SCALANCE X224
  - Affected versions: All versions < V5.2.5
  - Remediation: Update to V5.2.5 or later version
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109801131/
* SCALANCE XF201-3P IRT
  - Affected versions: All versions < 5.5.1
  - Remediation: Update to V5.5.1 or later version
  - Download: https://support.industry.siemens.com/cs/us/en/view/109793952/
* SCALANCE XF202-2P IRT
  - Affected versions: All versions < 5.5.1
  - Remediation: Update to V5.5.1 or later version
  - Download: https://support.industry.siemens.com/cs/us/en/view/109793952/
* SCALANCE XF204
  - Affected versions: All versions < V5.2.5
  - Remediation: Update to V5.2.5 or later version
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109801131/
* SCALANCE XF204 IRT
  - Affected versions: All versions < 5.5.1
  - Remediation: Update to V5.5.1 or later version
  - Download: https://support.industry.siemens.com/cs/us/en/view/109793952/
* SCALANCE XF204-2 (incl. SIPLUS NET variant)
  - Affected versions: All versions < V5.2.5
  - Remediation: Update to V5.2.5 or later version
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109801131/
* SCALANCE XF204-2BA IRT
  - Affected versions: All versions < 5.5.1
  - Remediation: Update to V5.5.1 or later version
  - Download: https://support.industry.siemens.com/cs/us/en/view/109793952/
* SCALANCE XF206-1
  - Affected versions: All versions < V5.2.5
  - Remediation: Update to V5.2.5 or later version
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109801131/
* SCALANCE XF208
  - Affected versions: All versions < V5.2.5
  - Remediation: Update to V5.2.5 or later version
  - Download: https://support.industry.siemens.com/cs/ww/en/view/109801131/

WORKAROUNDS AND MITIGATIONS
===========================

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

* Limit network traffic of web servers of SCALANCE X switches to trusted connections by firewall rules (port 443/tcp and 80/tcp).

GENERAL SECURITY RECOMMENDATIONS
================================

As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity

PRODUCT DESCRIPTION
===================

SCALANCE X switches are used to connect industrial components like Programmable Logic Controllers (PLCs) or Human Machine Interfaces (HMIs).

SIPLUS extreme products are designed for reliable operation under extreme conditions and are based on SIMATIC, LOGO!, SITOP, SINAMICS, SIMOTION, SCALANCE or other devices. SIPLUS devices use the same firmware as the product they are based on.

VULNERABILITY CLASSIFICATION
============================

The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss/). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.

An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/.

* Vulnerability CVE-2021-25668

  Incorrect processing of POST requests in the web server may result in write out of bounds in heap. An attacker might leverage this to cause denial-of-service on the device and potentially remotely execute code.

  CVSS v3.1 Base Score: 9.8
  CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE: CWE-122: Heap-based Buffer Overflow

* Vulnerability CVE-2021-25669

  Incorrect processing of POST requests in the web server may write out of bounds in stack. An attacker might leverage this to cause denial-of-service of the device or remote code execution.

  CVSS v3.1 Base Score: 9.8
  CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
  CWE: CWE-121: Stack-based Buffer Overflow

ADDITIONAL INFORMATION
======================

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact the Siemens ProductCERT: https://www.siemens.com/cert/advisories

HISTORY DATA
============

V1.0 (2021-04-13): Publication Date
V1.1 (2021-09-14): Added solution for SCALANCE X-200 switch family

TERMS OF USE
============

Siemens Security Advisories are subject to the terms and conditions contained in Siemens' underlying license terms or other applicable agreements previously agreed to with Siemens (hereinafter "License Terms"). To the extent applicable to information, software or documentation made available in or through a Siemens Security Advisory, the Terms of Use of Siemens' Global Website (https://www.siemens.com/terms_of_use, hereinafter "Terms of Use"), in particular Sections 8-10 of the Terms of Use, shall apply additionally. In case of conflicts, the License Terms shall prevail over the Terms of Use.
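
An added example, not part of the Siemens advisory: a firmware inventory check against the fix thresholds listed under AFFECTED PRODUCTS AND SOLUTION above (V5.5.1 for the IRT models, V5.2.5 for the other listed models). The inventory rows, status labels and function names are constructed for illustration.

```python
import re

# Fixed firmware per SSA-187092: IRT models V5.5.1, all other listed models V5.2.5.
# Names are the advisory's own, without the "SCALANCE " prefix.
FIXED = {}
for name in ("X200-4P IRT, X201-3P IRT, X201-3P IRT PRO, X202-2 IRT, X202-2P IRT, "
             "X202-2P IRT PRO, X204 IRT, X204 IRT PRO, XF201-3P IRT, XF202-2P IRT, "
             "XF204 IRT, XF204-2BA IRT").split(", "):
    FIXED[name] = (5, 5, 1)
for name in ("X204-2, X204-2FM, X204-2LD, X204-2LD TS, X204-2TS, X206-1, X206-1LD, "
             "X208, X208PRO, X212-2, X212-2LD, X216, X224, XF204, XF204-2, XF206-1, "
             "XF208").split(", "):
    FIXED[name] = (5, 2, 5)

def normalize_model(raw):
    """'scalance  x204-2ld ts' -> 'X204-2LD TS'. Exact-match key, no prefix guessing,
    because 'X204 IRT' and 'X204-2' have different fix versions."""
    name = " ".join(raw.upper().split())
    return name[len("SCALANCE "):] if name.startswith("SCALANCE ") else name

def parse_version(raw):
    """'V5.2.4' -> (5, 2, 4), '5.5' -> (5, 5, 0); None if not a dotted numeric version."""
    m = re.fullmatch(r"[Vv]?\s*(\d+(?:\.\d+){0,2})", raw.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def assess(model, firmware):
    """Return (status, fixed_version_or_None) for one inventory row."""
    fixed = FIXED.get(normalize_model(model))
    if fixed is None:
        return ("not-listed", None)
    version = parse_version(firmware)
    if version is None:
        return ("unknown-version", fixed)  # needs manual review, not a pass
    # Numeric tuple comparison: V5.2.10 is newer than V5.2.5.
    return ("affected" if version < fixed else "fixed", fixed)

# Constructed inventory rows (model, firmware string), not real devices.
INVENTORY = [
    ("SCALANCE X204-2", "V5.2.4"),
    ("SCALANCE X204 IRT", "V5.2.5"),   # still affected: IRT fix is V5.5.1
    ("scalance xf204-2ba irt", "5.5.1"),
    ("SCALANCE X208", "V5.2.10"),
    ("SCALANCE X216", "unknown"),
    ("SCALANCE XC208", "V4.1"),        # not in this advisory
]

if __name__ == "__main__":
    for model, fw in INVENTORY:
        print(model, fw, *assess(model, fw))
```

Devices reported as `affected` or `unknown-version` are the ones to cover with the firewall restriction on 443/tcp and 80/tcp until they are updated.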