Siemens has updates to mitigate a permissions, privileges, and access controls vulnerability in its SCALANCE X switches, RUGGEDCOM WiMAX, RFID 181-EIP, and SIMATIC RF182C, according to a report with NCCIC.

By sending a specially-crafted DHCP response to a client’s DHCP request, an unprivileged remote attacker could execute arbitrary code.

Update for Natus Xltek NeuroWorks Hole
Schneider Fills U.motion Builder Holes
Siemens Fixes SCALANCE X Switch Hole
Delta Mitigates TPEditor Hole

The vulnerability, discovered by Dr. Ang Cui and Joseph Pantoga from Red Balloon Security who reported it to Siemens Product CERT, affects the following products:
• RFID 181-EIP: All versions
• RUGGEDCOM WiMAX: v4.4 and v4.5
• SCALANCE X-200: All versions prior to v5.2.3
• SCALANCE X-200 IRT: All versions prior to v5.4.1
• SCALANCE X-204RNA: All versions
• SCALANCE X-300: All versions
• SCALANCE X408: All versions
• SCALANCE X414: All versions
• SIMATIC RF182C: All versions

In the vulnerability, unprivileged remote attackers located in the same local network segment (OSI Layer 2) could gain remote code execution on the affected products by sending a specially-crafted DHCP response to a client’s DHCP request.

Schneider Bold

CVE-2018-4833 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.

The products see use in the chemical, energy, food and agriculture, healthcare and public health, transportation systems, and water and wastewater systems sectors. They also see action on a global basis.

No known public exploits specifically target this vulnerability. High skill level is needed to exploit. The vulnerability is exploitable from the same local network segment (OSI Layer 2).

Siemens provided updates for the following products to fix the vulnerability:
• SCALANCE X-200: Update to v5.2.3
• SCALANCE X-200 IRT: Update to v5.4.1

Siemens identified the following specific workarounds and mitigations users can apply to reduce the risk:
• Use static IP addresses instead of DHCP
• Apply cell protection concept
• Apply Defense-in-Depth

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security.

Click here for additional information on Industrial Security by Siemens.

For more information on this vulnerability and associated software updates, see Siemens security advisory SSA-181018.

Pin It on Pinterest

Share This