Siemens has updates available to mitigate a protection mechanism failure vulnerability in its SCALANCE X switches, according to a report filed with CISA.

Successful exploitation of this remotely exploitable vulnerability, which Siemens self-reported, could allow an attacker to perform administrative actions. The following versions of SCALANCE X Switches, used to connect industrial components, suffer from the issue:

  • SCALANCE X-200 switch family (including SIPLUS NET variants): All versions prior to Version 5.2.4
  • SCALANCE X-200IRT switch family (including SIPLUS NET variants): All versions
  • SCALANCE X-300 switch family (including X408 and SIPLUS NET variants): All versions prior to Version 4.1.3

    In the vulnerability, the device does not send the X-Frame-Options header in the administrative web interface, which leaves it open to clickjacking attacks.
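    The check a defender would run against an administrative web interface after patching is whether the response actually restricts framing. The following Python is an added example (not Siemens code or part of the advisory): it parses a raw HTTP response and reports whether X-Frame-Options or a Content-Security-Policy frame-ancestors directive is present; the sample responses are constructed, not captured from a real device.

```python
"""Report whether an HTTP response restricts framing (clickjacking defence).

Added example; the three sample responses below are constructed and do not
come from a SCALANCE device or from Siemens.
"""


def parse_headers(raw: str) -> dict:
    """Return the response headers as a lowercase-keyed dict (status line dropped)."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def frame_protection(raw: str) -> dict:
    """Evaluate X-Frame-Options and CSP frame-ancestors in a raw HTTP response."""
    headers = parse_headers(raw)
    xfo = headers.get("x-frame-options", "").upper()
    xfo_ok = xfo in ("DENY", "SAMEORIGIN")  # ALLOW-FROM is obsolete and ignored here

    frame_ancestors = None
    for directive in headers.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            frame_ancestors = value.strip()
    csp_ok = frame_ancestors not in (None, "", "*")

    return {
        "x_frame_options": xfo or None,
        "frame_ancestors": frame_ancestors,
        "protected": xfo_ok or csp_ok,
    }


# Constructed sample responses (not real device output).
VULNERABLE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>admin</html>"
PATCHED = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
           "X-Frame-Options: SAMEORIGIN\r\n\r\n<html>admin</html>")
CSP_ONLY = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
            "Content-Security-Policy: default-src 'self'; frame-ancestors 'none'"
            "\r\n\r\n<html>admin</html>")

if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE), ("patched", PATCHED), ("csp", CSP_ONLY)):
        print(label, frame_protection(resp))
```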

    CVE-2019-13924 is the identifier assigned to this vulnerability, which has a CVSS v3 base score of 4.2.


    The product is used mainly in the critical manufacturing sector and is deployed worldwide.

    No known public exploits specifically target this vulnerability. However, an attacker with low skill level could leverage the vulnerability.

    Siemens released updates and recommends applying them when possible:

  • SCALANCE X-200 switch family (including SIPLUS NET variants): Version 5.2.4
  • SCALANCE X-300 switch family (including X408 and SIPLUS NET variants): Version 4.1.3

    Siemens identified the following specific workaround users can apply to reduce the risk: only access links from trusted sources in the browser you use to configure the SCALANCE X switches.

    As a general security measure, Siemens recommends users protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends users configure the environment according to Siemens’ operational guidelines for Industrial Security, and follow the recommendations in the product manuals.


    For more information see Siemens security advisory SSA-951513.
