Siemens has released updates to mitigate a protection mechanism failure vulnerability in its SCALANCE X switches, according to a report filed with CISA.
Successful exploitation of this remotely exploitable vulnerability, which Siemens self-reported, could allow an attacker to perform administrative actions. The following versions of SCALANCE X switches, used to connect industrial components, are affected:
The device does not send the X-Frame-Options header in its administrative web interface, which leaves the interface vulnerable to clickjacking attacks.
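The condition described above can be checked from a captured HTTP response: a page is protected against framing only if it carries a valid X-Frame-Options value or a restrictive Content-Security-Policy frame-ancestors directive. The following audit routine is an added example, not code from Siemens or CISA, and the sample responses in it are constructed rather than captured from a SCALANCE X device:

```python
from typing import Dict, List, Optional

# Values browsers honour; the obsolete ALLOW-FROM is ignored by current browsers, so it does not count.
VALID_XFO = {"deny", "sameorigin"}

def parse_headers(raw_response: str) -> Dict[str, List[str]]:
    """Split a raw HTTP/1.x response into a lower-cased header map (status line and body dropped)."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    headers: Dict[str, List[str]] = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def csp_frame_ancestors(policies: List[str]) -> Optional[List[str]]:
    """Return the frame-ancestors source list from CSP headers, or None if the directive is absent."""
    for policy in policies:
        for directive in policy.split(";"):
            tokens = directive.split()
            if tokens and tokens[0].lower() == "frame-ancestors":
                return [t.lower() for t in tokens[1:]]
    return None

def framing_protection(raw_response: str) -> dict:
    """Report whether the response forbids being framed by other origins."""
    headers = parse_headers(raw_response)
    xfo = [v.lower() for v in headers.get("x-frame-options", [])]
    # Conflicting duplicate values make browsers ignore the header entirely, so require one value.
    xfo_ok = len(set(xfo)) == 1 and xfo[0] in VALID_XFO
    ancestors = csp_frame_ancestors(headers.get("content-security-policy", []))
    # A frame-ancestors directive restricts framing unless it allows every origin.
    csp_ok = ancestors is not None and "*" not in ancestors
    return {"x_frame_options": xfo, "frame_ancestors": ancestors, "protected": xfo_ok or csp_ok}

# Constructed sample responses standing in for an administrative web interface (not real captures).
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: session=constructed; HttpOnly\r\n"
    "\r\n"
    "<html><body>Admin page</body></html>"
)
FIXED_RESPONSE = VULNERABLE_RESPONSE.replace("\r\n\r\n", "\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n", 1)
CSP_RESPONSE = VULNERABLE_RESPONSE.replace("\r\n\r\n", "\r\nContent-Security-Policy: frame-ancestors 'self'\r\n\r\n", 1)

if __name__ == "__main__":
    for label, resp in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE), ("csp", CSP_RESPONSE)):
        print(label, framing_protection(resp))
```

Running the check against a response saved from a device under review (for example with curl -i) shows whether the applied update actually adds the header.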
The vulnerability has been assigned CVE-2019-13924 and carries a CVSS v3 base score of 4.2.
The product is used mainly in the critical manufacturing sector and is deployed worldwide.
No known public exploits specifically target this vulnerability; however, an attacker with a low skill level could leverage it.
Siemens released updates, which it recommends applying when possible:
Siemens identified the following specific workarounds and mitigations users can apply to reduce the risk: Only access links from trusted sources in the browser you use to configure the SCALANCE X switches.
As a general security measure, Siemens recommends users protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends users configure the environment according to Siemens’ operational guidelines for Industrial Security, and follow the recommendations in the product manuals.
For more information see Siemens security advisory SSA-951513.