Siemens SCALANCE X Switches, RUGGEDCOM WiMAX, RFID 181-EIP, and SIMATIC RF182C (Update A)

1. EXECUTIVE SUMMARY

  • CVSS v3 7.5
  • ATTENTION: Exploitable from the same local network segment (OSI Layer 2)
  • Vendor: Siemens
  • Equipment: SCALANCE X switches, RUGGEDCOM WiMAX, RFID 181-EIP, and SIMATIC RF182C
  • Vulnerability: Permissions, Privileges, and Access Controls

2. UPDATE INFORMATION

This updated advisory is a follow-up to the original advisory titled ICSA-18-165-01 Siemens SCALANCE X Switches, RUGGEDCOM WiMAX, RFID 181-EIP, and SIMATIC RF182C that was published June 14, 2018.

3. RISK EVALUATION

By sending a specially-crafted DHCP response to a client’s DHCP request, an unprivileged remote attacker could execute arbitrary code.

4. TECHNICAL DETAILS

4.1 AFFECTED PRODUCTS

Siemens reports the vulnerability affects the following products:

  • RFID 181-EIP: All versions,
--------- Begin Update A Part 1 of 2 ---------
  • RUGGEDCOM WiMAX: v4.4, v4.5, v5.0, and v5.1,
--------- End Update A Part 1 of 2 ---------
  • SCALANCE X-200: All versions prior to v5.2.3,
  • SCALANCE X-200 IRT: All versions prior to v5.4.1,
  • SCALANCE X-204RNA: All versions,
  • SCALANCE X-300: All versions,
  • SCALANCE X408: All versions,
  • SCALANCE X414: All versions, and
  • SIMATIC RF182C: All versions.

4.2 VULNERABILITY OVERVIEW

4.2.1 PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS CWE-264

Unprivileged remote attackers located in the same local network segment (OSI Layer 2) could gain remote code execution on the affected products by sending a specially-crafted DHCP response to a client’s DHCP request.

CVE-2018-4833 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

4.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Chemical, Energy, Food and Agriculture, Healthcare and Public Health, Transportation Systems, and Water and Wastewater Systems
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: Germany

5. MITIGATIONS

Siemens has provided updates for the following products to fix the vulnerability:

--------- Begin Update A Part 2 of 2 ---------
  • RUGGEDCOM WiMAX: Update to V5.2

https://support.industry.siemens.com/cs/ww/en/view/109762466

--------- End Update A Part 2 of 2 ---------
  • SCALANCE X-200: Update to v5.2.3

https://support.industry.siemens.com/cs/cn/en/view/109758142

  • SCALANCE X-200 IRT: Update to v5.4.1

https://support.industry.siemens.com/cs/de/en/view/109758144

Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:

  • Use static IP addresses instead of DHCP
  • Apply cell protection concept: https://www.siemens.com/cert/operational-guidelines-industrial-security
  • Apply Defense-in-Depth: https://www.siemens.com/cert/operational-guidelines-industrial-security

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and following the recommendations in the product manuals.
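Where affected devices must remain on DHCP, monitoring the segment for DHCP replies from unexpected servers supports the measures above. The following is an added example, not part of the Siemens or ICS-CERT advisory: it parses captured UDP payloads as DHCP replies and flags any reply whose source or server identifier is not on an allowlist, or whose option field is truncated. The function names, the allowlist, and all addresses and packets are constructed for illustration.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"              # start of the DHCP options area (RFC 2131)
REPLY_TYPES = {2: "OFFER", 5: "ACK", 6: "NAK"}  # option 53 values sent by servers

def parse_dhcp_reply(payload):
    """Return fields of a DHCP server reply, or None if payload is not a BOOTREPLY."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC_COOKIE:
        return None
    opts, i, malformed = {}, 240, False
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            malformed = True                        # declared length runs past the packet
            break
        opts.setdefault(payload[i], payload[i + 2:i + 2 + payload[i + 1]])
        i += 2 + payload[i + 1]
    mtype, sid = opts.get(53, b""), opts.get(54, b"")
    return {
        "type": REPLY_TYPES.get(mtype[0], "OTHER") if len(mtype) == 1 else "MISSING",
        "client_mac": payload[28:34].hex(":"),
        "server_id": socket.inet_ntoa(sid) if len(sid) == 4 else None,
        "malformed": malformed,
    }

def flag_replies(packets, allowed_servers):
    """packets: (source_ip, udp_payload) pairs taken from UDP port 67 -> 68 traffic."""
    findings = []
    for src_ip, payload in packets:
        reply = parse_dhcp_reply(payload)
        if reply is None:
            continue
        if src_ip not in allowed_servers or reply["server_id"] not in allowed_servers:
            findings.append((src_ip, reply["client_mac"], "server not in allowlist"))
        elif reply["malformed"]:
            findings.append((src_ip, reply["client_mac"], "truncated option field"))
    return findings

def sample_reply(server_ip, mac, options_tail=b"\xff"):
    """Constructed test packet: BOOTREPLY header followed by DHCPOFFER options."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s192s", 2, 1, 6, 0, 0x1234, 0, 0,
                         b"\0" * 4, socket.inet_aton("192.0.2.50"), b"\0" * 4,
                         b"\0" * 4, bytes.fromhex(mac), b"")
    return (header + MAGIC_COOKIE + b"\x35\x01\x02"
            + b"\x36\x04" + socket.inet_aton(server_ip) + options_tail)
```

Source addresses can be forged on a shared Layer 2 segment, so an empty result does not show that the segment is clean; the static addressing and cell protection measures listed above remain the primary controls.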

Additional information on Industrial Security by Siemens can be found at:

https://www.siemens.com/industrialsecurity

For more information on this vulnerability and associated software updates, please see Siemens security advisory SSA-181018 on their website:

https://www.siemens.com/cert/advisories
