1. EXECUTIVE SUMMARY
- CVSS v3 7.5
- ATTENTION: Exploitable from the same local network segment (OSI Layer 2)
- Vendor: Siemens
- Equipment: SCALANCE X switches, RUGGEDCOM WiMAX, RFID 181-EIP, and SIMATIC RF182C
- Vulnerability: Permissions, Privileges, and Access Controls
2. UPDATE INFORMATION
This updated advisory is a follow-up to the original advisory titled ICSA-18-165-01 Siemens SCALANCE X Switches, RUGGEDCOM WiMAX, RFID 181-EIP, and SIMATIC RF182C that was published June 14, 2018.
3. RISK EVALUATION
By sending a specially-crafted DHCP response to a client’s DHCP request, an unprivileged remote attacker could execute arbitrary code.
4. TECHNICAL DETAILS
4.1 AFFECTED PRODUCTS
Siemens reports the vulnerability affects the following products:
- RFID 181-EIP: All versions,
- RUGGEDCOM WiMAX: v4.4, v4.5, v5.0, and v5.1,
- SCALANCE X-200: All versions prior to v5.2.3,
- SCALANCE X-200 IRT: All versions prior to v5.4.1,
- SCALANCE X-204RNA: All versions,
- SCALANCE X-300: All versions,
- SCALANCE X408: All versions,
- SCALANCE X414: All versions, and
- SIMATIC RF182C: All versions.
4.2 VULNERABILITY OVERVIEW
4.2.1 PERMISSIONS, PRIVILEGES, AND ACCESS CONTROLS CWE-264
Unprivileged remote attackers located in the same local network segment (OSI Layer 2) could gain remote code execution on the affected products by sending a specially-crafted DHCP response to a client’s DHCP request.
CVE-2018-4833 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
- CRITICAL INFRASTRUCTURE SECTORS: Chemical, Energy, Food and Agriculture, Healthcare and Public Health, Transportation Systems, and Water and Wastewater Systems
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Germany
Siemens has provided updates for the following products to fix the vulnerability:
- RUGGEDCOM WiMAX: Update to V5.2
- SCALANCE X-200: Update to v5.2.3
- SCALANCE X-200 IRT: Update to v5.4.1
Siemens has identified the following specific workarounds and mitigations that customers can apply to reduce the risk:
- Use static IP addresses instead of DHCP
- Apply cell protection concept: https://www.siemens.com/cert/operational-guidelines-industrial-security
- Apply Defense-in-Depth: https://www.siemens.com/cert/operational-guidelines-industrial-security
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security), and following the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found at:
For more information on this vulnerability and associated software updates, please see Siemens security advisory SSA-181018 on their website: