New Siemens Switch Vulnerability Discovered by Nozomi Networks Labs

New Siemens Switch Vulnerability Discovered by Nozomi Networks Labs

This post was updated on March 3, 2020.

On August 13, 2019, the Siemens CERT Team, in collaboration with Nozomi Networks Labs, issued an Advisory concerning a vulnerability in Siemens SCALANCE switch devices.

The Siemens CERT Advisory (SSA-100232) describes this vulnerability, and indicates that its successful exploitation could allow a remote attacker to render the switch FX series unavailable (fault mode) by causing a reboot of the device. A second implication is an interruption of the communication management of the network controlled by the device itself.

Nozomi Networks Labs responsibly disclosed the security issue to Siemens CERT and CISA. This effort is part of ongoing research conducted by Nozomi Networks Labs to test common devices for vulnerabilities. For example, the Labs team recently presented its research on securing intelligent electronic devices (IEDs) using the IEC 62351-7 Standard for Monitoring at BlackHat 2019. While doing this analysis, we discovered a previously unknown device vulnerability.

The Siemens CERT Advisory highlights the challenge of safeguarding industrial systems that include long-lived, insecure legacy devices. It is one of three ICS-CERT advisories related to Siemens products reported by our team in the last year.

Read on to learn about this vulnerability and other legacy device risks that are all too common in industrial facilities.

Overview of the Switch Vulnerability Reported by Nozomi Networks Labs

The vulnerability covered by the Siemens CERT Advisory applies to Siemens SCALANCE XF series switches. Specifically, the products affected include:

  • All SCALANCE XF-208 switches at revisions <= v5.2.3

Siemens describes the role of these controllers as:

“Equipped for all ambient conditions – in our Industrial Ethernet switches portfolio, you are sure to find the right switch for your application: devices with copper or fiber-optic ports, for the control cabinet or for use in harsh environments, at data rates of up to 10 Gbps.

This gives you flexibility in designing the network topology: from redundant setup and minimization of downtimes, through integrated and reliable segmentation across all levels to barrier-free connection to cloud-based systems.

Siemens offers you all this from a single source: an integrated range of products and systems for automation in all areas – from incoming goods, through the production process to the dispatch of goods, from the machine and aggregation level, through the industrial backbone to connection to the enterprise network.”

According to ICS-CERT, these devices are used worldwide in infrastructure sectors such as:

  • Critical manufacturing
  • Food and agriculture
  • Transportation
  • Water/wastewater
  • Chemical
  • Energy
  • Healthcare and public health

Nozomi Networks Labs’ Vulnerability Analysis

At Black Hat USA 2019 in Las Vegas last week, Nozomi Networks presented a novel monitoring approach (using the Nozomi Networks Smart Polling solution) for securing power grid intelligent electronic devices (IEDs). During our latest research on the implementation of the IEC 62351-7 Standard for securing smart grid facilities, we decided to do more in-depth analysis on the current security posture of some of the devices used in our Black Hat demo scenarios.

During our analysis, we discovered the vulnerability related to the Siemens CERT Advisory published on August 13, 2019.

SSA-100232: Denial-of-Service Vulnerability in SCALANCE X Switches, August 13, 2019

The new vulnerability permits a remote threat actor to cause an uncontrolled resource consumption via the Telnet service used for managing and configuring the device itself. A remote attacker could cause a Denial of Service (DoS) triggered by sending crafted packets to the device, changing its state in fault mode and causing an instant reboot. As a consequence, all the devices in the same network would no longer be able to communicate, which would also disrupt the low-level process.

Siemens Plans to Issue Updates that Eradicate Device Vulnerabilities

Siemens has issued a Security Advisory for the SCALANCE FX-series switch vulnerability, including suggested workarounds and mitigations that customers can apply to reduce the risk. Additional patches are expected to be shared by Siemens soon.

Based on our experience with previous disclosures and collaborations with Siemens CERT, the vulnerability was handled in a timely and effective manner by the Siemens security team.

Widespread Use of Devices Has Safety and Business Impacts

The widespread use of SCALANCE switches throughout multiple industries around the world highlights the challenges of securing both IT and OT networks. Additionally, the extended lifespans of these devices in industrial facilities means that organizations may still be utilizing vulnerable assets within these sensitive environments. The security challenge is further complicated because critical control devices can’t be readily taken offline for patching.

To assess your organization’s level of cyber risk to such vulnerabilities, it’s important to have visibility into the susceptible devices in your facilities and use that information in your remediation plan. The ideal security program needs to consider cyber risks, safety and environmental concerns, as well as business impacts.

Recommended Solutions and Mitigations

Siemens has provided a set of recommendations, including standard mitigations, to protect impacted end users from the vulnerability. These mitigations are outlined in the Security Advisory and include:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the Internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may also have vulnerabilities and should be updated to the most current versions available. Industrial operators need to be aware that VPNs are only as secure as the connected devices.

Nozomi Networks Unified Solution Automatically Identifies Affected Systems

Nozomi Networks customers using Threat Intelligence benefit from custom signatures that identify vulnerabilities as soon as they are discovered. Customers automatically receive alerts letting them know which assets are vulnerable, along with suggested steps for remediation.

Take Action Against Cyber Risk from Legacy Devices

While the challenge of securing legacy industrial devices is formidable, effective tools and helpful information is now available.

The use of threat intelligence to identify which devices have specific vulnerabilities and machine learning to automatically detect threats and vulnerabilities in industrial systems is becoming more imperative given the quickly changing security climate.

Armed with this information, you can prioritize the actions needed to improve the cyber security posture of your industrial operations.