Siemens SCALANCE X Expected Behavior Violation (CVE-2019-6569)

critical Tenable OT Security Plugin ID 501032

Synopsis

The remote OT asset is affected by a vulnerability.

Description

The monitor barrier of the affected products insufficiently blocks data from being forwarded over the mirror port into the mirrored network. An attacker could use this behavior to transmit malicious packets to systems in the mirrored network, possibly influencing their configuration and runtime behavior.

Matching for this plugin is performed on model names as they are listed in the Siemens advisory. For exact MLFB matching, refer to Siemens advisory SSA-557804.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Siemens has provided the following specific updates that users can implement to mitigate this vulnerability:

Users of the following products should update to v5.2.6 or later:

- SCALANCE X204-2 (6GK5204-2BB10-2AA3)
- SCALANCE X204-2FM (6GK5204-2BB11-2AA3)
- SCALANCE X204-2LD (6GK5204-2BC10-2AA3)
- SCALANCE X204-2LD TS (6GK5204-2BC10-2CA2)
- SCALANCE X204-2TS (6GK5204-2BB10-2CA2)
- SCALANCE X206-1 (6GK5206-1BB10-2AA3)
- SCALANCE X206-1LD (6GK5206-1BC10-2AA3)
- SCALANCE X208 (6GK5208-0BA10-2AA3)
- SCALANCE X208PRO (6GK5208-0HA10-2AA6)
- SCALANCE X212-2 (6GK5212-2BB00-2AA3)
- SCALANCE X212-2LD (6GK5212-2BC00-2AA3)
- SCALANCE X216 (6GK5216-0BA00-2AA3)
- SCALANCE X224 (6GK5224-0BA00-2AA3)

Users of the following products should update to v4.1.3 or later:

- SCALANCE X302-7 EEC (2x 24V) (6GK5302-7GD00-2EA3)
- SCALANCE X302-7 EEC (2x 24V, coated) (6GK5302-7GD00-2GA3)
- SCALANCE X302-7 EEC (2x 230V) (6GK5302-7GD00-4EA3)
- SCALANCE X302-7 EEC (2x 230V, coated) (6GK5302-7GD00-4GA3)
- SCALANCE X302-7 EEC (24V) (6GK5302-7GD00-1EA3)
- SCALANCE X302-7 EEC (24V, coated) (6GK5302-7GD00-1GA3)
- SCALANCE X302-7 EEC (230V) (6GK5302-7GD00-3EA3)
- SCALANCE X302-7 EEC (230V, coated) (6GK5302-7GD00-3GA3)
- SCALANCE X304-2FE (6GK5304-2BD00-2AA3)
- SCALANCE X306-1LD FE (6GK5306-1BF00-2AA3)
- SCALANCE X307-2 EEC (2x 24V) (6GK5307-2FD00-2EA3)
- SCALANCE X307-2 EEC (2x 24V, coated) (6GK5307-2FD00-2GA3)
- SCALANCE X307-2 EEC (2x 230V) (6GK5307-2FD00-4EA3)
- SCALANCE X307-2 EEC (2x 230V, coated) (6GK5307-2FD00-4GA3)
- SCALANCE X307-2 EEC (24V) (6GK5307-2FD00-1EA3)
- SCALANCE X307-2 EEC (24V, coated) (6GK5307-2FD00-1GA3)
- SCALANCE X307-2 EEC (230V) (6GK5307-2FD00-3EA3)
- SCALANCE X307-2 EEC (230V, coated) (6GK5307-2FD00-3GA3)
- SCALANCE X307-3 (6GK5307-3BL00-2AA3)
- SCALANCE X307-3 (6GK5307-3BL10-2AA3)
- SCALANCE X307-3LD (6GK5307-3BM00-2AA3)
- SCALANCE X307-3LD (6GK5307-3BM10-2AA3)
- SCALANCE X308-2 (6GK5308-2FL00-2AA3)
- SCALANCE X308-2 (6GK5308-2FL10-2AA3)
- SCALANCE X308-2LD (6GK5308-2FM00-2AA3)
- SCALANCE X308-2LD (6GK5308-2FM10-2AA3)
- SCALANCE X308-2LH (6GK5308-2FN00-2AA3)
- SCALANCE X308-2LH (6GK5308-2FN10-2AA3)
- SCALANCE X308-2LH+ (6GK5308-2FP00-2AA3)
- SCALANCE X308-2LH+ (6GK5308-2FP10-2AA3)
- SCALANCE X308-2M (6GK5308-2GG00-2AA2)
- SCALANCE X308-2M (6GK5308-2GG10-2AA2)
- SCALANCE X308-2M PoE (6GK5308-2QG00-2AA2)
- SCALANCE X308-2M PoE (6GK5308-2QG10-2AA2)
- SCALANCE X308-2M TS (6GK5308-2GG00-2CA2)
- SCALANCE X308-2M TS (6GK5308-2GG10-2CA2)
- SCALANCE X310 (6GK5310-0FA00-2AA3)
- SCALANCE X310 (6GK5310-0FA10-2AA3)
- SCALANCE X310FE (6GK5310-0BA00-2AA3)
- SCALANCE X310FE (6GK5310-0BA10-2AA3)
- SCALANCE X320-1 FE (6GK5320-1BD00-2AA3)
- SCALANCE X320-1-2LD FE (6GK5320-3BF00-2AA3)
- SCALANCE X408-2 (6GK5408-2FD00-2AA2)
- SCALANCE XR324-4M EEC (2x 24V, ports on front) (6GK5324-4GG00-2ER2)
- SCALANCE XR324-4M EEC (2x 24V, ports on front) (6GK5324-4GG10-2ER2)
- SCALANCE XR324-4M EEC (2x 24V, ports on rear) (6GK5324-4GG00-2JR2)
- SCALANCE XR324-4M EEC (2x 24V, ports on rear) (6GK5324-4GG10-2JR2)
- SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front) (6GK5324-4GG00-4ER2)
- SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front) (6GK5324-4GG10-4ER2)
- SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG00-4JR2)
- SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG10-4JR2)
- SCALANCE XR324-4M EEC (24V, ports on front) (6GK5324-4GG00-1ER2)
- SCALANCE XR324-4M EEC (24V, ports on front) (6GK5324-4GG10-1ER2)
- SCALANCE XR324-4M EEC (24V, ports on rear) (6GK5324-4GG00-1JR2)
- SCALANCE XR324-4M EEC (24V, ports on rear) (6GK5324-4GG10-1JR2)
- SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front) (6GK5324-4GG00-3ER2)
- SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front) (6GK5324-4GG10-3ER2)
- SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG00-3JR2)
- SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear) (6GK5324-4GG10-3JR2)
- SCALANCE XR324-4M PoE (24V, ports on front) (6GK5324-4QG10-1AR2)
- SCALANCE XR324-4M PoE (24V, ports on front) (6GK5324-4QG00-1AR2)
- SCALANCE XR324-4M PoE (24V, ports on rear) (6GK5324-4QG10-1HR2)
- SCALANCE XR324-4M PoE (24V, ports on rear) (6GK5324-4QG00-1HR2)
- SCALANCE XR324-4M PoE (230V, ports on front) (6GK5324-4QG10-3AR2)
- SCALANCE XR324-4M PoE (230V, ports on front) (6GK5324-4QG00-3AR2)
- SCALANCE XR324-4M PoE (230V, ports on rear) (6GK5324-4QG10-3HR2)
- SCALANCE XR324-4M PoE (230V, ports on rear) (6GK5324-4QG00-3HR2)
- SCALANCE XR324-4M PoE TS (24V, ports on front) (6GK5324-4QG10-1CR2)
- SCALANCE XR324-4M PoE TS (24V, ports on front) (6GK5324-4QG00-1CR2)
- SCALANCE XR324-12M (24V, ports on front) (6GK5324-0GG00-1AR2)
- SCALANCE XR324-12M (24V, ports on front) (6GK5324-0GG10-1AR2)
- SCALANCE XR324-12M (24V, ports on rear) (6GK5324-0GG00-1HR2)
- SCALANCE XR324-12M (24V, ports on rear) (6GK5324-0GG10-1HR2)
- SCALANCE XR324-12M (230V, ports on front) (6GK5324-0GG00-3AR2)
- SCALANCE XR324-12M (230V, ports on front) (6GK5324-0GG10-3AR2)
- SCALANCE XR324-12M (230V, ports on rear) (6GK5324-0GG00-3HR2)
- SCALANCE XR324-12M (230V, ports on rear) (6GK5324-0GG10-3HR2)
- SCALANCE XR324-12M TS (24V) (6GK5324-0GG00-1CR2)
- SCALANCE XR324-12M TS (24V) (6GK5324-0GG10-1CR2)
- SIPLUS NET SCALANCE X308-2 (6AG1308-2FL10-4AA3)

Users of the following products should update to v4.1 or later:

- SCALANCE XB205-3 (SC) (6GK5205-3BD00-2AB2)
- SCALANCE XB205-3 (SC) (6GK5205-3BD00-2TB2)
- SCALANCE XB205-3 (ST/BFOC) (6GK5205-3BB00-2AB2)
- SCALANCE XB205-3 (ST/BFOC) (6GK5205-3BB00-2TB2)
- SCALANCE XB205-3LD (6GK5205-3BF00-2AB2)
- SCALANCE XB205-3LD (6GK5205-3BF00-2TB2)
- SCALANCE XB208 (6GK5208-0BA00-2AB2)
- SCALANCE XB208 (6GK5208-0BA00-2TB2)
- SCALANCE XB213-3 (SC) (6GK5213-3BD00-2AB2)
- SCALANCE XB213-3 (SC) (6GK5213-3BD00-2TB2)
- SCALANCE XB213-3 (ST/BFOC) (6GK5213-3BB00-2AB2)
- SCALANCE XB213-3 (ST/BFOC) (6GK5213-3BB00-2TB2)
- SCALANCE XB213-3LD (6GK5213-3BF00-2AB2)
- SCALANCE XB213-3LD (6GK5213-3BF00-2TB2)
- SCALANCE XB216 (6GK5216-0BA00-2AB2)
- SCALANCE XB216 (6GK5216-0BA00-2TB2)
- SCALANCE XC206-2 (SC) (6GK5206-2BD00-2AC2)
- SCALANCE XC206-2 (ST/BFOC) (6GK5206-2BB00-2AC2)
- SCALANCE XC206-2SFP (6GK5206-2BS00-2AC2)
- SCALANCE XC206-2SFP EEC (6GK5206-2BS00-2FC2)
- SCALANCE XC206-2SFP G (6GK5206-2GS00-2AC2)
- SCALANCE XC206-2SFP G (6GK5206-2GS00-2TC2)
- SCALANCE XC206-2SFP G EEC (6GK5206-2GS00-2FC2)
- SCALANCE XC208 (6GK5208-0BA00-2AC2)
- SCALANCE XC208EEC (6GK5208-0BA00-2FC2)
- SCALANCE XC208G (6GK5208-0GA00-2AC2)
- SCALANCE XC208G (6GK5208-0GA00-2TC2)
- SCALANCE XC208G EEC (6GK5208-0GA00-2FC2)
- SCALANCE XC216 (6GK5216-0BA00-2AC2)
- SCALANCE XC216-4C (6GK5216-4BS00-2AC2)
- SCALANCE XC216-4C G (6GK5216-4GS00-2AC2)
- SCALANCE XC216-4C G (EIP Def.) (6GK5216-4GS00-2TC2)
- SCALANCE XC216-4C G EEC (6GK5216-4GS00-2FC2)
- SCALANCE XC216EEC (6GK5216-0BA00-2FC2)
- SCALANCE XC224 (6GK5224-0BA00-2AC2)
- SCALANCE XC224-4C G (6GK5224-4GS00-2AC2)
- SCALANCE XC224-4C G (EIP Def.) (6GK5224-4GS00-2TC2)
- SCALANCE XC224-4C G EEC (6GK5224-4GS00-2FC2)
- SCALANCE XF204 (6GK5204-0BA00-2GF2)
- SCALANCE XF204 DNA (6GK5204-0BA00-2YF2)
- SCALANCE XF204-2BA (6GK5204-2AA00-2GF2)
- SCALANCE XF204-2BA DNA (6GK5204-2AA00-2YF2)
- SCALANCE XP208 (6GK5208-0HA00-2AS6)
- SCALANCE XP208 (6GK5208-0HA00-2TS6)
- SCALANCE XP208EEC (6GK5208-0HA00-2ES6)
- SCALANCE XP208PoE EEC (6GK5208-0UA00-5ES6)
- SCALANCE XP216 (6GK5216-0HA00-2AS6)
- SCALANCE XP216 (6GK5216-0HA00-2TS6)
- SCALANCE XP216EEC (6GK5216-0HA00-2ES6)
- SCALANCE XP216POE EEC (6GK5216-0UA00-5ES6)
- SCALANCE XR324WG (24 x FE, AC 230V) (6GK5324-0BA00-3AR3)
- SCALANCE XR324WG (24 X FE, DC 24V) (6GK5324-0BA00-2AR3)
- SCALANCE XR328-4C WG (24xFE,4xGE,AC230V) (6GK5328-4FS00-3AR3)
- SCALANCE XR328-4C WG (24xFE,4xGE,AC230V) (6GK5328-4FS00-3RR3)
- SCALANCE XR328-4C WG (24XFE, 4XGE, 24V) (6GK5328-4FS00-2AR3)
- SCALANCE XR328-4C WG (24xFE, 4xGE,DC24V) (6GK5328-4FS00-2RR3)
- SCALANCE XR328-4C WG (28xGE, AC 230V) (6GK5328-4SS00-3AR3)
- SCALANCE XR328-4C WG (28xGE, DC 24V) (6GK5328-4SS00-2AR3)
- SIPLUS NET SCALANCE XC206-2 (6AG1206-2BB00-7AC2)
- SIPLUS NET SCALANCE XC206-2SFP (6AG1206-2BS00-7AC2)
- SIPLUS NET SCALANCE XC208 (6AG1208-0BA00-7AC2)
- SIPLUS NET SCALANCE XC216-4C (6AG1216-4BS00-7AC2)

Siemens has identified the following specific workarounds and mitigations users can implement to reduce the risk:

- Make sure that no devices that transmit data back into the mirroring network are operated within the mirrored network.

As a general security measure, Siemens strongly recommends users protect network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends users configure the environment according to Siemens’ operational guidelines for Industrial Security, and follow the recommendations in the product manuals.

Additional information on industrial security by Siemens is available at: https://www.siemens.com/industrialsecurity

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact Siemens.

For more information on this vulnerability and more detailed mitigation instructions, please see Siemens Security Advisory SSA-557804.

See Also

https://cert-portal.siemens.com/productcert/pdf/ssa-557804.pdf

https://www.cisa.gov/news-events/ics-advisories/icsa-19-085-01

Plugin Details

Severity: Critical

ID: 501032

Version: 1.4

Type: remote

Family: Tenable.ot

Published: 4/11/2023

Updated: 3/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 4.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS Score Source: CVE-2019-6569

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:siemens:scalance_x-200_series_firmware, cpe:/o:siemens:scalance_x-300_series_firmware, cpe:/o:siemens:scalance_xc-200_series_firmware, cpe:/o:siemens:scalance_xf-200_series_firmware, cpe:/o:siemens:scalance_xp-200_series_firmware

Required KB Items: Tenable.ot/Siemens

Exploit Ease: No known exploits are available

Patch Publication Date: 3/26/2019

Vulnerability Publication Date: 3/26/2019

Reference Information

CVE: CVE-2019-6569

CWE: 440