Siemens SCALANCE and SIMATIC (CVE-2019-19301)

high Tenable OT Security Plugin ID 501048

Synopsis

The remote OT asset is affected by a vulnerability.

Description

A vulnerability has been identified in SCALANCE X200-4P IRT, SCALANCE X201-3P IRT, SCALANCE X201-3P IRT PRO, SCALANCE X202-2IRT, SCALANCE X202-2P IRT, SCALANCE X202-2P IRT PRO, SCALANCE X204-2, SCALANCE X204-2FM, SCALANCE X204-2LD, SCALANCE X204-2LD TS, SCALANCE X204-2TS, SCALANCE X204IRT, SCALANCE X204IRT PRO, SCALANCE X206-1, SCALANCE X206-1LD, SCALANCE X208, SCALANCE X208PRO, SCALANCE X212-2, SCALANCE X212-2LD, SCALANCE X216, SCALANCE X224, SCALANCE X302-7 EEC (230V, coated), SCALANCE X302-7 EEC (230V), SCALANCE X302-7 EEC (24V, coated), SCALANCE X302-7 EEC (24V), SCALANCE X302-7 EEC (2x 230V, coated), SCALANCE X302-7 EEC (2x 230V), SCALANCE X302-7 EEC (2x 24V, coated), SCALANCE X302-7 EEC (2x 24V), SCALANCE X304-2FE, SCALANCE X306-1LD FE, SCALANCE X307-2 EEC (230V, coated), SCALANCE X307-2 EEC (230V), SCALANCE X307-2 EEC (24V, coated), SCALANCE X307-2 EEC (24V), SCALANCE X307-2 EEC (2x 230V, coated), SCALANCE X307-2 EEC (2x 230V), SCALANCE X307-2 EEC (2x 24V, coated), SCALANCE X307-2 EEC (2x 24V), SCALANCE X307-3, SCALANCE X307-3, SCALANCE X307-3LD, SCALANCE X307-3LD, SCALANCE X308-2, SCALANCE X308-2, SCALANCE X308-2LD, SCALANCE X308-2LD, SCALANCE X308-2LH, SCALANCE X308-2LH, SCALANCE X308-2LH+, SCALANCE X308-2LH+, SCALANCE X308-2M, SCALANCE X308-2M, SCALANCE X308-2M PoE, SCALANCE X308-2M PoE, SCALANCE X308-2M TS, SCALANCE X308-2M TS, SCALANCE X310, SCALANCE X310, SCALANCE X310FE, SCALANCE X310FE, SCALANCE X320-1 FE, SCALANCE X320-1-2LD FE, SCALANCE X408-2, SCALANCE XF201-3P IRT, SCALANCE XF202-2P IRT, SCALANCE XF204, SCALANCE XF204-2, SCALANCE XF204-2BA IRT, SCALANCE XF204IRT, SCALANCE XF206-1, SCALANCE XF208, SCALANCE XR324-12M (230V, ports on front), SCALANCE XR324-12M (230V, ports on front), SCALANCE XR324-12M (230V, ports on rear), SCALANCE XR324-12M (230V, ports on rear), SCALANCE XR324-12M (24V, ports on front), SCALANCE XR324-12M (24V, ports on front), SCALANCE XR324-12M (24V, ports on rear), SCALANCE XR324-12M (24V, ports on rear), SCALANCE XR324-12M TS (24V), SCALANCE XR324-12M TS (24V), SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front), SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on front), SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear), SCALANCE XR324-4M EEC (100-240VAC/60-250VDC, ports on rear), SCALANCE XR324-4M EEC (24V, ports on front), SCALANCE XR324-4M EEC (24V, ports on front), SCALANCE XR324-4M EEC (24V, ports on rear), SCALANCE XR324-4M EEC (24V, ports on rear), SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front), SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on front), SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear), SCALANCE XR324-4M EEC (2x 100-240VAC/60-250VDC, ports on rear), SCALANCE XR324-4M EEC (2x 24V, ports on front), SCALANCE XR324-4M EEC (2x 24V, ports on front), SCALANCE XR324-4M EEC (2x 24V, ports on rear), SCALANCE XR324-4M EEC (2x 24V, ports on rear), SCALANCE XR324-4M PoE (230V, ports on front), SCALANCE XR324-4M PoE (230V, ports on rear), SCALANCE XR324-4M PoE (24V, ports on front), SCALANCE XR324-4M PoE (24V, ports on rear), SCALANCE XR324-4M PoE TS (24V, ports on front), SIMATIC CP 343-1 Advanced, SIMATIC CP 442-1 RNA, SIMATIC CP 443-1, SIMATIC CP 443-1, SIMATIC CP 443-1 Advanced, SIMATIC CP 443-1 RNA, SIMATIC RF180C, SIMATIC RF182C, SIPLUS NET CP 343-1 Advanced, SIPLUS NET CP 443-1, SIPLUS NET CP 443-1 Advanced, SIPLUS NET SCALANCE X308-2. The VxWorks- based Profinet TCP Stack can be forced to make very expensive calls for every incoming packet which can lead to a denial of service.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk:

- SCALANCE X-200IRT and XF200 switch families: Update to v5.5.0 or later version
- SCALANCE X-200 and XF200 switch families: Update to v5.2.5 or later version
- SCALANCE X300 and XR300 switch families: Update to v4.1.4 or later version
- For SIMATIC RF180C and RF182C: migrate to a successor product within the SIMATIC RF18xC/CI family v1.3 or later version. For details refer to the phase-out announcement.
- For SIMATIC CP 443-1 RNA: Update to v1.5.18 or later version
- For SIMATIC CP 442-1 RNA: Update to v1.5.18 or later version

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for industrial security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens industrial security webpage.

For further inquiries on security vulnerabilities in Siemens products and solutions, please contact Siemens.

For more information on this vulnerability and the available mitigations, please see Siemens security advisory SSA-102233

See Also

https://cert-portal.siemens.com/productcert/pdf/ssa-102233.pdf

https://www.cisa.gov/news-events/ics-advisories/icsa-20-105-07

Plugin Details

Severity: High

ID: 501048

Version: 1.4

Type: remote

Family: Tenable.ot

Published: 4/11/2023

Updated: 11/6/2023

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2019-19301

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:siemens:scalance_x200-4p_irt_firmware, cpe:/o:siemens:scalance_x201-3p_irt_firmware, cpe:/o:siemens:scalance_x201-3p_irt_pro_firmware, cpe:/o:siemens:scalance_x202-2irt_firmware, cpe:/o:siemens:scalance_x202-2p_irt_firmware, cpe:/o:siemens:scalance_x202-2p_irt_pro_firmware, cpe:/o:siemens:scalance_x204-2_firmware, cpe:/o:siemens:scalance_x204-2fm_firmware, cpe:/o:siemens:scalance_x204-2ld_firmware, cpe:/o:siemens:scalance_x204-2ld_ts_firmware, cpe:/o:siemens:scalance_x204-2ts_firmware, cpe:/o:siemens:scalance_x204irt_firmware, cpe:/o:siemens:scalance_x204irt_pro_firmware, cpe:/o:siemens:scalance_x206-1_firmware, cpe:/o:siemens:scalance_x206-1ld_firmware, cpe:/o:siemens:scalance_x208_firmware, cpe:/o:siemens:scalance_x208pro_firmware, cpe:/o:siemens:scalance_x212-2_firmware, cpe:/o:siemens:scalance_x212-2ld_firmware, cpe:/o:siemens:scalance_x216_firmware, cpe:/o:siemens:scalance_x224_firmware, cpe:/o:siemens:scalance_x302-7_eec_firmware, cpe:/o:siemens:scalance_x304-2fe_firmware, cpe:/o:siemens:scalance_x306-1ld_fe_firmware, cpe:/o:siemens:scalance_x307-2_eec_firmware, cpe:/o:siemens:scalance_x307-3_firmware, cpe:/o:siemens:scalance_x307-3ld_firmware, cpe:/o:siemens:scalance_x308-2_firmware, cpe:/o:siemens:scalance_x308-2ld_firmware, cpe:/o:siemens:scalance_x308-2lh_firmware, cpe:/o:siemens:scalance_x308-2lh%2b_firmware, cpe:/o:siemens:scalance_x308-2m_firmware, cpe:/o:siemens:scalance_x308-2m_poe_firmware, cpe:/o:siemens:scalance_x308-2m_ts_firmware, cpe:/o:siemens:scalance_x310_firmware, cpe:/o:siemens:scalance_x310fe_firmware, cpe:/o:siemens:scalance_x320-1_fe_firmware, cpe:/o:siemens:scalance_x320-1-2ld_fe_firmware, cpe:/o:siemens:scalance_x408-2_firmware, cpe:/o:siemens:scalance_xf201-3p_irt_firmware, cpe:/o:siemens:scalance_xf202-2p_irt_firmware, cpe:/o:siemens:scalance_xf204_firmware, cpe:/o:siemens:scalance_xf204-2_firmware, cpe:/o:siemens:scalance_xf204-2ba_irt_firmware, cpe:/o:siemens:scalance_xf204irt_firmware, cpe:/o:siemens:scalance_xf206-1_firmware, cpe:/o:siemens:scalance_xf208_firmware, cpe:/o:siemens:scalance_xr324-12m_firmware, cpe:/o:siemens:scalance_xr324-12m_ts_firmware, cpe:/o:siemens:scalance_xr324-4m_eec_firmware, cpe:/o:siemens:scalance_xr324-4m_poe_firmware, cpe:/o:siemens:scalance_xr324-4m_poe_ts_firmware, cpe:/o:siemens:simatic_cp_443-1_advanced_firmware, cpe:/o:siemens:simatic_cp_443-1_firmware

Required KB Items: Tenable.ot/Siemens

Exploit Ease: No known exploits are available

Patch Publication Date: 4/14/2020

Vulnerability Publication Date: 4/14/2020

Reference Information

CVE: CVE-2019-19301

CWE: 400