Siemens SCALANCE X Switches (Update A) (ICSA-18-163-02) – Products Used in the Water and Wastewater and Energy Sectors

January 14, 2020

CISA has updated this advisory with additional information on the affected products and mitigating measures. Read the advisory at CISA.

June 14, 2018

The NCCIC has released an advisory on a cross-site scripting vulnerability in Siemens SCALANCE X Switches. The following versions of products are affected: for SCALANCE X-200, all versions prior to v5.2.3; for SCALANCE X-200 IRT, all versions prior to 5.4.1; for SCALANCE X300, all versions. Successful exploitation of these vulnerabilities could allow an attacker to store script code on the website and execute cross-site scripting (XSS), affecting the website’s confidentiality, integrity, and availability. However, no known public exploits specifically target these vulnerabilities, and high skill level would be needed to exploit them. Siemens has provided updates for SCALANCE X-200 and X-200 IRT to fix the vulnerabilities. As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. The NCCIC also recommends a series of defensive measures to minimize the risk of exploitation of these vulnerabilities. NCCIC/ICS-CERT.