CVE-2020-15800

Q: How do I fix CVE-2020-15800?

1. Download firmware update from Siemens support portal. 2. Backup current configuration. 3. Upload and apply firmware update via web interface or management tools. 4. Reboot device to complete installation. 5. Verify firmware version after reboot.

Q: What is the severity of CVE-2020-15800?

CVE-2020-15800 has a CVSS score of 9.8 (CRITICAL). A heap overflow vulnerability in the webserver of Siemens SCALANCE X-200 and X-300 industrial switches allows remote attackers to crash the webserver by sending specially crafted requests. This affects all versions before specified patches. The vulnerability could disrupt network management interfaces on these industrial networking devices.

9.8 CRITICAL

Denial of Service

📋 TL;DR

A heap overflow vulnerability in the webserver of Siemens SCALANCE X-200 and X-300 industrial switches allows remote attackers to crash the webserver by sending specially crafted requests. This affects all versions before specified patches. The vulnerability could disrupt network management interfaces on these industrial networking devices.

💻 Affected Systems

Products:

SCALANCE X-200 switch family (incl. SIPLUS NET variants)
SCALANCE X-200IRT switch family (incl. SIPLUS NET variants)
SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants)

Versions: All versions < V5.2.5 for X-200, < V5.5.0 for X-200IRT, < V4.1.0 for X-300

Operating Systems: Embedded firmware

Default Config Vulnerable: ⚠️ Yes

Notes: All affected devices with webserver enabled are vulnerable by default. The webserver is typically enabled for management.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete denial of service of the webserver management interface, potentially requiring physical access to restart the device if the webserver fails to recover automatically.

🟠

Likely Case

Temporary disruption of the web-based management interface, requiring the webserver to restart and potentially causing brief management access loss.

🟢

If Mitigated

Minimal impact if devices are patched or isolated from untrusted networks, with only authorized management traffic allowed.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability requires no authentication and involves sending crafted HTTP requests to the webserver, making exploitation relatively straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V5.2.5 for X-200, V5.5.0 for X-200IRT, V4.1.0 for X-300

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-139628.pdf

Restart Required: Yes

Instructions:

1. Download firmware update from Siemens support portal. 2. Backup current configuration. 3. Upload and apply firmware update via web interface or management tools. 4. Reboot device to complete installation. 5. Verify firmware version after reboot.

🔧 Temporary Workarounds

Disable webserver

all

Disable the vulnerable webserver component if web management is not required

Configure via CLI or management interface to disable HTTP/HTTPS services

Network segmentation

all

Restrict access to switch management interfaces to trusted networks only

Configure firewall rules to allow management access only from specific IP ranges

🧯 If You Can't Patch

Isolate affected switches from untrusted networks using VLANs or physical segmentation
Implement strict network access controls to limit who can reach the management interfaces

🔍 How to Verify

Check if Vulnerable:

Check firmware version via web interface or CLI. If version is below patched versions listed above, device is vulnerable.

Check Version:

Via web interface: System Information page. Via CLI: 'show version' or similar command

Verify Fix Applied:

Confirm firmware version matches or exceeds patched versions: V5.2.5+ for X-200, V5.5.0+ for X-200IRT, V4.1.0+ for X-300

📡 Detection & Monitoring

Log Indicators:

Webserver crash/restart events
Unusual HTTP request patterns to management interface
Multiple connection attempts to webserver

Network Indicators:

Unusual HTTP traffic to switch management ports (typically 80/443)
Crafted HTTP requests with abnormal patterns

SIEM Query:

source_ip="switch_management_ip" AND (http_request CONTAINS "malformed" OR http_status="500")

📊 Metadata

CVE ID: CVE-2020-15800

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-122

Published: January 12, 2021

Last Updated: November 21, 2024

🔗 References

https://cert-portal.siemens.com/productcert/pdf/ssa-139628.pdf Vendor Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-139628.pdf Vendor Advisory

📋 TL;DR

💻 Affected Systems

📦 What is this software?

Scalance X200 4pirt Firmware by Siemens

Scalance X201 3pirt Firmware by Siemens

Scalance X202 2irt Firmware by Siemens

Scalance X202 2pirt Firmware by Siemens

Scalance X202 2pirt Siplus Net Firmware by Siemens

Scalance X204irt Firmware by Siemens

Scalance X307 3 Firmware by Siemens

Scalance X307 3ld Firmware by Siemens

Scalance X308 2 Firmware by Siemens

Scalance X308 2ld Firmware by Siemens

Scalance X308 2lh Firmware by Siemens

Scalance X308 2lh Firmware by Siemens

Scalance X308 2m Firmware by Siemens

Scalance X308 2m Ts Firmware by Siemens

Scalance X310 Firmware by Siemens

Scalance X310fe Firmware by Siemens

Scalance X320 1fe Firmware by Siemens

Scalance X320 3ldfe Firmware by Siemens

Scalance Xb205 3 Firmware by Siemens

Scalance Xb205 3ld Firmware by Siemens

Scalance Xb208 Firmware by Siemens

Scalance Xb213 3 Firmware by Siemens

Scalance Xb213 3ld Firmware by Siemens

Scalance Xb216 Firmware by Siemens

Scalance Xc206 2 Firmware by Siemens

Scalance Xc206 2g Poe Eec Firmware by Siemens

Scalance Xc206 2g Poe Firmware by Siemens

Scalance Xc206 2sfp Eec Firmware by Siemens

Scalance Xc206 2sfp Firmware by Siemens

Scalance Xc206 2sfp G \(e\/ip\) Firmware by Siemens

Scalance Xc206 2sfp G Eec Firmware by Siemens

Scalance Xc206 2sfp G Firmware by Siemens

Scalance Xc208 Firmware by Siemens

Scalance Xc208eec Firmware by Siemens

Scalance Xc208g \(e\/ip\) Firmware by Siemens

Scalance Xc208g Eec Firmware by Siemens

Scalance Xc208g Firmware by Siemens

Scalance Xc208g Poe Firmware by Siemens

Scalance Xc216 4c Firmware by Siemens

Scalance Xc216 4c G \(e\/ip\) Firmware by Siemens

Scalance Xc216 4c G Eec Firmware by Siemens

Scalance Xc216 4c G Firmware by Siemens

Scalance Xc216 Firmware by Siemens

Scalance Xc216eec Firmware by Siemens

Scalance Xc224 4c G \(e\/ip\) Firmware by Siemens

Scalance Xc224 4c G Eec Firmware by Siemens

Scalance Xc224 4c G Firmware by Siemens

Scalance Xc224 Firmware by Siemens

Scalance Xf201 3p Irt Firmware by Siemens

Scalance Xf202 2p Irt Firmware by Siemens

Scalance Xf204 2 Firmware by Siemens

Scalance Xf204 2ba Dna Firmware by Siemens

Scalance Xf204 2ba Irt Firmware by Siemens

Scalance Xf204 Dna Firmware by Siemens

Scalance Xf204 Firmware by Siemens

Scalance Xf204irt Firmware by Siemens

Scalance Xf206 1 Firmware by Siemens

Scalance Xf208 Firmware by Siemens

Scalance Xp208 \(eip\) Firmware by Siemens

Scalance Xp208 Firmware by Siemens

Scalance Xp208eec Firmware by Siemens

Scalance Xp208poe Eec Firmware by Siemens

Scalance Xp216 \(eip\) Firmware by Siemens

Scalance Xp216 Firmware by Siemens

Scalance Xp216eec Firmware by Siemens

Scalance Xp216poe Eec Firmware by Siemens