CVE-2022-26380
📋 TL;DR
This vulnerability affects Siemens SCALANCE industrial network switches. An attacker who can reach a switch's SNMP agent can send specially crafted SNMP requests that the device does not validate properly (improper validation of SNMP keys) and force it to reboot. On a plant floor that is a denial of service not just of the switch but of every controller and I/O device connected through it, so organizations running the affected SCALANCE models in industrial control systems are at risk.
💻 Affected Systems
- SCALANCE X302-7 EEC
- SCALANCE X304-2FE
- SCALANCE X306-1LD FE
- SCALANCE X307-2 EEC
- SCALANCE X307-3
- SCALANCE X307-3LD
- SCALANCE X308-2
- SCALANCE X308-2LD
- SCALANCE X308-2LH
- SCALANCE X308-2LH+
- SCALANCE X308-2M
- SCALANCE X308-2M PoE
- SCALANCE X308-2M TS
- SCALANCE X310
- SCALANCE X310FE
- SCALANCE X320-1 FE
- SCALANCE X320-1-2LD FE
- SCALANCE X408-2
- SCALANCE XR324-12M
- SCALANCE XR324-12M TS
- SCALANCE XR324-4M EEC
- SCALANCE XR324-4M PoE
- SIPLUS NET SCALANCE X308-2
📦 What is this software?
Managed industrial Ethernet switches from the Siemens SCALANCE X-300 and X-400 families (including the XR-300 rack-mount variants and the SIPLUS NET version of the X308-2), deployed in PROFINET and Industrial Ethernet plant networks. The vulnerable component is the switch's SNMP agent, one of its management interfaces alongside the web interface and CLI. The product string "Scalance Xr324 4m Poe Ts Firmware" that vulnerability databases attach to this CVE is only one catalogue entry; the full affected list is above.
🎯 Exploit Status
Exploitation requires the ability to reach the switch's SNMP agent on UDP port 161. If the agent is configured with default or weak community strings, no further authentication stands in the way; on a flat cell network that means any host in the same segment can trigger the reboot.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V4.1 or later (confirm the exact fixed release for your model in the vendor advisory below)
Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-836527.pdf
Restart Required: Yes
Instructions:
1. Download firmware V4.1 or later from Siemens Industrial Network Support
2. Backup current configuration
3. Upload new firmware via web interface or TFTP
4. Reboot device after firmware update
5. Restore configuration if needed
🔧 Temporary Workarounds
Disable SNMP
Completely disable the SNMP agent on affected devices if it is not required for monitoring. The setting lives in the device's SNMP configuration in the web interface; consult the Configuration Manual for your firmware generation for the exact menu path and the equivalent CLI command, since these differ between SCALANCE product lines.
Restrict SNMP Access
If SNMP is needed, limit access to trusted management stations. Enforce this on the router or firewall in front of the cell rather than on the switch itself: the affected SCALANCE models are industrial Ethernet switches, not firewalls. Permit UDP port 161 to the switch management addresses only from the network management system and drop it from every other source.
🧯 If You Can't Patch
- Segment affected switches in isolated network zones with strict firewall rules blocking SNMP from untrusted networks.
- Implement network monitoring to detect anomalous SNMP traffic patterns and potential exploitation attempts.
🔍 How to Verify
Check if Vulnerable:
Check the firmware version via the web interface (System > Device Information) or CLI (show version). Any listed model running firmware below V4.1 carries the bug; if its SNMP agent is also enabled, it is exploitable from the network. A device with SNMP disabled is still unpatched and should stay on the upgrade list.
Check Version:
show version
Verify Fix Applied:
Confirm the reported firmware version is V4.1 or higher, then confirm that legitimate SNMP polling from the monitoring system still succeeds after the upgrade and that the restored configuration left SNMP enabled only where it is actually needed.
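The version check above is easy to do for one switch and tedious for a fleet. The following script is an added example, not Siemens tooling or code from this page: it applies the page's rule (listed model, firmware below V4.1, SNMP enabled) to an inventory export. The CSV layout, the hostnames and the version strings are constructed for the example; the only inputs it really needs are the model name and the "show version"-style string from each device.

```python
"""Fleet check for CVE-2022-26380 as described on this page: flag SCALANCE
switches that are in the affected list, run firmware below V4.1 and still have
SNMP enabled. Added example; the inventory format is an assumption."""
import csv
import io
import re
from typing import Dict, Optional, Tuple

# Affected models as listed on this page, upper-cased with single spaces.
AFFECTED_MODELS = {
    "SCALANCE X302-7 EEC", "SCALANCE X304-2FE", "SCALANCE X306-1LD FE",
    "SCALANCE X307-2 EEC", "SCALANCE X307-3", "SCALANCE X307-3LD",
    "SCALANCE X308-2", "SCALANCE X308-2LD", "SCALANCE X308-2LH",
    "SCALANCE X308-2LH+", "SCALANCE X308-2M", "SCALANCE X308-2M POE",
    "SCALANCE X308-2M TS", "SCALANCE X310", "SCALANCE X310FE",
    "SCALANCE X320-1 FE", "SCALANCE X320-1-2LD FE", "SCALANCE X408-2",
    "SCALANCE XR324-12M", "SCALANCE XR324-12M TS", "SCALANCE XR324-4M EEC",
    "SCALANCE XR324-4M POE", "SIPLUS NET SCALANCE X308-2",
}
# Fixed release per this page ("V4.1 or later"); confirm the exact release
# against the Siemens advisory before relying on it.
FIXED_VERSION = (4, 1)

# Require the 'V' prefix so digits in a model name (X308-2) are never taken
# as a version; accepts V4.1, V4.0.3, V04.01.04 and "V 4.1".
_VERSION_RE = re.compile(r"\bV\s*(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)


def parse_version(text: str) -> Optional[Tuple[int, ...]]:
    """Return the firmware version in a 'show version'-style string as an int
    tuple, or None when no version is present."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    return tuple(int(g) for g in m.groups() if g is not None)


def normalise_model(model: str) -> str:
    return re.sub(r"\s+", " ", model.strip()).upper()


def assess(model: str, firmware: str, snmp_enabled: bool) -> str:
    """Classify one switch. Unpatched devices with SNMP disabled are still
    reported separately: the workaround removes the exposure, not the bug."""
    if normalise_model(model) not in AFFECTED_MODELS:
        return "not_affected"
    version = parse_version(firmware)
    if version is None:
        return "unknown_version"
    if version >= FIXED_VERSION:
        return "patched"
    return "vulnerable" if snmp_enabled else "unpatched_snmp_disabled"


def check_inventory(csv_text: str) -> Dict[str, str]:
    """Assess every row of a CSV with columns hostname,model,firmware,snmp_enabled."""
    results = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        snmp_on = row["snmp_enabled"].strip().lower() in {"yes", "true", "1", "enabled"}
        results[row["hostname"]] = assess(row["model"], row["firmware"], snmp_on)
    return results


# Constructed inventory; hostnames, models not on the list and versions are made up.
SAMPLE_INVENTORY = """\
hostname,model,firmware,snmp_enabled
sw-cell1,SCALANCE X308-2,SCALANCE X308-2 Firmware V4.0.3,yes
sw-cell2,SCALANCE XR324-12M,V04.01.04,yes
sw-cell3,SCALANCE X308-2M PoE,V3.10.2,no
sw-core1,SCALANCE XR528-6M,V6.4,yes
sw-cell4,SIPLUS NET SCALANCE X308-2,version not collected,yes
"""

if __name__ == "__main__":
    for host, status in check_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:10} {status}")
```

Version strings are compared as integer tuples, so V3.10.2 correctly sorts below V4.1 and a zero-padded V04.01.04 is read as 4.1.4. A row whose version cannot be parsed is reported as unknown rather than silently treated as safe.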
📡 Detection & Monitoring
Log Indicators:
- A burst of SNMP requests from a single source shortly before a switch restart (SNMP coldStart trap or restart entry in the device log)
- SNMP authentication failures (authenticationFailure traps or log entries, where the agent is configured to emit them) from a host that is not a known management station
Network Indicators:
- UDP traffic to port 161 on switch management addresses from any source other than the network management system
- Repeated SNMP requests from one host carrying community strings or SNMPv3 credentials the switches do not use
SIEM Query:
Pseudo-query (adapt field names to your SIEM): correlate UDP traffic to port 161 on a switch management address from any host other than the monitoring system with a reboot event from that same switch in the following 5 minutes. Note the direction: requests go to destination port 161; matching on source port 161 would only catch the switch's replies.
dst_port:161 AND proto:udp AND NOT src_ip:<management-station> FOLLOWED BY (snmp_trap:coldStart OR event_type:reboot) FROM SAME device WITHIN 5 MINUTES
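The same correlation as working code, added here as an example that is not part of the original page: it reads flow-log lines for UDP/161 traffic and switch-side reboot events, and for every reboot reports which untrusted hosts were sending SNMP to that switch in the preceding five minutes, with a request count per source so a burst stands out from a single stray packet. The log formats, addresses and the trusted poller list are constructed for the example, not the output of any particular firewall, switch or SIEM.

```python
"""Correlate SNMP traffic towards a switch with a reboot of that switch shortly
afterwards, the pattern this page's detection section describes. Added example
over constructed log lines; the line formats and addresses are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

WINDOW = timedelta(minutes=5)
TRUSTED_NMS = {"10.1.1.5"}   # hosts allowed to poll SNMP (assumed)

# Constructed flow-log format: only UDP traffic to port 161 is of interest.
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) flow proto=udp src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=161\b")
# Constructed switch-side format: an SNMP coldStart trap or a restart syslog line.
REBOOT_RE = re.compile(
    r"^(?P<ts>\S+) (?:trap|syslog) device=(?P<dev>[\d.]+) .*\b(?:coldStart|restart)\b")


def correlate(lines: Iterable[str], trusted=TRUSTED_NMS, window=WINDOW) -> List[Dict]:
    """Return one alert per reboot that was preceded, within `window`, by SNMP
    requests from hosts outside `trusted`; each alert counts requests per source."""
    snmp_by_target: Dict[str, list] = defaultdict(list)   # switch ip -> [(ts, src)]
    reboots = []
    for line in lines:
        if (m := FLOW_RE.match(line)):
            snmp_by_target[m["dst"]].append((datetime.fromisoformat(m["ts"]), m["src"]))
        elif (m := REBOOT_RE.match(line)):
            reboots.append((datetime.fromisoformat(m["ts"]), m["dev"]))
    alerts = []
    for when, device in reboots:
        sources: Dict[str, int] = defaultdict(int)
        for ts, src in snmp_by_target.get(device, []):
            if src not in trusted and when - window <= ts <= when:
                sources[src] += 1
        if sources:
            alerts.append({"device": device, "reboot_at": when.isoformat(),
                           "sources": dict(sources)})
    return alerts


# Constructed sample: the NMS polls 10.1.1.20, an unknown host 10.1.5.77 sends
# a burst to UDP/161, the switch cold-starts a minute later. The second switch
# restarts with no untrusted SNMP inside the window, so it produces no alert.
SAMPLE_LOG = """\
2024-03-04T10:05:00 flow proto=udp src=10.1.1.5 dst=10.1.1.20 dport=161
2024-03-04T10:09:10 flow proto=udp src=10.1.5.77 dst=10.1.1.20 dport=161
2024-03-04T10:09:11 flow proto=udp src=10.1.5.77 dst=10.1.1.20 dport=161
2024-03-04T10:09:12 flow proto=udp src=10.1.5.77 dst=10.1.1.20 dport=161
2024-03-04T10:09:15 flow proto=udp src=10.1.5.77 dst=10.1.1.20 dport=162
2024-03-04T10:10:30 trap device=10.1.1.20 snmpTrapOID=coldStart
2024-03-04T09:50:00 flow proto=udp src=10.1.5.99 dst=10.1.1.21 dport=161
2024-03-04T10:30:00 flow proto=udp src=10.1.1.5 dst=10.1.1.21 dport=161
2024-03-04T10:40:00 syslog device=10.1.1.21 msg="system restart"
"""

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Lines are bucketed by target switch first and only then matched against reboots, so the order of the input does not matter and traffic to the trap port (162) or to unrelated devices never contributes to an alert. In production, feed it the NMS address list as `trusted` and widen `window` if the switches take longer than five minutes to come back and emit their coldStart trap.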