CVE-2022-26649
📋 TL;DR
This vulnerability affects multiple Siemens SCALANCE industrial network switches. An unauthenticated remote attacker can send specially crafted HTTP GET requests to crash affected devices, causing denial of service. All listed SCALANCE X200, X201, X202, X204, X206, X208, X212, X216, X224, XF201, XF202, XF204, XF206, and XF208 devices with firmware versions below specified thresholds are vulnerable.
💻 Affected Systems
- SCALANCE X200-4P IRT
- SCALANCE X201-3P IRT
- SCALANCE X201-3P IRT PRO
- SCALANCE X202-2IRT
- SCALANCE X202-2P IRT
- SCALANCE X202-2P IRT PRO
- SCALANCE X204-2
- SCALANCE X204-2FM
- SCALANCE X204-2LD
- SCALANCE X204-2LD TS
- SCALANCE X204-2TS
- SCALANCE X204IRT
- SCALANCE X204IRT PRO
- SCALANCE X206-1
- SCALANCE X206-1LD
- SCALANCE X208
- SCALANCE X208PRO
- SCALANCE X212-2
- SCALANCE X212-2LD
- SCALANCE X216
- SCALANCE X224
- SCALANCE XF201-3P IRT
- SCALANCE XF202-2P IRT
- SCALANCE XF204
- SCALANCE XF204-2
- SCALANCE XF204-2BA IRT
- SCALANCE XF204IRT
- SCALANCE XF206-1
- SCALANCE XF208
📦 What is this software?
Scalance X201 3p Irt Pro Firmware by Siemens
Scalance X202 2p Irt Pro Firmware by Siemens
Scalance Xf204 2ba Irt Firmware by Siemens
⚠️ Risk & Real-World Impact
Worst Case
Complete device crash requiring physical reboot, disrupting industrial network operations and potentially causing production downtime in critical infrastructure environments.
Likely Case
Denial of service affecting network connectivity for connected industrial devices, requiring manual intervention to restore functionality.
If Mitigated
Minimal impact if devices are patched, the network is segmented, and the devices are not directly exposed to untrusted networks.
🎯 Exploit Status
An unauthenticated remote attacker can exploit this with simple HTTP requests. Exploitation likely requires network access to the device's HTTP interface.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: V5.5.2 for IRT models, V5.2.6 for non-IRT models
Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-310038.pdf
Restart Required: Yes
Instructions:
1. Download firmware update from Siemens Industrial Security website.
2. Backup current configuration.
3. Upload firmware to device via web interface or management software.
4. Apply update.
5. Reboot device.
6. Verify firmware version.
🔧 Temporary Workarounds
Disable HTTP Interface
Disable HTTP web interface if not required for operations
Configure via web interface: System > Security > HTTP/HTTPS > Disable HTTP
Network Segmentation
Restrict network access to SCALANCE management interfaces
Configure firewall rules to block external access to port 80/tcp on SCALANCE devices
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SCALANCE devices from untrusted networks
- Disable HTTP interface entirely and use alternative management methods (CLI, SNMP, proprietary protocols)
🔍 How to Verify
Check if Vulnerable:
Check firmware version via web interface (System > Device Information) or CLI (show version). Compare against patched versions.
Check Version:
Web interface: System > Device Information. CLI: show version
Verify Fix Applied:
Confirm firmware version is V5.5.2 or higher for IRT models, V5.2.6 or higher for non-IRT models. Test HTTP interface functionality.
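The version comparison described above can be run across an asset inventory. The following is an added example, not Siemens tooling or code from the advisory; it assumes a `host,model,version` CSV layout and that IRT models are the ones with "IRT" in the product name, and its sample inventory is constructed.

```python
import re
# Fixed firmware versions as stated on this page.
FIXED = {"IRT": (5, 5, 2), "non-IRT": (5, 2, 6)}
# Affected models as listed on this page (without the "SCALANCE " prefix).
AFFECTED = set("""X200-4P IRT,X201-3P IRT,X201-3P IRT PRO,X202-2IRT,X202-2P IRT,
X202-2P IRT PRO,X204-2,X204-2FM,X204-2LD,X204-2LD TS,X204-2TS,X204IRT,X204IRT PRO,
X206-1,X206-1LD,X208,X208PRO,X212-2,X212-2LD,X216,X224,XF201-3P IRT,XF202-2P IRT,
XF204,XF204-2,XF204-2BA IRT,XF204IRT,XF206-1,XF208""".replace("\n", "").split(","))

def parse_version(text):
    """Parse 'V5.2.6', 'v05.05.02' or '5.10' into a comparable int tuple."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def assess(model, version):
    """Return 'not-listed', 'vulnerable', 'patched' or 'unknown-version'."""
    name = re.sub(r"^SCALANCE\s+", "", model.strip(), flags=re.I).upper()
    name = re.sub(r"\s+", " ", name)
    if name not in AFFECTED:
        return "not-listed"  # not in this page's affected list
    # Assumption: IRT models are those with "IRT" in the product name.
    family = "IRT" if "IRT" in name else "non-IRT"
    try:
        current = parse_version(version)
    except ValueError:
        return "unknown-version"  # needs a manual check on the device
    return "patched" if current >= FIXED[family] else "vulnerable"

def audit(inventory_csv):
    """inventory_csv: 'host,model,version' lines. Returns {host: status}."""
    results = {}
    for line in inventory_csv.strip().splitlines():
        host, model, version = [f.strip() for f in line.split(",")]
        results[host] = assess(model, version)
    return results

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """sw-line1,SCALANCE X204IRT,V5.4.1
sw-line2,SCALANCE X208,V5.2.6
sw-line3,SCALANCE XF204-2BA IRT,V5.5.2
sw-line4,SCALANCE X216,v5.2.5
sw-line5,SCALANCE XC208,V4.3
sw-line6,SCALANCE X224,unknown"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Versions are compared as integer tuples, so an IRT model reporting V5.2.6 is still flagged as vulnerable because its threshold is V5.5.2.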
📡 Detection & Monitoring
Log Indicators:
- Device crash/reboot logs
- HTTP request logs showing malformed URIs
- Connection drops in network monitoring
Network Indicators:
- Unusual HTTP traffic to SCALANCE devices on port 80
- Multiple HTTP GET requests with unusual URI patterns
- Sudden loss of connectivity to SCALANCE devices
SIEM Query:
source="scalance_logs" AND ((event_type="crash" OR event_type="reboot") OR http_uri CONTAINS "malformed_pattern")