Three denial-of-service vulnerabilities have been uncovered in the integrated web server of SCALANCE X-200 / X-200IRT / X-300 switch families. Descriptions are available in the Siemens SSA-139628 security advisory.
The CVE-2020-15799 vulnerability could allow an unauthenticated user to reboot the device by using a special URL on the device’s integrated web server.
The CVE-2020-15800 vulnerability could cause a heap overflow condition, which in turn could stop the integrated web server on the device temporarily.
Finally, there is the CVE-2020-25226 vulnerability, which could also cause a buffer overflow condition, but once it is exploited the web server is permanently disabled.
Vulnerable devices are all switches from the three families mentioned in the SSA-274900 security advisory, with just a few exceptions. Specifically, version 4.1.0 of the firmware for devices in the SCALANCE X 300 series (and only them) is not vulnerable to CVE-2020-15799 and CVE-2020-25226.
The vendor provides a workaround for these vulnerabilities: using firewall rules to restrict access to the integrated web servers on vulnerable devices (requests on port 443/tcp).
Note that restricting access to this and other ports on the devices would also be useful in terms of preventing MitM attacks, which can be accomplished by exploiting the SSA-274900 vulnerabilities. Based on defense-in-depth principles, it is a good idea to limit access to the device’s ports allowed by firewall rules to the required minimum. This applies even if the certificates have been updated as per vendor recommendations and device firmware has been updated, as well.
Nevertheless, the above measures cannot prevent a CVE-2020-15799 exploitation scenario in which an external attacker surreptitiously sends a device reboot URL to a user inside the network and the user inadvertently follows the link. This scenario in effect implements a cross-site request forgery (CSRF) attack. Security updates that could prevent this scenario are as yet unavailable. Hopefully, they will appear soon.
Vulnerability advisory publication date: 12 January 2021