Brief
Summary:
As of January 10, 2023, CISA will no longer update ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. The advisory details two vulnerabilities in Siemens SCALANCE XB200/XC200/XP200/XF200/XR300WG products:
1. Use of Hard-coded Cryptographic Key (CVE-2023-44318): Affected devices use a hardcoded key to obfuscate configuration backups, allowing an authenticated attacker to extract configuration information.
2. Uncontrolled Resource Consumption (CVE-2023-44321): Affected devices do not properly validate input lengths, leading to a denial-of-service condition.
The vulnerabilities affect various Siemens products worldwide, including energy sector devices. Siemens recommends protecting network access to devices, configuring the environment according to industrial security guidelines, and following recommendations in product manuals. CISA recommends that users perform an impact analysis and risk assessment, and implement defensive measures such as minimizing network exposure, using firewalls, and using secure remote access.
View the full advisory for detailed information on affected products, vulnerability overview, and mitigation recommendations.