Full Report
The embedded web server on affected devices contains a buffer overflow vulnerability. This could allow remote attackers to cause a denial of service (device reboot) or possibly execute arbitrary code via a malformed URL. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Buffer Overflow in SCALANCE X Switches Web Server
## CVE Details
- **CVE ID:** CVE-2012-1802
- **CVSS Score:**
  - CVSS v4.0: 8.7 (High)
  - CVSS v3.1: 7.5 (High)
- **CWE:** CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
## Affected Systems
- **Products:**
  - SCALANCE X414-3E
  - SCALANCE X-300 family (including X408 and SIPLUS NET variants)
  - SCALANCE X307-3, X307-3LD
  - SCALANCE X308-2, X308-2LD, X308-2LH, X308-2LH+
  - SCALANCE X310, X310FE
- **Versions:**
  - SCALANCE X414-3E: All versions < V3.7.1
  - SCALANCE X-300 family: All versions < V3.7.2
- **Configurations:** Devices with the embedded web server enabled and accessible via the network.
## Vulnerability Description
A classic buffer overflow exists in the embedded web server of the affected SCALANCE X switches. The flaw is triggered when the web server processes a malformed URL. Because the application fails to check the size of the input before copying it into a fixed-size buffer, an attacker can overwrite adjacent memory, leaving the device in a memory-corrupted state.
## Exploitation
- **Status:** PoC status not explicitly stated in the advisory (historical vulnerability, disclosed in 2012).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** None (Based on CVSS 3.1/4.0 vector provided)
- **Integrity:** None (Note: the document mentions "possibly execute arbitrary code," but the CVSS vectors provided rate only Availability as High)
- **Availability:** High (Results in device reboot/Denial of Service)
## Remediation
### Patches
Siemens recommends updating to the following versions:
- **SCALANCE X414-3E:** Update to V3.7.1 or later.
- **SCALANCE X-300 family:** Update to V3.7.2 or later.
### Workarounds
- Limit network access to the device's web management interface using firewalls or VLANs.
- Disable the web server (HTTP/HTTPS) if not required for operational use.
- Adhere to the Siemens Operational Technology (OT) security concept ("Defense in Depth").
## Detection
- **Indicators of compromise:** Unexpected reboots of SCALANCE switches or intermittent loss of connectivity to the management interface.
- **Detection methods and tools:** Monitor network traffic for unusually long or malformed GET/POST requests directed at the switch's IP address. Use industrial IDS signatures tailored for CVE-2012-1802.
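The request-monitoring method above, as an added example that is not part of the advisory: a log scanner that flags web-server access-log lines to the switch with oversized or non-printable URLs, or from clients outside an assumed management subnet. The log lines, the 512-byte length threshold and the 10.0.5.0/24 management network are constructed assumptions to be tuned per site.

```python
import ipaddress
import re
from urllib.parse import unquote_to_bytes

# Common Log Format, with the request line split into method, URL and version.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) (?P<ver>\S+)" (?P<status>\d{3}) \S+'
)

MAX_URL_LEN = 512                                   # assumed threshold; tune per site
MGMT_NETS = [ipaddress.ip_network("10.0.5.0/24")]   # assumed engineering-station subnet


def inspect_request(line):
    """Return the reasons a log line looks suspicious, or [] if it is clean."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable line"]
    reasons = []
    url = m.group("url")
    client = ipaddress.ip_address(m.group("client"))
    if len(url) > MAX_URL_LEN:
        reasons.append(f"url_length={len(url)} exceeds {MAX_URL_LEN}")
    # Percent-decode first so encoded control bytes are not missed.
    if any(b < 0x20 or b > 0x7E for b in unquote_to_bytes(url)):
        reasons.append("non-printable bytes in decoded url")
    if not any(client in net for net in MGMT_NETS):
        reasons.append(f"client {client} outside management network")
    return reasons


def scan_log(text):
    """Return (line_number, reasons) for every suspicious line in an access log."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        reasons = inspect_request(line)
        if reasons:
            findings.append((n, reasons))
    return findings


# Constructed sample lines (not from the advisory); line 3 has an oversized path.
SAMPLE_LOG = "\n".join([
    '10.0.5.20 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.5.20 - - [12/Mar/2024:10:01:05 +0000] "GET /config?page=vlan HTTP/1.1" 200 2048',
    '172.16.9.3 - - [12/Mar/2024:10:02:11 +0000] "GET /' + "A" * 1500 + ' HTTP/1.1" 400 0',
    '10.0.5.21 - - [12/Mar/2024:10:02:12 +0000] "GET /%00%ff%fe HTTP/1.1" 400 0',
])

if __name__ == "__main__":
    for n, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: " + "; ".join(reasons))
```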
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/html/ssa-130874.html
- **Firmware Downloads:**
  - hxxps://support.industry.siemens[.]com/cs/ww/en/view/109747276/
  - hxxps://support.industry.siemens[.]com/cs/ww/en/view/59868786/
- **Siemens Industrial Security:** hxxps://www.siemens[.]com/industrialsecurity