First published: Tue Jan 12 2021(Updated: )
A vulnerability has been identified in SCALANCE X-200RNA switch family (All versions < V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < V4.1.0). Devices do not create a new unique private key after factory reset. An attacker could leverage this situation to a man-in-the-middle situation and decrypt previously captured traffic.
Credit: productcert@siemens.com
Affected Software | Affected Version | How to fix |
---|---|---|
Siemens Scalance Xr324-12m Firmware | <4.1.0 | |
Siemens Scalance Xr324-12m | ||
Siemens Scalance Xr324-12m Ts Firmware | <4.1.0 | |
Siemens Scalance Xr324-12m Ts | ||
Siemens Scalance Xr324-4m Eec Firmware | <4.1.0 | |
Siemens Scalance Xr324-4m Eec | ||
Siemens Scalance Xr324-4m Poe Firmware | <4.1.0 | |
Siemens Scalance Xr324-4m Poe | ||
Siemens Scalance Xr324-4m Poe Ts Firmware | <4.1.0 | |
Siemens Scalance Xr324-4m Poe Ts | ||
Siemens Scalance Xr324wg Firmware | <4.1.0 | |
Siemens Scalance Xr324wg | ||
Siemens Scalance Xr326-2c Poe Wg Firmware | <4.1.0 | |
Siemens Scalance Xr326-2c Poe Wg | ||
Siemens Scalance Xr328-4c Wg Firmware | <4.1.0 | |
Siemens Scalance Xr328-4c Wg | ||
Siemens SCALANCE X-200 switch family (incl. SIPLUS NET variants) | <5.2.5 | 5.2.5 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
The vulnerability ID is CVE-2020-28395.
The SCALANCE X-200RNA switch family (All versions < V3.2.7) and SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < V4.1.0) are affected by this vulnerability.
The severity of CVE-2020-28395 is medium with a CVSS score of 5.9.
An attacker could exploit this vulnerability to leverage the lack of a unique private key after a factory reset.
Yes, there are security advisories available for this vulnerability. You can find them at the following references: [link1](https://cert-portal.siemens.com/productcert/pdf/ssa-274900.pdf), [link2](https://us-cert.cisa.gov/ics/advisories/icsa-21-012-02).