Lucene search
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.TENABLE_OT_SIEMENS_CVE-2020-28395.NASLHistoryApr 11, 2023 - 12:00 a.m.
Siemens SCALANCE X Switches Use of Hard-Coded Cryptographic Key (CVE-2020-28395)
2023-04-1100:00:00
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
7
A vulnerability has been identified in SCALANCE X-200RNA switch family (All versions < V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < V4.1.0). Devices do not create a new unique private key after factory reset. An attacker could leverage this situation to a man-in-the-middle situation and decrypt previously captured traffic.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(500968);
script_version("1.4");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/03/04");
script_cve_id("CVE-2020-28395");
script_name(english:"Siemens SCALANCE X Switches Use of Hard-Coded Cryptographic Key (CVE-2020-28395)");
script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in SCALANCE X-200RNA switch family
(All versions < V3.2.7), SCALANCE X-300 switch family (incl. X408 and
SIPLUS NET variants) (All versions < V4.1.0). Devices do not create a
new unique private key after factory reset. An attacker could leverage
this situation to a man-in-the-middle situation and decrypt previously
captured traffic.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-274900.pdf");
script_set_attribute(attribute:"see_also", value:"https://us-cert.cisa.gov/ics/advisories/icsa-21-012-02");
script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.
Siemens recommends applying updates where available:
- SCALANCE X-200 switch family (incl. SIPLUS NET variants): Update to v5.2.5 or later
- SCALANCE X-200RNA switch family: Update to v3.2.7 or later
- SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants): Update to v4.1.0 or later
- SCALANCE X-200IRT switch family (incl. SIPLUS NET variants): Update to v5.5.0 or later
Siemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:
- Update the default self-signed device X.509 certificates with own trusted certificate.
- Update the default hardcoded X.509 certificates from the firmware image (fingerprints SHA-1:
F2:C8:3B:8F:86:27:74:AA:60:EC:D4:A0:CF:0D:BE:A6:D1:FE:22:12 and SHA-256: 25:60:DB:B3:
F9:07:9D:69:0E:DD:A9:EB:4E:1C:D5:8E:AF:79:16:C3:C8:13:A6:F6:59:AD:05:E4:6F:77:F7:72)
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate
mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the
environment according to the Siemens operational guidelines for Industrial Security and following the recommendations in
the product manuals.
For additional information, please refer to Siemens Security Advisory SSA-274900");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-28395");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_cwe_id(321);
script_set_attribute(attribute:"vuln_publication_date", value:"2021/01/12");
script_set_attribute(attribute:"patch_publication_date", value:"2021/01/12");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/04/11");
script_set_attribute(attribute:"plugin_type", value:"remote");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_x-200rna_series_firmware");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_x-300_series_firmware");
script_set_attribute(attribute:"generated_plugin", value:"former");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Tenable.ot");
script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("tenable_ot_api_integration.nasl");
script_require_keys("Tenable.ot/Siemens");
exit(0);
}
include('tenable_ot_cve_funcs.inc');
get_kb_item_or_exit('Tenable.ot/Siemens');
var asset = tenable_ot::assets::get(vendor:'Siemens');
var vuln_cpes = {
"cpe:/o:siemens:scalance_x-200rna_series_firmware" :
{"versionEndExcluding" : "3.2.7", "family" : "SCALANCEX200"},
"cpe:/o:siemens:scalance_x-300_series_firmware" :
{"versionEndExcluding" : "4.1.0", "family" : "SCALANCEX300"}
};
tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);
| Vendor | Product | Version | CPE |
|---|---|---|---|
| siemens | scalance_x-200rna_series_firmware | cpe:/o:siemens:scalance_x-200rna_series_firmware | |
| siemens | scalance_x-300_series_firmware | cpe:/o:siemens:scalance_x-300_series_firmware |
Related
cvelist
cvelist
CVE-2020-28395
2021-01-12 00:00:00
cve
cve
CVE-2020-28395
2021-01-12 21:15:00
prion
prion
Design/Logic Flaw
2021-01-12 21:15:00
ics
ics
Siemens SCALANCE X Switches (Update C)
2022-12-16 12:00:00
Related for TENABLE_OT_SIEMENS_CVE-2020-28395.NASL