ICSA-16-103-03C  ·  Published 2025-06-05

Siemens Industrial Products DROWN Vulnerability (Update C)

CVSS 4.0 MEDIUM

CVEs (1)

Remediations

  • Siemens has released updates and encourages users to apply them as soon as possible. The following is a list of the products with their corresponding updates.
  • SCALANCE X300 family: Update to V4.1.0: (https://support.industry.siemens.com/cs/ww/en/view/109748080)
  • SCALANCE X414: Update to V3.10.2: (https://support.industry.siemens.com/cs/ww/en/view/109747276)
  • SCALANCE X200 IRT family: Update to V5.3.0: (https://support.industry.siemens.com/cs/document/109744096)
  • SCALANCE X200 RNA family: Update to V3.2.5: (https://support.industry.siemens.com/cs/ww/en/view/109745413)
  • SCALANCE X200 family: Update to V5.2.2: (https://support.industry.siemens.com/cs/ww/de/view/109752018)
  • For ROX I devices, Siemens provides a mitigation tool and application note in SSA-327980. The mitigation tool also disables the use of SSL 2.0 and SSL 3.0 on port 10000/TCP. The mitigation tool can be obtained by submitting a support request online (https://www.siemens.com/automation/support-request) or by calling a local hotline center (https://w3.siemens.com/aspa_app/).
  • Siemens recommends that users apply the following mitigations until patches are available: Protect network access to the web server (443/TCP, 10000/TCP for ROX I by default) on the devices with appropriate mechanisms. Restrict access to the management interface to the internal network. Apply defense-in-depth.
  • As a general security measure, Siemens strongly recommends protecting network access to nonperimeter devices with appropriate mechanisms. It is advised to configure the environment according to Siemens operational guidelines in order to run the devices in a protected IT environment. (https://www.siemens.com/cert/operational-guidelines-industrial-security)
  • For more information on these vulnerabilities and detailed instructions, please see Siemens Security Advisory SSA-623229 at the following location: (http://www.siemens.com/cert/advisories)

Affected Vendors

Siemens

Affected Products (6)

Siemens · SCALANCE X300 family <V4.1.0
Siemens · SCALANCE X414 <V3.10.2
Siemens · SCALANCE X200 IRT family <V5.3.0
Siemens · SCALANCE X200 RNA family <V3.2.5
Siemens · SCALANCE X200 family <V5.2.2
Siemens · ROX I all versions
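A triage check for an asset inventory against the fixed versions listed above, added here as an example and not part of the advisory or any Siemens tool. It assumes each inventory record already carries the product family name as the advisory writes it; the hostnames and installed versions are constructed.

```python
import re

# Fixed firmware versions from the advisory; None = no fixed release listed.
FIXED = {
    "SCALANCE X300 family": (4, 1, 0),
    "SCALANCE X414": (3, 10, 2),
    "SCALANCE X200 IRT family": (5, 3, 0),
    "SCALANCE X200 RNA family": (3, 2, 5),
    "SCALANCE X200 family": (5, 2, 2),
    "ROX I": None,
}

# Constructed sample inventory: (hostname, family, installed firmware).
INVENTORY = [
    ("sw-line1", "SCALANCE X414", "V3.9.0"),   # as text, "V3.9.0" sorts after "V3.10.2"
    ("sw-line2", "SCALANCE X200 IRT family", "V5.3.0"),
    ("sw-line3", "SCALANCE X300 family", "V4.1"),  # short form of V4.1.0
    ("rtr-sub1", "ROX I", "V2.9.0"),
    ("sw-other", "EXAMPLE-UNLISTED-SWITCH", "V1.0"),
]

def parse_version(text):
    """Turn 'V3.10.2' into (3, 10, 2) so each component compares as a number."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))

def triage(family, version):
    """Return 'update', 'ok', 'mitigate' or 'not-listed' for one device."""
    if family not in FIXED:
        return "not-listed"
    fixed = FIXED[family]
    if fixed is None:
        return "mitigate"  # ROX I: SSA-327980 mitigation tool, restrict network access
    have = parse_version(version)
    width = max(len(have), len(fixed))
    pad = lambda v: v + (0,) * (width - len(v))  # so (4, 1) equals (4, 1, 0)
    return "update" if pad(have) < pad(fixed) else "ok"

def report(inventory):
    return {host: triage(family, version) for host, family, version in inventory}

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:10} {status}")
```

A version string that does not parse raises `ValueError` rather than being treated as patched, so malformed inventory entries surface for manual review.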
