PT-2023-6990 · Siemens · Scalance Xb205-3

Published: 2023-11-14 · Updated: 2025-01-15 · CVE-2023-44318

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions

- SCALANCE XB205-3 (SC, PN) versions prior to V4.5
- SCALANCE XB205-3 (ST, E/IP) versions prior to V4.5
Description

Affected devices use a hardcoded cryptographic key to obfuscate the configuration backups that an administrator can export from the device. Because the key is fixed in the device software rather than derived from a per-device or per-user secret, it is the same on every affected unit, and anyone who knows it can decrypt any exported backup without access to the device that produced it. The obfuscation therefore provides no confidentiality against an attacker who holds the file: an authenticated attacker with administrative privileges, or anyone who obtains an exported backup (for example from a file share, a ticket attachment or an engineering workstation), can extract the configuration information it contains, including any credentials stored in it. The CVSS vector reflects this: network-reachable (AV:N) but requiring high privileges (PR:H) on the export path, with a high confidentiality impact (VC:H) and no integrity or availability impact.
Recommendations

Update SCALANCE XB205-3 (SC, PN) and SCALANCE XB205-3 (ST, E/IP) to version V4.5 or later. Until the update is applied, restrict who may export configuration backups and where they are stored, limit administrative privileges to the accounts that need them, and treat any backup exported from an unpatched device as plaintext-equivalent: protect it at rest and in transit by external means (for example by encrypting the file or the storage it resides on), and rotate any credentials contained in a backup that may have been exposed.
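Added example, not from this advisory and not Siemens code: a Python model of why a hardcoded backup key gives no confidentiality, placed next to a passphrase-derived alternative. The device's real obfuscation algorithm, key and backup file format are not disclosed on this page; FIRMWARE_KEY, the header constants, the SHA-256 counter-mode stream cipher and the sample configuration are all constructed for the illustration, and the hardened variant is a generic design, not a description of what V4.5 changed.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-ins for the example; not the device's real key, algorithm or format.
FIRMWARE_KEY = b"example-hardcoded-key-baked-into-every-unit"
MAGIC_FIXED = b"CFGBK-FIXED:"   # header of the fixed-key (vulnerable) format
MAGIC_PASS = b"CFGBK-PASS:"     # header of the passphrase-protected format
PBKDF2_ITERATIONS = 200_000


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode: a toy stream cipher so the example needs only the stdlib."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def obfuscate_fixed_key(config: bytes) -> bytes:
    """Model of the vulnerable scheme: every device encrypts under the same FIRMWARE_KEY.
    The nonce is random per export but stored in the clear, so the key is the only secret."""
    nonce = os.urandom(12)
    return MAGIC_FIXED + nonce + _xor(config, _keystream(FIRMWARE_KEY, nonce, len(config)))


def recover_with_firmware_key(blob: bytes) -> Optional[bytes]:
    """Attacker view: the exported file plus the key lifted once from firmware is enough;
    no device access and no credentials are needed. Returns None for other formats."""
    if not blob.startswith(MAGIC_FIXED):
        return None
    start = len(MAGIC_FIXED)
    nonce, body = blob[start:start + 12], blob[start + 12:]
    return _xor(body, _keystream(FIRMWARE_KEY, nonce, len(body)))


def protect_with_passphrase(config: bytes, passphrase: str) -> bytes:
    """Hardened alternative (generic, not Siemens' fix): the key is derived from an
    administrator-chosen passphrase with a random salt, and an HMAC tag authenticates
    the file so a wrong passphrase or tampering is detected rather than yielding garbage."""
    salt, nonce = os.urandom(16), os.urandom(12)
    derived = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    enc_key, mac_key = derived[:32], derived[32:]
    body = _xor(config, _keystream(enc_key, nonce, len(config)))
    tag = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    return MAGIC_PASS + salt + nonce + body + tag


def unprotect_with_passphrase(blob: bytes, passphrase: str) -> Optional[bytes]:
    """Returns the configuration, or None if the format or the passphrase is wrong."""
    if not blob.startswith(MAGIC_PASS) or len(blob) < len(MAGIC_PASS) + 16 + 12 + 32:
        return None
    start = len(MAGIC_PASS)
    salt = blob[start:start + 16]
    nonce = blob[start + 16:start + 28]
    body, tag = blob[start + 28:-32], blob[-32:]
    derived = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS, dklen=64)
    enc_key, mac_key = derived[:32], derived[32:]
    expected = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(body, _keystream(enc_key, nonce, len(body)))


if __name__ == "__main__":
    # Constructed sample configuration; a real switch backup carries secrets of this kind.
    config = b"hostname=sw-cell-01\nsnmp_rw_community=PrivateRW\nadmin_password=Sw1tch-Admin\n"
    exported = obfuscate_fixed_key(config)
    print(recover_with_firmware_key(exported) == config)        # True: file alone suffices
    sealed = protect_with_passphrase(config, "long backup passphrase")
    print(recover_with_firmware_key(sealed))                     # None: fixed key is useless
    print(unprotect_with_passphrase(sealed, "wrong") is None)    # True: clean failure
```

The point of `recover_with_firmware_key` is that it takes nothing but the file: once the shared key is known (it is identical in every unit's firmware), every backup exported from any affected device is readable, which is why the workaround above treats such files as plaintext. The passphrase variant ties each file to a secret the device never stores, and its HMAC turns a wrong passphrase into a clean failure instead of silently decoded garbage.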


Related Identifiers

BDU:2023-08009
CVE-2023-44318

Affected Products

Scalance Xb205-3