Full Report
Siemens SCALANCE industrial solutions are affected by Dnsmasq vulnerabilities. An attacker could execute arbitrary code on the device or conduct a denial-of-service (DoS) attack against it.
Analysis Summary
# Vulnerability: Dnsmasq Flaws in Siemens SCALANCE Industrial Solutions
## CVE Details
*Note: This summary covers the primary critical vulnerabilities identified in the Siemens SCALANCE implementation of Dnsmasq (commonly referred to as "DNSpooq" or the 2017 Google Security findings).*
| CVE ID | Flaw type | CVSS Score | CWE |
|---|---|---|---|
| CVE-2017-14491 | Heap-based buffer overflow | 9.8 (Critical) | CWE-122 (Heap-based Buffer Overflow) |
| CVE-2017-14492 | Heap-based buffer overflow | 7.5 (High) | CWE-122 |
| CVE-2017-14493 | Stack-based buffer overflow | 7.5 (High) | CWE-121 |
| CVE-2017-14496 | Denial of Service | 7.5 (High) | CWE-400 |
## Affected Systems
- **Products:** Siemens SCALANCE M-800, S615, and W-700 series industrial routers/modules.
- **Versions:** All versions prior to the remediated firmware updates (typically firmware versions earlier than V6.4 / V5.4 depending on specific model).
- **Configurations:** Systems where the internal Dnsmasq service is enabled for DNS forwarding or DHCP services.
## Vulnerability Description
The vulnerabilities exist in **Dnsmasq**, a lightweight DNS forwarder and DHCP server used within the Siemens SCALANCE firmware.
- **CVE-2017-14491** is the most severe, involving a heap-based buffer overflow in the DNS response handling code. By sending specially crafted DNS packets, an attacker can trigger memory corruption.
- The other flaws stem from insufficient validation of packet boundaries and sizes, allowing stack-based overflows or memory exhaustion; depending on the flaw, the result is remote code execution (RCE) or a crash of the networking service that persists until the device is restarted.
## Exploitation
- **Status:** PoC available (Public exploits were released following the 2017 Google security research disclosure).
- **Complexity:** Medium (Requires crafting specific DNS packets).
- **Attack Vector:** Network (The attacker must be able to send packets to the device's DNS service).
## Impact
- **Confidentiality:** High (Potential for RCE leads to full system compromise).
- **Integrity:** High.
- **Availability:** High (Device may crash or be rendered unresponsive).
## Remediation
### Patches
Siemens released firmware updates for the affected SCALANCE families. Users are advised to update to the following or newer versions:
- **SCALANCE M-800 / S615:** Update to v5.0 or later.
- **SCALANCE W-700 IEEE 802.11n:** Update to v6.3.0 or later.
- **SCALANCE W-1700 IEEE 802.11ac:** Update to v1.0.1 or later.
### Workarounds
- **Disable DNS Services:** If the DNS forwarding/DHCP functionality of the SCALANCE device is not required, disable it in the device configuration.
- **Network Segmentation:** Use firewalls to restrict access to the DNS (UDP/53) and DHCP (UDP/67 and UDP/68) ports to trusted internal hosts only.
- **Filter Inbound DNS:** Ensure the device does not accept DNS responses from untrusted external sources.
## Detection
- **Indicators of Compromise:** Unexpected reboots of SCALANCE hardware; unusual DNS traffic patterns; presence of malformed DNS packets targeting the device's IP.
- **Detection methods and tools:** Use Intrusion Detection Systems (IDS) with signatures for CVE-2017-14491. Siemens provides the "PRONETA" tool or the web-based management interface to verify current firmware versions.
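The "malformed DNS packets targeting the device's IP" indicator above can be turned into a concrete check. The following Python script is an added example for this advisory (not code from Siemens, Dnsmasq, or the advisory's authors): it parses DNS messages in RFC 1035 wire format and reports structural anomalies that a well-formed resolver response never contains, such as labels longer than 63 bytes, names longer than 255 bytes, compression pointers that point forward or loop, RDLENGTH values that run past the end of the packet, and trailing bytes. The three sample packets are constructed inline; the hop limit `MAX_POINTER_HOPS` and the decision to treat trailing bytes as an anomaly are assumptions of this example, not rules from the advisory.

```python
"""Structural sanity check for DNS messages (RFC 1035 wire format).

Added example, not code from Siemens, Dnsmasq or the advisory. Run it over
UDP/53 payloads captured in front of the SCALANCE device to flag packets that
violate the wire-format rules instead of relying on "unusual traffic" alone.
"""
import struct
from typing import Tuple

MAX_LABEL = 63
MAX_NAME = 255
MAX_POINTER_HOPS = 16   # assumption: no legitimate name needs this many hops


class MalformedDNS(Exception):
    """Raised on any RFC 1035 violation found while parsing."""


def _read_name(pkt: bytes, pos: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name at pos.

    Returns (dotted name, offset just past the name in the original stream).
    """
    labels, name_len, hops, end = [], 0, 0, None
    while True:
        if pos >= len(pkt):
            raise MalformedDNS("name runs past end of packet")
        length = pkt[pos]
        if length & 0xC0 == 0xC0:   # compression pointer (RFC 1035 section 4.1.4)
            if pos + 1 >= len(pkt):
                raise MalformedDNS("truncated compression pointer")
            target = ((length & 0x3F) << 8) | pkt[pos + 1]
            if target >= pos:       # must point to an earlier occurrence, so no loops
                raise MalformedDNS("compression pointer does not point backward")
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise MalformedDNS("too many compression hops")
            if end is None:
                end = pos + 2       # the original stream resumes after the pointer
            pos = target
            continue
        if length > MAX_LABEL:      # also rejects the reserved 0x40/0x80 label types
            raise MalformedDNS("label longer than 63 bytes or reserved label type")
        pos += 1
        name_len += length + 1      # length octet plus label (or the root octet)
        if name_len > MAX_NAME:
            raise MalformedDNS("name longer than 255 bytes")
        if length == 0:
            return ".".join(labels) or ".", (end if end is not None else pos)
        if pos + length > len(pkt):
            raise MalformedDNS("label runs past end of packet")
        labels.append(pkt[pos:pos + length].decode("ascii", "replace"))
        pos += length


def check_dns_message(pkt: bytes) -> dict:
    """Parse a DNS message; return a summary or raise MalformedDNS."""
    if len(pkt) < 12:
        raise MalformedDNS("header shorter than 12 bytes")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    pos, questions, records = 12, [], []
    for _ in range(qd):
        name, pos = _read_name(pkt, pos)
        if pos + 4 > len(pkt):
            raise MalformedDNS("question section truncated")
        qtype, _qclass = struct.unpack("!HH", pkt[pos:pos + 4])
        pos += 4
        questions.append((name, qtype))
    for _ in range(an + ns + ar):
        name, pos = _read_name(pkt, pos)
        if pos + 10 > len(pkt):
            raise MalformedDNS("resource record header truncated")
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[pos:pos + 10])
        pos += 10
        if pos + rdlen > len(pkt):
            raise MalformedDNS("RDLENGTH runs past end of packet")
        if rtype in (2, 5, 12):     # NS, CNAME, PTR: RDATA is itself a name
            _, name_end = _read_name(pkt, pos)
            if name_end > pos + rdlen:
                raise MalformedDNS("RDATA name longer than RDLENGTH")
        records.append((name, rtype, rdlen))
        pos += rdlen
    if pos != len(pkt):
        raise MalformedDNS("trailing bytes after last record")
    return {"id": txid, "is_response": bool(flags & 0x8000),
            "questions": questions, "records": records}


def classify(pkt: bytes) -> str:
    """Return 'ok' or 'malformed: <reason>' for use in a capture loop."""
    try:
        check_dns_message(pkt)
        return "ok"
    except MalformedDNS as exc:
        return f"malformed: {exc}"


def _wire_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


_HDR = struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)        # constructed: 1 question, 1 answer
_Q = _wire_name("example.com") + struct.pack("!HH", 1, 1)    # constructed: example.com IN A
# Constructed benign answer: owner name compressed to offset 12, A record with a 4-byte address.
GOOD_RESPONSE = _HDR + _Q + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
# Constructed anomaly: the answer's owner name is a pointer to its own offset (29), i.e. a loop.
LOOPING_RESPONSE = _HDR + _Q + b"\xC0\x1D" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
# Constructed anomaly: a 64-byte label in the question name.
LONG_LABEL_RESPONSE = (struct.pack("!6H", 0x1234, 0x8180, 1, 0, 0, 0)
                       + bytes([64]) + b"a" * 64 + b"\x00" + struct.pack("!HH", 1, 1))

if __name__ == "__main__":
    for tag, pkt in [("good", GOOD_RESPONSE), ("loop", LOOPING_RESPONSE), ("long label", LONG_LABEL_RESPONSE)]:
        print(f"{tag:10s} -> {classify(pkt)}")
```

In a deployment the `classify` call sits in a capture loop (for example over payloads exported from a span-port capture of UDP/53 traffic to the SCALANCE management or LAN address); any `malformed:` result for a packet addressed to the device is worth correlating with the unexpected-reboot indicator above.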
## References
- **Vendor Advisory (Siemens):** hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-941426[.]pdf
- **Kaspersky ICS CERT:** hxxps[://]ics-cert[.]kaspersky[.]com/publications/2017/12/05/dnsmasq-vulnerabilities-affect-siemens-scalance-solutions/
- **NIST NVD (CVE-2017-14491):** hxxps[://]nvd[.]nist[.]gov/vuln/detail/CVE-2017-14491