Full Report
SCALANCE M-800 family before V7.2.2 is affected by multiple vulnerabilities. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in SCALANCE M-800 Family
## CVE Details
| CVE ID | CVSS Score (v3.1) | Severity | CWE |
| :--- | :--- | :--- | :--- |
| CVE-2023-44317 | 7.2 | High | CWE-349 (Acceptance of Extraneous Untrusted Data With Trusted Data) |
| CVE-2023-44320 | 4.3 | Medium | CWE-425 (Direct Request ('Forced Browsing')) |
| CVE-2023-49692 | 7.2 | High | CWE-78 (OS Command Injection) |
## Affected Systems
- **Products:** SCALANCE M-800 family (including S615, MUM-800, RM1224), RUGGEDCOM RM1224 family, SCALANCE M804PB, SCALANCE M812-1 ADSL-Router family, SCALANCE M816-1 ADSL-Router family.
- **Versions:** All versions prior to V7.2.2.
- **Configurations:** Specific product listings detail the affected SKUs (e.g., 6GK6108-4AM00, 6GK5804-0AP00-2AA2, etc.).
## Vulnerability Description
This advisory covers multiple flaws:
1. **CVE-2023-44317 (Arbitrary Code Execution):** Affected products fail to properly validate the content of uploaded X509 certificates. An attacker who possesses administrative privileges can leverage this flaw to execute arbitrary code on the device.
2. **CVE-2023-44320 (UI Modification):** Affected devices do not adequately validate authentication when certain modifications are made via the web interface. This allows an authenticated attacker to influence the user interface settings configured by an administrator.
3. **CVE-2023-49692 (OS Command Injection):** A vulnerability exists in the parsing of the IPSEC configuration. This flaw, which requires high privileges, could allow a malicious local administrator to issue system-level commands after a new connection is established.
## Exploitation
- **Status:** For all three CVEs, the advisory indicates that Proof-of-Concept (PoC) information is present (`E:P` in the vector string).
- **Complexity:**
  - CVE-2023-44317 & CVE-2023-49692: Low Complexity (`AC:L`)
  - CVE-2023-44320: Low Complexity (`AC:L`)
- **Attack Vector:**
  - CVE-2023-44317 & CVE-2023-49692: Network (`AV:N`)
  - CVE-2023-44320: Network (`AV:N`)
- **Required Privileges:**
  - CVE-2023-44317 & CVE-2023-49692: High (`PR:H`)
  - CVE-2023-44320: Low (`PR:L`)
## Impact
| CVE ID | Confidentiality | Integrity | Availability |
| :--- | :--- | :--- | :--- |
| CVE-2023-44317 | High | High | High |
| CVE-2023-44320 | None | Low | None |
| CVE-2023-49692 | High | High | High |
## Remediation
### Patches
- **Action:** Update all affected SCALANCE M-800 family, RUGGEDCOM RM1224 family, and related models to **Version V7.2.2 or later**.
### Workarounds
- No specific workarounds are listed in the provided summary text. The primary recommendation is immediate patching.
## Detection
- The advisory summary does not detail specific Indicators of Compromise (IOCs) or detection methods beyond ensuring the product is running the patched version.
- Detection should focus on monitoring for unusual X509 certificate uploads (`CVE-2023-44317`), unauthorized web interface changes by low-privileged users (`CVE-2023-44320`), and suspicious IPSEC configuration activities (`CVE-2023-49692`).
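
The one check the advisory does support is confirming that each affected device runs V7.2.2 or later. The following is an added example, not Siemens tooling or code from the advisory. The inventory row format, the model-name patterns and the sample hosts are assumptions constructed for illustration.

```python
import re

FIXED = (7, 2, 2)  # first fixed firmware version named in the advisory
# Assumption: inventory model strings contain one of these family tokens,
# derived from the product names in the "Affected Systems" list.
FAMILY = re.compile(r"\b(M8\d{2}|MUM8\d{2}|S615|RM1224)", re.I)
VERSION = re.compile(r"^[Vv]?(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(text):
    """Return (major, minor, patch), or None if the string is not a version."""
    m = VERSION.match(text.strip())
    if not m:
        return None
    # A missing patch component ("V6.4") is treated as 0.
    return tuple(int(p) if p else 0 for p in m.groups())


def classify(model, firmware):
    """Return 'not-affected', 'vulnerable', 'patched' or 'unknown'."""
    if not FAMILY.search(model):
        return "not-affected"
    version = parse_version(firmware)
    if version is None:
        return "unknown"  # unparseable: review by hand, never assume patched
    return "vulnerable" if version < FIXED else "patched"


def audit(inventory):
    """Map each (host, model, firmware) row to its classification."""
    return {host: classify(model, fw) for host, model, fw in inventory}


# Constructed sample inventory; hostnames and firmware values are made up.
SAMPLE = [
    ("rtr-01", "SCALANCE M804PB", "V7.2.1"),
    ("rtr-02", "SCALANCE M812-1 ADSL-Router", "V7.2.2"),
    ("rtr-03", "RUGGEDCOM RM1224", "V6.4"),
    ("rtr-04", "SCALANCE S615", "unknown"),
    ("sw-01", "Example Switch 100", "V1.0"),
    ("rtr-05", "SCALANCE M816-1 ADSL-Router", "V07.03.00"),
]

if __name__ == "__main__":
    for host, status in audit(SAMPLE).items():
        print(f"{host}: {status}")
```

Rows reported as `unknown` carry a firmware string the parser could not read and need a manual check before being counted as patched.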
## References
- Vendor Advisory Link (General): hxxps://www.siemens.com/cert/advisories
- Patch/Solution Information: hxxps://support.industry.siemens.com/cs/ww/en/view/109822615/