Full Report
SCALANCE M-800 family before V8.1 is affected by multiple vulnerabilities. Siemens has released new versions for the affected products and recommends to update to the latest versions.
Analysis Summary
# Vulnerability: Multiple Critical Vulnerabilities in SCALANCE M-800 and RUGGEDCOM RM1224 Families
## CVE Details
This advisory covers multiple vulnerabilities. Specific details (CWE, full CVSS vector breakdown) are only provided for the later CVEs listed in the source material.
| CVE ID | CVSS v3.1 Score | CVSS v4.0 Score | Severity (v4.0 Est.) | Vulnerability Summary |
| :--- | :--- | :--- | :--- | :--- |
| CVE-2023-44321 | Not specified | Not specified | Critical/High (Implied) | One of the vulnerabilities affecting the product. |
| CVE-2024-41976 | 7.2 (High) | 8.6 (Critical) | Critical | Improper Input Validation leading to RCE. |
| CVE-2024-41977 | 7.1 (High) | 7.3 (High) | High | Privilege Escalation due to session isolation failure. |
| CVE-2024-41978 | 6.5 (Medium) | 7.1 (High) | High | Sensitive 2FA info logged, allowing token forgery. |
**Specific Details for Known CVEs:**
* **CVE-2024-41976:**
  * CWE: CWE-20: Improper Input Validation
  * CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* **CVE-2024-41977:**
  * CWE: CWE-488: Exposure of Data Element to Wrong Session
  * CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H
* **CVE-2024-41978:**
  * CWE: CWE-532: Insertion of Sensitive Information into Log File
  * CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
## Affected Systems
* **Products:** SCALANCE M-800 family (including S615, MUM-800), RUGGEDCOM RM1224 family (including specific models 6GK6108-4AM00, 6GK6108-4AM00-2BA2, 6GK6108-4AM00-2DA2), SCALANCE M804PB (6GK5804-0AP00-2AA2), SCALANCE M812-1 ADSL-Router family, SCALANCE M816-1 ADSL-Router family, SCALANCE M826-2 SHDSL-Router (6GK5826-2AB00-2AB2).
* **Versions:** All versions prior to V8.1.
* **Configurations:** All listed products are affected in every configuration unless firmware V8.1 or later is installed.
## Vulnerability Description
The SCALANCE M-800 and RUGGEDCOM RM1224 product families contain multiple vulnerabilities residing in the firmware components.
1. **CVE-2024-41976 (Improper Input Validation/RCE):** An authenticated remote attacker can leverage improper validation of input fields within specific VPN configurations to potentially execute arbitrary code on the device.
2. **CVE-2024-41977 (Privilege Escalation):** An authenticated remote attacker may escalate privileges due to the web server component failing to properly enforce isolation between user sessions.
3. **CVE-2024-41978 (2FA Token Forgery):** Sensitive information related to the generation of 2FA tokens is inserted into log files, which could allow an authenticated remote attacker to forge 2FA tokens belonging to other users.
4. **CVE-2023-44321:** An additional, unspecified vulnerability affecting these products.
## Exploitation
* **Status:** The source advisory's CVSS vectors for CVE-2024-41976, CVE-2024-41977, and CVE-2024-41978 carry the E:P (Proof-of-Concept) exploit-maturity marker; the v3.1 vectors reproduced above are base metrics only and do not show it. This suggests **PoC is available** for these specific flaws, though "Exploited in the wild" status is not confirmed by this advisory excerpt.
* **Complexity (CVE-2024-41976):** Low (AC:L) for the RCE vector.
* **Attack Vector (Primary):** Network (AV:N) for all detailed CVEs.
## Impact
* **Confidentiality:** High (C:H) for all three detailed CVEs; for CVE-2024-41978 confidentiality is the only impacted property (I:N/A:N).
* **Integrity:** High (I:H) for CVE-2024-41976 and CVE-2024-41977.
* **Availability:** High (A:H) for CVE-2024-41976 and CVE-2024-41977, per the vectors listed above.
## Remediation
### Patches
* **Required Action:** Update to firmware **V8.1 or a later version**.
* **Patch Location:** Siemens Support link: `https://support.industry.siemens.com/cs/ww/en/view/109971718/`
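The remediation rule above ("all versions prior to V8.1 are affected") is easy to get wrong in an inventory check when version strings are inconsistently formatted (`V8.1`, `8.1.1`, `V8.0`). The following is an added example, not code from Siemens or from the advisory, that normalises firmware version strings and flags devices that still need the update. The inventory rows are constructed sample data, and the product-name prefixes used to pick out the affected families are a simplifying assumption for the demonstration.

```python
"""Inventory check for the SCALANCE M-800 / RUGGEDCOM RM1224 advisory (SSA-087301).

Added example: flags devices whose firmware is older than the fixed version V8.1.
The inventory and product-prefix matching are constructed for this demonstration.
"""
import re
from typing import Optional

FIXED_VERSION = "V8.1"  # from the advisory: all versions prior to V8.1 are affected

# Assumption: simplified family matching by product-name prefix, used only to
# skip unrelated inventory rows (the advisory names the families, not a regex).
AFFECTED_FAMILY_PREFIXES = (
    "SCALANCE M8",        # M804PB, M812-1, M816-1, M826-2 and other M-800 members
    "SCALANCE S615",
    "SCALANCE MUM",
    "RUGGEDCOM RM1224",
)

# Accept an optional leading "V"/"v" followed by dotted integers.
_VERSION_RE = re.compile(r"^[Vv]?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Optional[tuple[int, ...]]:
    """Turn 'V7.2.2' / '8.0' / 'V8.1.1' into a comparable tuple; None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    # Pad to three components so V8.1 and V8.1.0 compare as equal.
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(version: str, fixed: str = FIXED_VERSION) -> Optional[bool]:
    """True if version < fixed, False if fixed or newer, None if it cannot be parsed."""
    parsed = parse_version(version)
    if parsed is None:
        return None  # unknown: must be checked by hand rather than silently passed
    return parsed < parse_version(fixed)


def find_affected(inventory):
    """Split affected-family devices into (needs_update, needs_review) name lists."""
    needs_update, needs_review = [], []
    for name, product, version in inventory:
        if not product.startswith(AFFECTED_FAMILY_PREFIXES):
            continue  # product line not covered by this advisory
        status = is_affected(version)
        if status is None:
            needs_review.append(name)
        elif status:
            needs_update.append(name)
    return needs_update, needs_review


# Constructed sample inventory: (device name, product, reported firmware).
SAMPLE_INVENTORY = [
    ("gw-plant-01", "SCALANCE M804PB", "V7.2.2"),
    ("gw-plant-02", "SCALANCE S615", "V8.0"),
    ("gw-plant-03", "SCALANCE M816-1", "V8.1"),
    ("gw-remote-01", "RUGGEDCOM RM1224", "8.1.1"),
    ("gw-remote-02", "RUGGEDCOM RM1224", "unknown"),
    ("sw-core-01", "SCALANCE XC208", "V4.5"),  # unrelated product line, skipped
]

if __name__ == "__main__":
    update, review = find_affected(SAMPLE_INVENTORY)
    print("needs update to V8.1+:", update)
    print("needs manual review:  ", review)
```

Devices whose firmware field cannot be parsed are reported separately rather than treated as patched, so an empty or malformed inventory entry never hides an affected router.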
### Workarounds
No specific workarounds were detailed in the provided excerpt. The primary recommendation is immediate patching.
## Detection
* **Indicators of Compromise:** Not explicitly listed, but anomalous log entries related to VPN configuration changes, privilege escalations, or unexpected 2FA token usage should be investigated.
* **Detection Methods and Tools:** Monitor network traffic to the VPN service for malformed configuration inputs (CVE-2024-41976), monitor web server and system logs for unusual session activity such as one session acting with another user's privileges (CVE-2024-41977), and audit log files for 2FA token-generation material that should never have been written there (CVE-2024-41978).
## References
* Vendor Advisory: Siemens Security Advisory SSA-087301
* General Siemens ProductCERT Inquiries: `https://www.siemens.com/cert/advisories`