Full Report
The SCALANCE W1750D device contains multiple vulnerabilities in the integrated OpenSSL component that could allow an attacker to read memory contents, decrypt RSA-encrypted messages or create a denial of service condition. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Multiple OpenSSL Vulnerabilities in SCALANCE W1750D
## CVE Details
- **CVE ID:** CVE-2022-4304, CVE-2022-4450, CVE-2023-0215, CVE-2023-0286
- **CVSS Score:** 7.4 (High)
- **CWE:** CWE-20 (Improper Input Validation), CWE-476 (NULL Pointer Dereference), CWE-416 (Use After Free)
## Affected Systems
- **Products:**
  - SCALANCE W1750D (JP) (6GK5750-2HX01-1AD0)
  - SCALANCE W1750D (ROW) (6GK5750-2HX01-1AA0)
  - SCALANCE W1750D (USA) (6GK5750-2HX01-1AB0)
- **Versions:** All versions prior to V8.10.0.9
- **Configurations:** Devices utilizing integrated OpenSSL components for web management, certificate handling, or CRL (Certificate Revocation List) checking.
## Vulnerability Description
The integrated OpenSSL component in the SCALANCE W1750D (a brand-labeled Aruba device) contains several flaws:
- **CVE-2022-4304:** A timing-based side-channel in RSA decryption (Bleichenbacher-style attack) allowing plaintext recovery.
- **CVE-2022-4450:** A double-free vulnerability triggered when parsing PEM certificates, leading to a Denial of Service (DoS).
- **CVE-2023-0215:** A Use-After-Free flaw in `BIO_new_NDEF` potentially leading to DoS.
- **CVE-2023-0286:** A high-severity type confusion flaw in `GENERAL_NAME_cmp` involving X.400 addresses. This allows an attacker to pass arbitrary pointers to `memcmp`, potentially reading memory contents or causing a DoS when CRL checking is enabled.
## Exploitation
- **Status:** PoC available for several constituent OpenSSL CVEs; no specific mention of active exploitation in the wild for this hardware.
- **Complexity:** High (requires specific conditions such as timing measurements or malformed certificates/CRLs).
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Memory content disclosure, RSA decryption).
- **Integrity:** None
- **Availability:** High (Denial of Service via application crash).
## Remediation
### Patches
- **Update to V8.10.0.9 or later.**
- **Note:** Updates are available upon request from Siemens Customer Support.
### Workarounds
- **For CVE-2022-4304:** Disable the use of RSA ciphers in the web server configuration (notably, these are disabled by default).
- **For CVE-2023-0286:** Disable CRL (Certificate Revocation List) checking if possible.
- **For CVE-2022-4450:** Restrict the import of PEM certificate files from untrusted sources.
## Detection
- **Indicators of Compromise:** Unexpected crashes of the web management interface or device reboots.
- **Detection methods:** Vulnerability scanners can identify outdated OpenSSL versions or the specific firmware version (pre-V8.10.0.9) via network asset discovery.
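The firmware-version check described above, as an added example that is not part of the Siemens or Aruba advisories: it compares each inventoried W1750D against the fixed version V8.10.0.9 using numeric comparison of the version components, since a plain string comparison would wrongly rank "8.9" above "8.10". The article numbers and fixed version come from the advisory; the inventory format (`hostname;article;firmware`), hostnames and the non-W1750D article number are constructed sample data.

```python
# Added example (not from the Siemens/Aruba advisories): flag SCALANCE W1750D
# devices whose firmware is older than the fixed version V8.10.0.9.
import re
from typing import List, Tuple

FIXED_VERSION = "V8.10.0.9"  # advisory: all versions prior to this are affected

# Article numbers of the affected W1750D variants, as listed in the advisory.
AFFECTED_ARTICLE_NUMBERS = {
    "6GK5750-2HX01-1AD0",  # JP
    "6GK5750-2HX01-1AA0",  # ROW
    "6GK5750-2HX01-1AB0",  # USA
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'V8.10.0.9' or '8.9.0.3' into a tuple of ints.

    Tuples of ints compare component-wise, so 8.9 < 8.10 as intended;
    comparing the raw strings would rank '8.9' above '8.10'.
    """
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+)*)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_affected(article_number: str, version: str) -> bool:
    """True when the device is a listed W1750D variant on pre-fix firmware."""
    if article_number not in AFFECTED_ARTICLE_NUMBERS:
        return False
    return parse_version(version) < parse_version(FIXED_VERSION)


# Constructed sample inventory export: hostname;article number;firmware version.
# Hostnames and the last (non-W1750D) article number are placeholders.
SAMPLE_INVENTORY = """\
ap-hall-01;6GK5750-2HX01-1AA0;V8.9.0.3
ap-hall-02;6GK5750-2HX01-1AA0;V8.10.0.9
ap-lab-01;6GK5750-2HX01-1AB0;V8.10.1.0
ap-dock-01;6GK5750-2HX01-1AD0;V8.6.0.18
switch-01;OTHER-ARTICLE-PLACEHOLDER;V4.1.0
"""


def find_affected(inventory: str) -> List[str]:
    """Return hostnames of devices that still need the V8.10.0.9 update."""
    hits = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, article, firmware = (field.strip() for field in line.split(";"))
        if is_affected(article, firmware):
            hits.append(host)
    return hits


if __name__ == "__main__":
    for host in find_affected(SAMPLE_INVENTORY):
        print(f"{host}: update to {FIXED_VERSION} or later")
```

Run against a real asset export, the only lines to adapt are the field order in `find_affected` and the inventory source; the version parsing and the article-number filter stay as they are.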
## References
- **Siemens Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-203374[.]pdf
- **Aruba Advisory:** hxxps://www[.]arubanetworks[.]com/assets/alert/ARUBA-PSA-2023-001[.]txt
- **Operational Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security