Full Report
SCALANCE LPE9403 is affected by multiple vulnerabilities that could allow an attacker to impact its confidentiality, integrity and availability. Siemens has released an update for the SCALANCE LPE9403 and recommends to update to the latest version.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in SCALANCE LPE9403
## CVE Details
- **CVE ID:** CVE-2023-27407
- **CVSS Score:** 9.9 (Critical)
- **CWE:** CWE-77 (Command Injection)
- **CVE ID:** CVE-2023-27408
- **CVSS Score:** 3.3 (Low)
- **CWE:** CWE-378 (Insecure Temporary File Permissions)
- **CVE ID:** CVE-2023-27409
- **CVSS Score:** 2.5 (Low)
- **CWE:** CWE-22 (Path Traversal)
- **CVE ID:** CVE-2023-27410
- **CVSS Score:** 2.7 (Low)
- **CWE:** CWE-122 (Heap-based Buffer Overflow)
## Affected Systems
- **Products:** SCALANCE LPE9403 (Local Processing Engine)
- **Versions:** All versions prior to V2.1
- **Configurations:** Systems with Web-Based Management (WBM) or SSH interfaces enabled.
## Vulnerability Description
The SCALANCE LPE9403 contains four distinct vulnerabilities:
1. **Command Injection (CVE-2023-27407):** The Web-Based Management interface fails to properly validate user input. An authenticated attacker can inject commands to execute arbitrary code as the **root** user on the underlying OS.
2. **Insecure Mutex Permissions (CVE-2023-27408):** The `i2c` mutex file is created with global read/write permissions (`-rw-rw-rw-`). An attacker with SSH access can manipulate the mutex, potentially corrupting data or interfering with i2c applications.
3. **Path Traversal (CVE-2023-27409):** The `deviceinfo` binary improperly handles the `mac` parameter. An attacker with SSH access can exploit this to read any file on the system named `address` outside of intended directories.
4. **Heap Overflow (CVE-2023-27410):** The `edgebox_web_app` binary does not check the length of backup passwords. Providing a password exceeding 255 characters causes a heap buffer overflow, leading to a Denial of Service (DoS).
## Exploitation
- **Status:** PoC available (Exploit Code Maturity: Functional/Proven according to CVSS vectors)
- **Complexity:** Low (CVE-2023-27407, 27408, 27410) to High (CVE-2023-27409)
- **Attack Vector:** Network (WBM vulnerabilities) and Local (SSH-based vulnerabilities)
## Impact
- **Confidentiality:** High (Full OS access via root command injection)
- **Integrity:** High (Ability to modify system files and mutex data)
- **Availability:** High (Critical system crash and DoS potential)
## Remediation
### Patches
- **Update to V2.1 or later:** Siemens recommends upgrading affected devices immediately.
- Firmware Download: hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109817856/
### Workarounds
- **Network Segmentation:** Protect network access to the device using VLANs or firewalls.
- **Access Control:** Restrict access to the Web-Based Management and SSH interfaces to trusted personnel only.
- **Operational Guidelines:** Adhere to Siemens’ Industrial Security guidelines for protected IT environments.
## Detection
- **Indicators of Compromise:** Unusual root-level processes, unauthorized configuration changes, or frequent crashes of the `edgebox_web_app` service.
- **Detection Methods:** Audit web server logs for suspicious characters in input fields (Command Injection) and monitor SSH sessions for unauthorized executions of the `deviceinfo` binary.
## References
- **Siemens Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-325383[.]pdf
- **Industrial Security Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security