Full Report
The SCALANCE M-800 family (and the RUGGEDCOM RM1224) before V8.2 is affected by multiple vulnerabilities. Siemens has released V8.2 for the affected products and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in SCALANCE M-800 and RUGGEDCOM RM1224
## CVE Details
This advisory covers 16 distinct CVEs. Four are specific to the Siemens firmware and are highlighted below; the remainder are inherited from bundled third-party components (OpenSSL, OpenVPN, dnsmasq, the Linux kernel and others).
- **CVE-2024-50572**: CVSS 7.2 (High) / CVSS v4.0 8.6 (High) - CWE-74: Injection
- **CVE-2024-50558**: CVSS 7.5 (High) - CWE-306: Missing Authentication
- **CVE-2024-28882**: CVSS 7.5 (High) - OpenVPN (third-party): the server accepts multiple exit notifications from an authenticated client, extending the validity of a closing session
- **CVE-2024-50557**: CVSS 7.5 (High) - CWE-287: Improper Authentication
- **Other IDs** (third-party components): CVE-2021-3506, CVE-2023-28450, CVE-2023-49441, CVE-2024-2511, CVE-2024-4603, CVE-2024-4741, CVE-2024-5594, CVE-2024-26306, CVE-2024-26925, and device-specific CVE-2024-50559, CVE-2024-50560, CVE-2024-50561.
## Affected Systems
- **Products**:
- SCALANCE M-800 family (including S615, MUM-800, M804PB, M812, M816, M826, M874, M876).
- RUGGEDCOM RM1224 family (including LTE EU and NAM variants).
- **Versions**: All versions prior to V8.2.
- **Configurations**: Exposure depends on which services are enabled: web-based management (WBM), SSH, Telnet and certificate upload for the device-specific CVEs; the bundled OpenSSL/OpenVPN stack for the third-party CVEs.
## Vulnerability Description
The SCALANCE M-800 family is affected by a range of technical flaws including:
- **Command Injection (CVE-2024-50572)**: An input field is not properly sanitized, allowing an authenticated remote attacker with administrative privileges to inject code or spawn a system root shell.
- **Authentication Failures (CVE-2024-50558, CVE-2024-50557)**: A missing authentication check on part of the web interface, and improper handling of authentication across a system reboot.
- **OpenVPN Session Handling (CVE-2024-28882)**: A third-party flaw in the bundled OpenVPN: the server accepts repeated exit notifications from an authenticated client, which extends the lifetime of a session that should be closing.
- **Credential Handling (CVE-2024-50560)**: Usernames longer than 15 characters are silently truncated on SSH/Telnet login, so distinct account names that share a 15-character prefix are not kept apart; under specific conditions this can allow unauthorized access.
- **Path Traversal & XSS (CVE-2024-50559, CVE-2024-50561)**: Filenames of uploaded certificate/other files are not properly validated before use.
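The two flaw classes above that hinge on how a supplied string is handled (the unsanitized input field and the truncated username), modelled as a vulnerable routine beside a hardened one. This is an added example, not Siemens code and not a reconstruction of the firmware: `echo` stands in for whatever utility the management page invokes, the user store is a minimal model of the described truncation behaviour, and all account names, passwords and inputs are constructed.

```python
"""
Added example (not Siemens code): models of two input-handling flaw classes
from the advisory, each as a vulnerable routine beside a hardened one. The
user table, account names, passwords and inputs are constructed.
"""
import hashlib
import re
import subprocess
from typing import Optional

# --- 1. Command injection through an unsanitized input field (CWE-74) ------
# `echo` stands in for the device utility (e.g. a diagnostic ping) that a
# management page would call; the mechanics of the flaw are the same.

HOST_RE = re.compile(r"^[A-Za-z0-9.\-]{1,253}$")  # hostname / IPv4 characters only


def run_diag_vulnerable(host: str) -> str:
    # The field is pasted into a command line and handed to /bin/sh, so a ';'
    # in the field ends the intended command and starts a second one.
    proc = subprocess.run(f"echo ping {host}", shell=True,
                          capture_output=True, text=True)
    return proc.stdout


def run_diag_hardened(host: str) -> str:
    # Allow-list the field, then pass an argv list so no shell ever parses it.
    if not HOST_RE.fullmatch(host):
        raise ValueError(f"rejected host field: {host!r}")
    proc = subprocess.run(["echo", "ping", host], capture_output=True, text=True)
    return proc.stdout


# --- 2. Username truncation before lookup (CVE-2024-50560 class) -----------

MAX_USERNAME = 15  # truncation length reported for SSH/Telnet logins


def _pwhash(password: str) -> str:
    # Illustration only; a real credential store uses a slow KDF (scrypt/argon2).
    return hashlib.sha256(password.encode()).hexdigest()


class TruncatingUserStore:
    """Vulnerable model: the name is silently cut to 15 chars on every use, so
    two distinct account names sharing a prefix are one record to the store."""

    def __init__(self) -> None:
        self.records: dict = {}  # truncated name -> (password hash, role)

    def create_user(self, name: str, password: str, role: str) -> None:
        self.records[name[:MAX_USERNAME]] = (_pwhash(password), role)

    def authenticate(self, name: str, password: str) -> Optional[str]:
        rec = self.records.get(name[:MAX_USERNAME])
        if rec and rec[0] == _pwhash(password):
            return rec[1]
        return None


class StrictUserStore:
    """Hardened: the limit is enforced once, at creation, with an explicit
    error; the login path compares the full name and never rewrites input."""

    def __init__(self) -> None:
        self.records: dict = {}  # full name -> (password hash, role)

    def create_user(self, name: str, password: str, role: str) -> None:
        if len(name) > MAX_USERNAME:
            raise ValueError(f"username longer than {MAX_USERNAME} chars: {name!r}")
        if name in self.records:
            raise ValueError(f"username already exists: {name!r}")
        self.records[name] = (_pwhash(password), role)

    def authenticate(self, name: str, password: str) -> Optional[str]:
        rec = self.records.get(name)  # exact match only
        if rec and rec[0] == _pwhash(password):
            return rec[1]
        return None


def truncation_demo() -> dict:
    """Two constructed accounts whose first 15 characters coincide."""
    store = TruncatingUserStore()
    store.create_user("admin-substation-north", "N0rth!pass", "admin")
    store.create_user("admin-substation-south", "S0uth!pass", "readonly")
    return {
        # the admin's own password no longer opens the admin's name ...
        "north_with_north_pw": store.authenticate("admin-substation-north", "N0rth!pass"),
        # ... while another account's password does: the name typed (and logged)
        # is not the identity that was actually authenticated.
        "north_with_south_pw": store.authenticate("admin-substation-north", "S0uth!pass"),
    }
```

The hardened store refuses both 22-character names at creation rather than quietly collapsing them, which is the behaviour to look for when verifying the V8.2 fix against long account names.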
## Exploitation
- **Status**: No known exploitation. The advisory reports neither active exploitation in the wild nor a public proof of concept.
- **Complexity**: Varies by CVE from Low to High; e.g. CVE-2024-50572 is Low complexity, while CVE-2024-50560 is High.
- **Attack Vector**: Network. The flaws are reachable over the device's network-facing management services; several require valid credentials, and CVE-2024-50572 requires administrative privileges.
## Impact
- **Confidentiality**: High (a root shell and the authentication failures expose all data on the device, including credentials and VPN material).
- **Integrity**: High (configuration can be modified and arbitrary code injected by an authenticated administrator).
- **Availability**: High (the root-shell injection and several third-party flaws, e.g. unbounded memory growth in OpenSSL TLSv1.3 session handling, CVE-2024-2511, can take the device or its services offline).
## Remediation
### Patches
- **Update to V8.2 or later**: Siemens recommends that all users of affected SCALANCE M-800 and RUGGEDCOM RM1224 devices apply the V8.2 firmware update as soon as possible.
- Firmware Download: [https://support.industry.siemens.com/cs/ww/en/view/109976047/](https://support.industry.siemens.com/cs/ww/en/view/109976047/)
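A quick way to find devices still below the fixed version in an asset inventory. This is an added example, not Siemens tooling; the inventory rows are constructed and the version strings follow the "V8.2" style used in the advisory. The point it makes is that firmware versions must be compared component by component, not as strings (a hypothetical "V8.10" sorts before "V8.2" as text but would be the newer release).

```python
"""
Added example (not Siemens tooling): flag constructed inventory entries that
are still below the fixed firmware version, comparing versions numerically.
"""
import re

FIXED_VERSION = "V8.2"


def parse_version(v: str) -> tuple:
    """'V8.1.2' -> (8, 1, 2); the leading 'V' is optional."""
    m = re.fullmatch(r"V?(\d+(?:\.\d+)*)", v.strip())
    if not m:
        raise ValueError(f"unparseable firmware version: {v!r}")
    return tuple(int(x) for x in m.group(1).split("."))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    # Tuple comparison handles differing lengths: (8, 2) < (8, 2, 1) is True,
    # so a V8.2.1 maintenance release counts as fixed.
    return parse_version(version) < parse_version(fixed)


def naive_is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    # The pitfall: plain string comparison mis-orders multi-digit components.
    return version < fixed


INVENTORY = [  # constructed rows: (hostname, product, firmware)
    ("scalance-m874-plant1", "SCALANCE M874-3", "V8.1.2"),
    ("scalance-s615-core", "SCALANCE S615", "V8.2"),
    ("rm1224-lte-eu-remote", "RUGGEDCOM RM1224 LTE(4G) EU", "V7.2.2"),
    ("scalance-m812-branch", "SCALANCE M812-1", "V8.10"),  # hypothetical later release
]


def needs_update(inventory=INVENTORY) -> list:
    return [host for host, _, ver in inventory if is_vulnerable(ver)]
```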
### Workarounds
- Limit access to the Web-Based Management (WBM) interface to trusted IP addresses only.
- Disable unused services such as SSH or Telnet if not required for operations.
## Detection
- **Indicators of Compromise**: Monitor for administrative logins from outside the management network, uploads (particularly certificate files) whose filenames contain path-traversal sequences or HTML/script characters, and reboots not preceded by an administrative reboot request.
- **Detection Methods**: Use industrial IDS/IPS signatures for Siemens SCALANCE traffic; audit device logs for SSH/Telnet login attempts with usernames longer than 15 characters (the truncation boundary of CVE-2024-50560) and for shell metacharacters in fields submitted to the web interface.
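The indicators above turned into a small log triage routine, as an added example that is not from the Siemens advisory. The syslog-style message formats, field names and every sample line are constructed for illustration; the regexes need to be adapted to the device's actual log output before use, and the trusted management subnet is an assumption.

```python
"""
Added example (not from the Siemens advisory): triage of constructed,
syslog-style device log lines against the advisory's indicators. Message
formats, field names and all sample lines are constructed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

MAX_USERNAME = 15                    # truncation boundary from the advisory
TRUSTED_ADMIN_NETS = ("10.10.0.",)   # assumption: the management subnet
REBOOT_GRACE = timedelta(minutes=5)  # a boot this soon after an admin request is expected

LOGIN_RE = re.compile(
    r"(?P<svc>ssh|telnet|wbm) login (?P<result>ok|failed) user=(?P<user>\S+) from=(?P<ip>[\d.]+)")
UPLOAD_RE = re.compile(r"wbm upload type=(?P<type>\w+) file=(?P<file>\S+) user=(?P<user>\S+)")
REBOOT_REQ_RE = re.compile(r"wbm reboot requested user=(?P<user>\S+)")
BOOT_RE = re.compile(r"system boot reason=(?P<reason>\w+)")
# traversal sequences (plain or URL-encoded) and HTML/shell metacharacters
SUSPICIOUS_NAME_RE = re.compile(r"\.\./|\.\.\\|%2e%2e|%3c|%3e|[<>\"';&|$`]", re.IGNORECASE)


@dataclass
class Finding:
    ts: datetime
    rule: str
    detail: str


def triage(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    last_reboot_request: Optional[datetime] = None
    for line in lines:
        ts_text, _, msg = line.partition(" ")
        ts = datetime.fromisoformat(ts_text)
        if m := LOGIN_RE.search(msg):
            user, ip, svc = m["user"], m["ip"], m["svc"]
            if svc in ("ssh", "telnet") and len(user) > MAX_USERNAME:
                findings.append(Finding(ts, "long-username",
                    f"{svc} login as {user!r} ({len(user)} chars, device truncates to {MAX_USERNAME}) from {ip}"))
            if m["result"] == "ok" and not ip.startswith(TRUSTED_ADMIN_NETS):
                findings.append(Finding(ts, "login-from-untrusted", f"{svc} login as {user!r} from {ip}"))
        elif m := UPLOAD_RE.search(msg):
            if SUSPICIOUS_NAME_RE.search(m["file"]):
                findings.append(Finding(ts, "suspicious-upload-name",
                    f"{m['type']} upload {m['file']!r} by {m['user']}"))
        elif REBOOT_REQ_RE.search(msg):
            last_reboot_request = ts
        elif m := BOOT_RE.search(msg):
            if last_reboot_request is None or ts - last_reboot_request > REBOOT_GRACE:
                findings.append(Finding(ts, "unexpected-reboot",
                    f"boot (reason={m['reason']}) with no recent admin reboot request"))
            last_reboot_request = None
    return findings


SAMPLE_LOG = [  # constructed lines; only the last three are benign
    "2024-11-12T10:15:03 ssh login ok user=operator from=10.10.0.21",
    "2024-11-12T10:16:40 telnet login failed user=admin-substation-south from=192.0.2.45",
    "2024-11-12T10:17:02 wbm login ok user=admin from=192.0.2.45",
    "2024-11-12T10:18:11 wbm upload type=certificate file=../../etc/sshd_cert.pem user=admin",
    "2024-11-12T10:18:30 wbm upload type=certificate file=<script>alert(1)</script>.pem user=admin",
    "2024-11-12T10:20:00 system boot reason=watchdog",
    "2024-11-12T11:00:00 wbm reboot requested user=admin",
    "2024-11-12T11:01:10 system boot reason=reboot",
    "2024-11-12T11:30:00 wbm upload type=certificate file=plant-ca-2024.pem user=admin",
]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.ts.isoformat(), f.rule, f.detail)
```

The reboot rule is stateful on purpose: a boot is only "unexpected" when no administrative reboot request was logged shortly before it, which is what separates the CVE-2024-50557 scenario from routine maintenance.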
## References
- **Siemens Advisory (SSA-354112)**: [https://cert-portal.siemens.com/productcert/pdf/ssa-354112.pdf](https://cert-portal.siemens.com/productcert/pdf/ssa-354112.pdf)
- **Siemens ProductCERT**: [https://www.siemens.com/cert/advisories](https://www.siemens.com/cert/advisories)