Full Report
Multiple SCALANCE devices are affected by several vulnerabilities that could allow an attacker to inject code, retrieve data such as debug information or user CLI passwords, or put the CLI into an unresponsive state. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Multiple Flaws in Siemens SCALANCE and RUGGEDCOM Devices
## CVE Details
- **CVE-2022-34821**: CVSS 7.6 (High) | CWE-78: OS Command Injection
- **CVE-2022-46140**: CVSS 6.5 (Medium) | CWE-200: Exposure of Sensitive Information
- **CVE-2022-46142**: CVSS 5.1 (Medium) | CWE-257: Storing Passwords in a Recoverable Format
- **CVE-2022-46143**: CVSS 2.7 (Low) | CWE-1284: Improper Validation of Specified Quantity
- **CVE-2022-46144**: CVSS 6.5 (Medium) | CWE-664: Improper Resource Control
## Affected Systems
- **Products**:
  - SCALANCE M-800 family (including S615, MUM-800, and RM1224)
  - RUGGEDCOM RM1224 family
  - SCALANCE W-700 IEEE 802.11ax family (WAB762, WAM763, WAM766)
  - SCALANCE XB-200, XC-200, XP-200, XF-200BA, XR-300WG, and XR-500 families
- **Versions**:
  - Various versions prior to V3.0.0, V7.2, or V2.0.0 depending on the specific model.
- **Configurations**:
  - Systems with CLI access enabled, TFTP services active, or those where debug information and configuration backups are accessible to unauthorized users.
## Vulnerability Description
This advisory covers five distinct security flaws:
1. **OS Command Injection (CVE-2022-34821)**: Improper neutralization of special elements in CLI commands allows an authenticated user to execute arbitrary code with root privileges.
2. **Information Exposure (CVE-2022-46140)**: Debug information accessible via the web interface or CLI may contain sensitive system data.
3. **Recoverable Passwords (CVE-2022-46142)**: User CLI passwords are included in configuration backups in a format that can be reversed/recovered.
4. **Uninitialized Buffer Read (CVE-2022-46143)**: Incorrect TFTP block size validation allows an attacker to read uninitialized memory buffers.
5. **Denial of Service (CVE-2022-46144)**: Improper resource cleanup after a forcefully terminated SSH session can cause the CLI (SSH and Serial) to become unresponsive.
## Exploitation
- **Status**: Not currently reported as exploited in the wild; no PoC is mentioned in the advisory.
- **Complexity**: Low
- **Attack Vector**:
  - **Network**: CVE-2022-34821, 46140, 46143, 46144
  - **Physical**: CVE-2022-46142 (requires access to backup files or physical console)
## Impact
- **Confidentiality**: High (code execution, password recovery, and uninitialized-memory disclosure).
- **Integrity**: Low (Limited by the specific vulnerability type).
- **Availability**: High (CLI service can be rendered completely unresponsive).
## Remediation
### Patches
Siemens recommends updating to the following versions or later:
- **SCALANCE M-800 / RUGGEDCOM RM1224**: Update to V7.2
- **SCALANCE W-700 (802.11ax)**: Update to V3.0.0 (or V2.0.0 for specific models)
- **SCALANCE X-200/X-300/X-500**: Refer to specific fix versions in the Siemens advisory.
### Workarounds
- Protect network access to the devices with firewalls.
- Disable unused services (e.g., TFTP, SSH) if not required for operations.
- Ensure only trusted personnel have physical access to the hardware and configuration backups.
## Detection
- **Indicators of Compromise**: Monitor for unexpected SSH disconnections followed by loss of CLI access; audit CLI logs for unusual command strings containing shell metacharacters (`;`, `&`, `|`).
- **Detection methods**: Vulnerability scanners updated with the latest Siemens NAS/OVAL definitions; manual version checks against the advisory.
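The CLI log audit suggested above, written out as an added example (not part of the advisory or any Siemens tooling). The syslog-style line format `<timestamp> <host> cli[<user>]: <command>` and the sample lines are constructed assumptions; real SCALANCE log formats will differ and the `LOG_RE` pattern must be adapted. Beyond the `;`, `&` and `|` named in the advisory summary, the scan also treats backtick and `$(` as separator/substitution tokens, and it whitelists the common `| include` / `| exclude` / `| begin` output filters so that legitimate CLI pipes do not produce false positives.

```python
"""Audit CLI command logs for shell metacharacters (added example).

The log line format below is an assumption, not the SCALANCE format, and
the sample log is constructed for this demonstration.
"""
import re
from collections import Counter

# Assumed line shape: "<timestamp> <host> cli[<user>]: <command>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+cli\[(?P<user>[^\]]+)\]:\s*(?P<cmd>.*)$"
)

# Tokens from the advisory summary (; & |) plus backtick and "$(", which are
# also command-separator / substitution tokens (extension, not from the page).
METACHAR_RE = re.compile(r"\$\(|[;&|`]")

# Legitimate CLI output filters that use "|" and must not be flagged.
ALLOWED_PIPE_RE = re.compile(r"\|\s*(include|exclude|begin)\b")

# Constructed sample log: one clean session plus a few suspicious commands.
SAMPLE_LOG = """\
2022-12-13T09:14:02Z scalance-m874 cli[admin]: show version
2022-12-13T09:14:10Z scalance-m874 cli[admin]: ping 192.0.2.10; ls /
2022-12-13T09:15:31Z scalance-m874 cli[operator]: show interfaces | include up
2022-12-13T09:16:05Z scalance-m874 cli[admin]: ping $(id)
2022-12-13T09:17:44Z scalance-m874 cli[operator]: configure terminal
2022-12-13T09:18:00Z scalance-m874 cli[guest]: traceroute 192.0.2.1 & show users
malformed line without the expected fields
"""


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_metachars(cmd):
    """Return metacharacter tokens found in a command, ignoring allowed filters."""
    scan_target = ALLOWED_PIPE_RE.sub(" ", cmd)
    return METACHAR_RE.findall(scan_target)


def audit(log_text):
    """Scan a whole log and return one finding per command containing tokens."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped here; count them in production
        hits = find_metachars(rec["cmd"])
        if hits:
            findings.append({
                "line": lineno,
                "ts": rec["ts"],
                "user": rec["user"],
                "cmd": rec["cmd"],
                "tokens": sorted(set(hits)),
            })
    return findings


def per_user_counts(findings):
    """Count flagged commands per CLI user, useful for prioritising review."""
    return Counter(f["user"] for f in findings)


if __name__ == "__main__":
    results = audit(SAMPLE_LOG)
    for f in results:
        print(f"line {f['line']} {f['ts']} user={f['user']} tokens={f['tokens']}: {f['cmd']}")
    print("flagged per user:", dict(per_user_counts(results)))
```

Run against the constructed log, the audit flags lines 2, 4 and 6 and leaves the `| include` filter on line 3 alone; on a real device the allowlist should be extended with whatever output filters that CLI actually supports, and every flagged command should be reviewed by hand rather than treated as a confirmed exploitation attempt.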
## References
- **Siemens Advisory SSA-413565**: hxxts://cert-portal.siemens.com/productcert/pdf/ssa-413565.pdf
- **Siemens ProductCERT**: hxxts://www.siemens.com/cert/advisories
- **Update Link**: hxxts://support.industry.siemens.com/cs/ww/en/view/109817007/