Full Report
The SCALANCE W1750D device is affected by Wi-Fi encryption bypass vulnerabilities (“Framing Frames”) that could allow an attacker to disclose sensitive information or to steal the victims session. Siemens has released updates for the affected products and recommends to update to the latest versions.
Analysis Summary
# Vulnerability: Wi-Fi Encryption Bypass Vulnerabilities in SCALANCE W1750D ("Framing Frames")
## CVE Details
- CVE ID: CVE-2022-47522
- CVSS Score: 8.4 (High)
- CWE: CWE-20 (Improper Input Validation)
## Affected Systems
- Products: SCALANCE W1750D (JP, ROW, USA variants: 6GK5750-2HX01-1AD0, 6GK5750-2HX01-1AA0, 6GK5750-2HX01-1AB0)
- Versions: All versions prior to V8.10.0.6
- Configurations: Applicable to scenarios involving Security Context Override (SCO) and Fast Reconnect Attack, as per Aruba analysis (Scenario 1, Power Save Features, is noted as *not* affecting these products).
## Vulnerability Description
The vulnerability stems from IEEE 802.11 specifications weakness where an access point does not require purging its transmit queue before removing a client's pairwise encryption key. A physically proximate attacker can leverage this by spoofing a target's MAC address, sending Power Save frames to the Access Point, and subsequently sending authentication or re-association frames. This forces the removal of the target's security context, allowing the attacker to intercept target-destined frames, potentially in cleartext, leading to session theft or sensitive information disclosure.
## Exploitation
- Status: PoC available (Related to the underlying "Framing Frames" research, specifically for SCO and Fast Reconnect Scenarios)
- Complexity: Low (Based on the 8.4 CVSS score indicating low attack complexity aspects, though the vector is Adjacent network access.)
- Attack Vector: Adjacent Network (AV:A)
## Impact
- Confidentiality: High (C:H) - Disclosure of sensitive information, session theft.
- Integrity: High (I:H) - Potential modification or manipulation of traffic.
- Availability: High (A:H) - Potential disruption caused by connection manipulation.
## Remediation
### Patches
- Update to version **V8.10.0.6** or a later version for all affected SCALANCE W1750D models.
- **Note:** The update is available upon request from customer support.
### Workarounds
- No specific workarounds are explicitly detailed in this advisory beyond adhering to general security recommendations, which include protecting network access and configuring the environment according to Siemens' operational guidelines for Industrial Security.
## Detection
- The advisory does not list specific Indicators of Compromise (IOCs).
- Detection would require monitoring for unusual Wi-Fi frame sequences that manipulate client power save states or rapidly initiate re-authentication/re-association procedures targeting specific clients on the network, potentially indicating an attack matching the SCO or Fast Reconnect methodologies.
## References
- Siemens Advisory: SSA-516174
- Aruba Advisory: ARUBA-PSA-2023-005 (Defanged URL: hxxps://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-005.txt)
- Original Research Paper (Defanged URL: hxxps://papers.mathyvanhoef.com/usenix2023-wifi.pdf)
- Siemens Industrial Security Operational Guidelines (Defanged URL: hxxps://www.siemens.com/cert/operational-guidelines-industrial-security)