Full Report
The products listed below do not properly authorize the change-password function of the web interface. This could allow low-privileged users to escalate their privileges. Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where updates are not available, or not yet available.
Analysis Summary
# Vulnerability: Privilege Escalation in Siemens SCALANCE and RUGGEDCOM Web Interface
## CVE Details
- **CVE ID:** CVE-2022-31765
- **CVSS Score:** 8.8 (High) base score; with the temporal metrics in the vector (E:P/RL:O/RC:C) the temporal score is 7.9.
- **CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:O/RC:C
- **CWE:** CWE-862: Missing Authorization
## Affected Systems
- **Products:**
- RUGGEDCOM RM1224 LTE (EU & NAM)
- SCALANCE M-800 family (M804, M812, M816, M826, M874, M876)
- SCALANCE S615 & S615 EEC
- SCALANCE SC-600 family
- SCALANCE W-700 IEEE 802.11ax family
- SCALANCE XM-400 & XR-500 family
- SCALANCE XB-200, XC-200, XP-200, XF-200BA, XR-300WG families
- **Versions:** All versions before the fixed releases listed under Remediation (for example, all versions < V7.1.2 for the M-800 / S615 / RM1224 family).
- **Configurations:** Devices with the web-based management interface enabled and reachable by at least one low-privileged account.
## Vulnerability Description
The affected products contain a flaw in the web interface's "change password" function. The interface authenticates the caller but does not verify that the caller is authorized to change the password of the account being modified (CWE-862). An authenticated user with low privileges can therefore set a new password on other accounts, including administrative ones, and then log in with those credentials, gaining full administrative control of the device.
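The following is an added, illustrative model of the bug class described above (CWE-862 in a change-password handler), not Siemens firmware code and not taken from the advisory. The user store, role names, endpoint-less function signatures and sample credentials are assumptions made for the example. The vulnerable handler checks only that the caller is logged in; the fixed handler additionally requires re-authentication and enforces that non-administrators may change only their own password.

```python
"""Constructed example of a missing-authorization change-password handler
(CWE-862) beside a hardened version. Not Siemens code; all names are assumed."""
from dataclasses import dataclass, field
import hashlib
import hmac
import os

ROLE_ADMIN = "admin"   # assumed role names
ROLE_USER = "user"
PBKDF2_ITERS = 100_000


@dataclass
class Account:
    name: str
    role: str
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    pw_hash: bytes = b""

    def set_password(self, password: str) -> None:
        # fresh salt per password change; store only the derived hash
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ITERS)

    def check_password(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ITERS)
        return hmac.compare_digest(candidate, self.pw_hash)


class AuthorizationError(Exception):
    """Raised when an authenticated caller is not allowed to perform the action."""


def make_store() -> dict:
    """Constructed user database: one administrator and one low-privileged user."""
    store = {}
    for name, role, pw in (("admin", ROLE_ADMIN, "Adm1n-Initial!"),
                           ("operator", ROLE_USER, "0perator-Initial!")):
        acct = Account(name, role)
        acct.set_password(pw)
        store[name] = acct
    return store


def change_password_vulnerable(store: dict, session_user: str, target_user: str, new_password: str) -> None:
    """Vulnerable: authentication only. Any logged-in account can reset any
    other account's password because the target is never checked against
    the caller's identity or role."""
    if session_user not in store:
        raise PermissionError("not authenticated")
    store[target_user].set_password(new_password)


def change_password_fixed(store: dict, session_user: str, target_user: str,
                          current_password: str, new_password: str) -> None:
    """Hardened: (1) re-authenticate the caller for this sensitive action,
    (2) authorize: a caller may change their own password; only an
    administrator may change someone else's."""
    caller = store.get(session_user)
    if caller is None:
        raise PermissionError("not authenticated")
    target = store.get(target_user)
    if target is None:
        raise KeyError(target_user)
    if not caller.check_password(current_password):
        raise AuthorizationError("re-authentication failed")
    if caller.name != target.name and caller.role != ROLE_ADMIN:
        raise AuthorizationError(f"{caller.name} may not change {target.name}'s password")
    target.set_password(new_password)


def demonstrate() -> dict:
    """Runs the low-privileged 'operator' against both handlers and reports
    whether the administrator's password was taken over in each case."""
    vuln_store = make_store()
    change_password_vulnerable(vuln_store, "operator", "admin", "pwned")
    vuln_taken_over = vuln_store["admin"].check_password("pwned")

    fixed_store = make_store()
    try:
        change_password_fixed(fixed_store, "operator", "admin", "0perator-Initial!", "pwned")
        fixed_taken_over = True
    except AuthorizationError:
        fixed_taken_over = fixed_store["admin"].check_password("pwned")
    return {"vulnerable_admin_taken_over": vuln_taken_over,
            "fixed_admin_taken_over": fixed_taken_over}


if __name__ == "__main__":
    print(demonstrate())
```

The point to take from the hardened version is that the authorization decision compares the caller's identity and role with the target account, not merely that a session exists; re-authentication additionally limits what a hijacked low-privileged session can do.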
## Exploitation
- **Status:** Proof-of-concept level, per the advisory's temporal metric E:P (Exploit Code Maturity: Proof-of-Concept); the advisory does not indicate a functional public exploit or known exploitation in the wild.
- **Prerequisites:** Network access to the web interface and credentials for any low-privileged account (PR:L); no user interaction required (UI:N).
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full access to device configuration and data).
- **Integrity:** High (Ability to modify device settings and user permissions).
- **Availability:** High (Ability to lock out legitimate admins or disrupt network services).
## Remediation
### Patches
Siemens recommends updating to the following versions or later:
- **SCALANCE M-800 / S615 / RUGGEDCOM RM1224:** Update to V7.1.2
- **SCALANCE SC-600:** Update to V2.3.1
- **SCALANCE W-700 (802.11ax):** Update to V2.0.0
- **SCALANCE XM-400 / XR-500:** Update to V6.5.1
- **SCALANCE XB-200 / XC-200 / XP-200 / XF-200BA / XR-300WG:** Update to V4.4
### Workarounds
If updates cannot be applied immediately, Siemens recommends:
- Restrict web interface access to trusted IP addresses or management VLANs.
- Disable the web-based management interface if not strictly required.
- Follow the "Operational Guidelines for Industrial Security" provided by Siemens.

Note that network restrictions reduce exposure but do not remove the flaw: any low-privileged account that can still reach the web interface can exploit it. Until the firmware is updated, also keep the number of low-privileged accounts to a minimum and review who holds them.
## Detection
- **Indicators of Compromise:** Password changes on administrative (or any other) accounts that were initiated from a low-privileged session; unexpected password resets or administrator lockouts; administrative logins from unfamiliar sources shortly after such a change.
- **Detection methods and tools:** Review the device's web server logs or forwarded syslog for password-change requests and correlate the requesting account with the target account; audit user accounts for unauthorized role or password changes.
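As an added example of the correlation described above (not part of the advisory and not based on the real SCALANCE log format), the script below runs a detection rule over constructed log lines. The key=value line layout, the `/api/users/<name>/password` path and the role names are assumptions made for the example; adapt the parser to the actual log source. The rule flags a password-change request when the target account differs from the requesting account and the requester is not an administrator; a 200 response is rated high (the change went through), anything else medium (an attempt, for example against a patched device).

```python
"""Constructed detection example: flag cross-account password changes
made by non-administrative sessions. Log format and paths are assumed."""
import re
from collections import Counter

# Constructed sample log lines (not real SCALANCE/RUGGEDCOM output).
SAMPLE_LOG = """\
2022-10-11T08:12:03Z host=sw01 src=10.0.5.23 user=operator role=user method=POST path=/api/users/operator/password status=200
2022-10-11T08:12:41Z host=sw01 src=10.0.5.23 user=operator role=user method=POST path=/api/users/admin/password status=200
2022-10-11T08:13:02Z host=sw01 src=10.0.5.23 user=operator role=user method=GET path=/api/users/admin status=200
2022-10-11T09:00:17Z host=sw01 src=10.0.1.10 user=admin role=admin method=POST path=/api/users/operator/password status=200
malformed line without fields
2022-10-11T09:05:55Z host=sw01 src=10.0.5.99 user=guest role=user method=POST path=/api/users/admin/password status=403
"""

FIELD_RE = re.compile(r"(\w+)=(\S+)")
PW_PATH_RE = re.compile(r"^/api/users/([^/]+)/password$")   # assumed endpoint
PRIVILEGED_ROLES = {"admin"}                                  # assumed role name
REQUIRED = {"src", "user", "role", "method", "path", "status"}


def parse_line(line: str):
    """Parse '<timestamp> k=v k=v ...' into a dict; return None for lines
    that lack the fields the rule needs, so malformed input is skipped."""
    parts = line.strip().split(" ", 1)
    if len(parts) != 2:
        return None
    fields = dict(FIELD_RE.findall(parts[1]))
    if not REQUIRED.issubset(fields):
        return None
    fields["ts"] = parts[0]
    return fields


def password_change_target(ev: dict):
    """Return the account whose password the request modifies, or None."""
    if ev["method"] != "POST":
        return None
    m = PW_PATH_RE.match(ev["path"])
    return m.group(1) if m else None


def is_cross_account_by_unprivileged(ev: dict) -> bool:
    target = password_change_target(ev)
    return (target is not None
            and target != ev["user"]
            and ev["role"] not in PRIVILEGED_ROLES)


def detect(log_text: str) -> list:
    """Run the rule over every line and return the alerts in log order."""
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        if is_cross_account_by_unprivileged(ev):
            alerts.append({
                "ts": ev["ts"],
                "src": ev["src"],
                "user": ev["user"],
                "target": password_change_target(ev),
                # 200 means the device accepted the change: treat as a likely compromise
                "severity": "high" if ev["status"] == "200" else "medium",
            })
    return alerts


def attempts_by_source(alerts: list) -> Counter:
    """Summarise alerts per source address to spot a single host working
    through several accounts."""
    return Counter(a["src"] for a in alerts)


if __name__ == "__main__":
    found = detect(SAMPLE_LOG)
    for a in found:
        print(f'{a["ts"]} {a["severity"].upper()}: {a["user"]}@{a["src"]} changed password of {a["target"]}')
    print(dict(attempts_by_source(found)))
```

A 200 response to such a request on an unpatched device should be treated as a compromise of the target account: reset its password from a trusted session and review configuration changes made afterwards.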
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-552702[.]pdf
- **Update Link:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109813051/
- **General Advisories:** hxxps://www[.]siemens[.]com/cert/advisories