Full Report
Multiple vulnerabilities affecting various third-party components of SCALANCE W-700 IEEE 802.11ax devices before V2.0 could allow an attacker to cause a denial of service condition, disclose sensitive data or violate the system integrity. Siemens has released an update for SCALANCE W-700 IEEE 802.11ax and recommends to update to the latest version.
Analysis Summary
# Vulnerability: Third-Party Component Vulnerabilities in SCALANCE W-700 IEEE 802.11ax
## CVE Details
The following are representative high-impact CVEs from the advisory:
- **CVE-2021-42378**: CVSS 6.6 (Medium) | CWE-416 (Use After Free) - BusyBox awk applet
- **CVE-2021-42384**: CVSS 6.6 (Medium) | CWE-416 (Use After Free) - BusyBox awk applet
- **CVE-2021-42385**: CVSS 6.6 (Medium) | CWE-416 (Use After Free) - BusyBox awk
- **CVE-2021-42386**: CVSS 6.6 (Medium) | CWE-416 (Use After Free) - BusyBox awk
- **CVE-2022-23395**: CVSS 6.1 (Medium) | CWE-1321 (Prototype Pollution) - jQuery Cookie
- **Aggregate Advisory Score**: 8.1 (High)
## Affected Systems
- **Products**: SCALANCE W-700 IEEE 802.11ax family (Access Points and Client Modules)
- **Specific Models**:
- WAM763-1
- WAM766-1 (EU, US, and EEC variants)
- WUM763-1
- WUM766-1 (EU and US variants)
- **Versions**: All versions prior to V2.0
- **Configurations**: Devices operating in industrial WLAN environments (standard IEEE 802.11ax).
## Vulnerability Description
These devices utilize several third-party software components (including BusyBox and jQuery) that contain known security flaws.
- **BusyBox (awk applet)**: Multiple Use-After-Free vulnerabilities exist when processing specifically crafted `awk` patterns. These flaws occur in various functions such as `evaluate`, `handle_special`, and `nvalloc`.
- **jQuery Cookie**: A prototype pollution vulnerability in version 1.4.1 allows for the modification of object prototype attributes.
## Exploitation
- **Status**: PoC available (indicated by "E:P" in CVSS vectors).
- **Complexity**: Ranges from Low (jQuery) to High (BusyBox awk).
- **Attack Vector**: Network (for most components).
## Impact
- **Confidentiality**: High (Potential for sensitive data disclosure and code execution).
- **Integrity**: High (Violation of system integrity and DOM XSS).
- **Availability**: High (Denial of Service conditions via application crashes).
## Remediation
### Patches
Siemens recommends updating all affected SCALANCE W-700 devices to **V2.0 or later**.
- Firmware download: [https://support.industry.siemens.com/cs/ww/en/view/109815650/](https://support.industry.siemens.com/cs/ww/en/view/109815650/)
### Workarounds
No specific software workarounds are provided. General mitigations include:
- Protect network access with robust firewalls and segmentation.
- Operate devices strictly within protected IT/industrial environments.
- Follow Siemens' operational guidelines for Industrial Security.
## Detection
- **Indicators of Compromise**: Unexpected device reboots (DoS), unauthorized configuration changes, or unusual network traffic patterns originating from the BusyBox applets.
- **Detection Methods**: Use vulnerability scanners to identify firmware versions < V2.0. Monitor for exploit attempts targeting the `awk` applet or prototype pollution in web-based management interfaces.
## References
- **Vendor Advisory**: [https://cert-portal.siemens.com/productcert/html/ssa-565386.html](https://cert-portal.siemens.com/productcert/html/ssa-565386.html)
- **Siemens Industrial Security**: [https://www.siemens.com/industrialsecurity](https://www.siemens.com/industrialsecurity)
- **Operational Guidelines**: [https://www.siemens.com/cert/operational-guidelines-industrial-security](https://www.siemens.com/cert/operational-guidelines-industrial-security)