# Full Report
The products listed below contain a denial of service vulnerability in the TCP event interface that could allow an unauthenticated remote attacker to render the device unusable. Siemens has released updates for the affected products and recommends updating to the latest versions.
# Analysis Summary
# Vulnerability: Denial of Service in Siemens SCALANCE and RUGGEDCOM TCP Event Service
## CVE Details
- **CVE ID:** CVE-2022-31766
- **CVSS Score:** 8.6 (High)
- **CWE:** CWE-20: Improper Input Validation
## Affected Systems
- **Products:**
  - SCALANCE M-800 family (including S615, MUM-800, RM1224, S615 EEC, and M876-4)
  - RUGGEDCOM RM1224 family
  - SCALANCE W-700 IEEE 802.11ax/802.11n families
  - SCALANCE W-1700 family
  - SCALANCE X switches
- **Versions:**
  - SCALANCE M-800 / RUGGEDCOM RM1224: Versions prior to V7.1.2
  - SCALANCE W-700 (IEEE 802.11ax family): Versions prior to V3.0.0
- **Configurations:** Systems are only vulnerable if the **TCP Event feature** is enabled (it is disabled by default).
## Vulnerability Description
Affected devices fail to properly validate input when handling packets directed at the TCP Event interface. An unauthenticated remote attacker can send specifically crafted malformed packets to the service, triggering a system crash or spontaneous reboot. Because these devices are industrial routers and switches, a reboot results in a Denial of Service (DoS) for all connected network resources.
## Exploitation
- **Status:** PoC available (indicated by the CVSS temporal metric "E:P", Proof-of-Concept)
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** High (Device rendered unusable/rebooted)
## Remediation
### Patches
Siemens recommends updating affected products to the following versions or later:
- **SCALANCE M-800 / RUGGEDCOM RM1224:** Update to **V7.1.2**
- **SCALANCE W-700 (802.11ax family):** Update to **V3.0.0**
### Workarounds
- **Deactivate the TCP Event feature:** This feature is not active by default; ensure it remains disabled if not required for operations.
- **Access Control:** Restrict access to the TCP Event Service port (default **26864/tcp**) to trusted internal networks and specific client IP addresses only.
- **General Mitigation:** Segment networks to ensure that industrial components (PLCs/HMIs) are not exposed to untrusted traffic.
## Detection
- **Indicators of Compromise:** Unexpected/repetitive device reboots; service interruptions associated with traffic on port 26864/tcp.
- **Detection Methods:** Monitor network traffic for malformed packets targeting port 26864. Use IDS/IPS signatures to alert on unauthorized connection attempts to the TCP Event Service port.
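The access-control workaround above (allow only specific client addresses to reach 26864/tcp) and the detection advice (alert on unauthorized connection attempts to that port) can be checked against a connection log with a short script. The following is an added example, not code from Siemens or from the advisory; the log format, the sample lines, the trusted client range and the burst threshold are all constructed assumptions, and the only value taken from the advisory is the default port 26864/tcp.

```python
"""Added example (not from the Siemens advisory): flag TCP connection attempts to the
TCP Event Service port that do not originate from an approved client address, and
count repeated attempts per source so that a burst stands out for triage.
The log format, sample lines and allowlist below are constructed for illustration."""
import ipaddress
from collections import Counter

TCP_EVENT_PORT = 26864  # default TCP Event Service port named in the advisory

# Assumed allowlist: the only client network permitted to reach the TCP Event Service.
TRUSTED_CLIENTS = [ipaddress.ip_network("10.10.5.0/24")]

# Constructed firewall-style connection log: timestamp src_ip dst_ip dst_port proto
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 10.10.5.20 10.10.1.1 26864 tcp
2024-03-01T10:00:02Z 192.168.77.9 10.10.1.1 26864 tcp
2024-03-01T10:00:02Z 192.168.77.9 10.10.1.1 26864 tcp
2024-03-01T10:00:03Z 192.168.77.9 10.10.1.1 26864 tcp
2024-03-01T10:00:04Z 10.10.5.21 10.10.1.1 443 tcp
2024-03-01T10:00:05Z 172.16.3.4 10.10.1.1 26864 udp
"""


def parse_line(line):
    """Split one constructed log line into its fields."""
    ts, src, dst, port, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "proto": proto}


def is_trusted(src):
    """True if the source address falls inside an allowlisted client network."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in TRUSTED_CLIENTS)


def find_untrusted_tcp_event_connections(log_text):
    """Return (timestamp, src, dst) for TCP connections to the TCP Event port
    whose source is not on the allowlist. Other ports and protocols are ignored."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp" or rec["port"] != TCP_EVENT_PORT:
            continue
        if not is_trusted(rec["src"]):
            hits.append((rec["ts"], rec["src"], rec["dst"]))
    return hits


def burst_sources(hits, threshold=3):
    """Sources with at least `threshold` untrusted attempts; a burst from one
    address is the pattern worth correlating with unexpected device reboots."""
    counts = Counter(src for _, src, _ in hits)
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = find_untrusted_tcp_event_connections(SAMPLE_LOG)
    for ts, src, dst in found:
        print(f"{ts} untrusted source {src} -> {dst}:{TCP_EVENT_PORT}/tcp")
    print("burst sources:", burst_sources(found))
```

The allowlist check is the same policy the firewall rule would enforce, so the script doubles as a review of whether the workaround is actually in place: any hit means traffic reached the port from an address that should have been blocked. Pair the burst list with the device's reboot timestamps to confirm or rule out the availability impact described above.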
## References
- **Vendor Advisory:** SSA-697140
- **Advisory Link:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-697140[.]pdf
- **Software Updates:** hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109813051/
- **Industrial Security Guidelines:** hxxps://www[.]siemens[.]com/cert/operational-guidelines-industrial-security