# Full Report
SCALANCE devices contain multiple vulnerabilities in MSPS-based product lines that could allow authenticated remote attackers to execute custom code or trigger an XSS condition, and unauthenticated remote attackers to create a denial-of-service condition. Siemens has released updates for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where updates are not, or not yet, available.
# Analysis Summary
# Vulnerability: Multiple Web Vulnerabilities in SCALANCE Products
## CVE Details
- **CVE ID:** CVE-2022-36323, CVE-2022-36324, CVE-2022-36325
- **CVSS Score:** 9.1 (Critical), 7.5 (High), 6.8 (Medium)
- **CWE:**
  - CWE-74: Improper Neutralization of Special Elements ('Injection')
  - CWE-770: Allocation of Resources Without Limits or Throttling
  - CWE-80: Improper Neutralization of Script-Related HTML Tags ('XSS')
## Affected Systems
- **Products:**
  - RUGGEDCOM RM1224 LTE (EU/NAM)
  - SCALANCE M804PB, M812-1, M816-1, M826-2
  - SCALANCE M874-2, M874-3, M876-3
  - SIPLUS extreme counterparts (devices based on the above hardware)
- **Versions:** All versions prior to V7.1.2
- **Configurations:** Web-based management interface enabled.
## Vulnerability Description
The SCALANCE MSPS-based product lines contain three distinct flaws:
1. **Command Injection (CVE-2022-36323):** Failure to sanitize an input field allows an authenticated administrator to inject commands or spawn a system root shell.
2. **Resource Exhaustion DoS (CVE-2022-36324):** Improper handling of SSL/TLS renegotiation allows an unauthenticated attacker to bypass TCP brute force protections, causing a Denial of Service.
3. **DOM-based XSS (CVE-2022-36325):** Improper sanitization of user-provided data during web interface rendering allows authenticated administrators to execute malicious scripts via Cross-Site Scripting.
## Exploitation
- **Status:** PoC Available (indicated by "E:P" in CVSS vectors)
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** High (Full system access via root shell)
- **Integrity:** High (Code execution and data modification)
- **Availability:** High (Device lockup/DoS and system-level crashes)
## Remediation
### Patches
- **Update to V7.1.2 or later:** Applicable to all listed SCALANCE and RUGGEDCOM RM1224 models.
### Workarounds
- **Restrict Access:** Limit access to the device's web interface to trusted IP addresses or management networks only.
- **Disable Web Services:** If the web interface is not required for daily operations, disable HTTP/HTTPS services.
- **VLAN Isolation:** Place management interfaces in a dedicated VLAN without internet access.
## Detection
- **Indicators of Compromise:**
  - Excessive SSL/TLS handshake requests in logs (renegotiation attacks).
  - Presence of unauthorized system configuration changes or unrecognized scripts in the web UI.
  - Unexpected creation of system-level shells or processes.
- **Detection methods and tools:**
  - Monitor network traffic for repeated TLS renegotiation attempts.
  - Audit administrative logs for unusual input patterns in web-based configuration fields.
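The renegotiation-monitoring item above, as an added example that is not part of this advisory or any Siemens tooling: a sliding-window counter over TLS event log lines that flags sources exceeding a renegotiation rate. The log format, client addresses and thresholds are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample syslog-style lines (assumed format, not real SCALANCE output).
SAMPLE_LOG = """\
2022-08-09T10:00:00 tls client=198.51.100.7 event=handshake
2022-08-09T10:00:01 tls client=198.51.100.7 event=renegotiation
2022-08-09T10:00:02 tls client=192.0.2.10 event=handshake
2022-08-09T10:00:02 tls client=192.0.2.10 event=renegotiation
2022-08-09T10:00:02 tls client=192.0.2.10 event=renegotiation
2022-08-09T10:00:03 tls client=192.0.2.10 event=renegotiation
2022-08-09T10:00:03 tls client=192.0.2.10 event=renegotiation
2022-08-09T10:00:04 tls client=192.0.2.10 event=renegotiation
2022-08-09T10:00:04 tls client=192.0.2.10 event=renegotiation
2022-08-09T10:00:05 tls client=192.0.2.10 event=renegotiation
2022-08-09T10:00:30 tls client=198.51.100.7 event=renegotiation
this line is malformed and must be skipped
2022-08-09T10:00:45 tls client=198.51.100.7 event=renegotiation
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) tls client=(?P<ip>\S+) event=(?P<ev>\S+)$")

def parse_line(line):
    """Return (timestamp, client_ip, event) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return datetime.fromisoformat(m["ts"]), m["ip"], m["ev"]

def detect_renegotiation_floods(log_text, threshold=5, window_s=10):
    """Map each client whose renegotiations exceed `threshold` inside any `window_s`-second
    sliding window to its peak count. Input lines are assumed to be time-ordered."""
    recent = defaultdict(deque)   # ip -> renegotiation timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != "renegotiation":
            continue              # skip malformed lines and ordinary handshakes
        ts, ip, _ = rec
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # age out events older than the window
        if len(q) > threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged

if __name__ == "__main__":
    for ip, peak in detect_renegotiation_floods(SAMPLE_LOG).items():
        print(f"possible renegotiation flood from {ip}: {peak} events within 10 s")
```

Tune `threshold` and `window_s` to the legitimate renegotiation rate observed on your own management network before alerting on the result.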
## References
- **Vendor advisories:** SSA-710008
- **Relevant links:**
  - hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-710008.pdf
  - hxxps://support.industry.siemens[.]com/cs/ww/en/view/109813051/
  - hxxps://nvd.nist[.]gov/vuln/detail/CVE-2022-36323