Full Report
The SCALANCE W1750D devices contain multiple vulnerabilities that could allow an attacker to inject commands or exploit buffer overflow vulnerabilities, which could lead to sensitive information disclosure, unauthenticated denial of service or unauthenticated remote code execution. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Multiple Critical Vulnerabilities in Siemens SCALANCE W1750D (Command Injection, RCE, DoS)
## CVE Details
The advisory covers multiple CVEs. The summary provided focuses on the most critical known examples:
- **CVE ID (Examples):** CVE-2023-45614 through CVE-2023-45627 (Multiple IDs referenced)
* *Note: Specific details for each CVE were not fully enumerated in the summary, but the table references 14 specific CVEs.*
- **CVSS Score (Example for related RCE/Injection):** 9.8 (Critical) for the advisory overall (implied by the context; individual CVE scores vary). Key examples mentioned:
* **CVE-2023-45625 (RCE via Command Injection):** 9.8 (Critical) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* **CVE-2023-45626 (Persistent RCE):** 7.2 (High) | CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
* **CVE-2023-45627 (Authenticated DoS):** 6.5 (Medium) | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
- **CWE (Examples):** CWE-77 (Command Injection), CWE-20 (Improper Input Validation)
## Affected Systems
- **Products:**
* SCALANCE W1750D (JP) (6GK5750-2HX01-1AD0)
* SCALANCE W1750D (ROW) (6GK5750-2HX01-1AA0)
* SCALANCE W1750D (USA) (6GK5750-2HX01-1AB0)
* *Note: This device is noted as being a brand-labeled device from Aruba.*
- **Versions:** All versions prior to **V8.10.0.9** for all listed product models.
- **Configurations:** Affects the underlying operating system commands and CLI services.
## Vulnerability Description
The SCALANCE W1750D devices suffer from multiple vulnerabilities, including but not limited to command injection flaws (CWE-77) and buffer overflows. Successful exploitation of the most severe flaws allows an unauthenticated remote attacker to execute arbitrary code with privileged user rights on the operating system, leading to potential unauthorized system takeover, sensitive information disclosure, or denial of service. Specific vulnerabilities listed include:
1. Unauthenticated remote code execution (RCE) via command injection, potentially leading to privileged execution.
2. Authenticated RCE leading to persistent arbitrary code execution across boot cycles.
3. Authenticated Denial-of-Service (DoS) due to improper input validation in the CLI service.
## Exploitation
- **Status:** Vulnerabilities are implied to be under active threat, as evidenced by the presence of Exploit Code Maturity (E:P) and Remediation Level (RL:O) temporal metrics in the CVSS vectors, suggesting that Proof-of-Concept (PoC) code or active exploitation may be known or feasible. The advisory summary context indicates potential for unauthenticated RCE.
- **Complexity:** Several high-impact vulnerabilities (including the 9.8 score example) appear to have **Low** Attack Complexity (AC:L) and require **No Privilege (PR:N)** or **Low Privilege (PR:L)** access.
- **Attack Vector:** **Network (AV:N)**
## Impact
- **Confidentiality:** High (Sensitive information disclosure possible via RCE)
- **Integrity:** High (Arbitrary code execution possible)
- **Availability:** High (Denial of Service possible)
## Remediation
### Patches
- Update to **V8.10.0.9** or a later version for all affected SCALANCE W1750D models.
- **Availability Note:** The update is explicitly stated to be **available upon request from customer support.**
### Workarounds
- The advisory recommends further review of the "Workarounds and Mitigations" section within the original Siemens advisory for temporary steps until patching can be fully implemented. (Specific details deferred to external documentation).
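The affected-version rule above ("all versions prior to V8.10.0.9" for the three listed article numbers) is simple to state but easy to get wrong in an asset inventory, because a plain string comparison ranks "V8.9.x" above "V8.10.x". The following script is an added example, not Siemens tooling and not part of the advisory: it parses firmware version strings numerically, flags the listed SCALANCE W1750D models that still need the update, and reports unparseable versions instead of silently treating them as patched. The hostnames, the inventory rows and the "EXAMPLE-OTHER-MODEL" article number are constructed sample data; only the fixed version and the three article numbers come from the advisory summary.

```python
"""Inventory check for SCALANCE W1750D firmware against the fixed version
named in SSA-716164. Example code added to this summary; not Siemens tooling.
The inventory rows at the bottom are constructed sample data."""
from typing import Dict, List, Tuple

# Fixed version and article numbers as stated in the advisory summary.
FIXED_VERSION = "V8.10.0.9"
AFFECTED_MODELS: Dict[str, str] = {
    "6GK5750-2HX01-1AD0": "SCALANCE W1750D (JP)",
    "6GK5750-2HX01-1AA0": "SCALANCE W1750D (ROW)",
    "6GK5750-2HX01-1AB0": "SCALANCE W1750D (USA)",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn 'V8.10.0.9' into (8, 10, 0, 9).

    Numeric comparison matters: a string compare would rank 'V8.9.x'
    above 'V8.10.x' and wrongly mark an old firmware as fixed."""
    text = version.strip()
    if text[:1] in ("V", "v"):
        text = text[1:]
    parts = text.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable firmware version: {version!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: str, b: str) -> bool:
    """True if firmware a is older than b; shorter tuples are zero-padded."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def is_affected(article_number: str, version: str) -> bool:
    """All listed models on any version prior to V8.10.0.9 are affected."""
    if article_number not in AFFECTED_MODELS:
        return False
    return version_lt(version, FIXED_VERSION)


def assess_inventory(rows: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return one finding per device that is not confirmed fixed.

    Unparseable versions are reported as 'unknown' rather than skipped,
    so a missing value never reads as 'patched'."""
    findings = []
    for row in rows:
        model = AFFECTED_MODELS.get(row["article_number"])
        if model is None:
            continue  # not a SCALANCE W1750D variant named in the advisory
        try:
            affected = is_affected(row["article_number"], row["version"])
            status = "update required" if affected else "fixed version"
        except ValueError:
            status = "unknown (unparseable version)"
        if status != "fixed version":
            findings.append({"host": row["host"], "model": model,
                             "version": row["version"], "status": status})
    return findings


# Constructed sample inventory (hostnames, versions and the non-W1750D
# article number are made up for this example).
SAMPLE_INVENTORY = [
    {"host": "ap-plant-01", "article_number": "6GK5750-2HX01-1AA0", "version": "V8.7.1.3"},
    {"host": "ap-plant-02", "article_number": "6GK5750-2HX01-1AA0", "version": "V8.9.12.0"},
    {"host": "ap-plant-03", "article_number": "6GK5750-2HX01-1AB0", "version": "V8.10.0.9"},
    {"host": "ap-plant-04", "article_number": "6GK5750-2HX01-1AD0", "version": "n/a"},
    {"host": "sw-core-01", "article_number": "EXAMPLE-OTHER-MODEL", "version": "V4.1.0"},
]

if __name__ == "__main__":
    for f in assess_inventory(SAMPLE_INVENTORY):
        print(f"{f['host']:12} {f['model']:22} {f['version']:10} {f['status']}")
```

Run it as-is to see the three findings from the sample rows; in practice, feed `assess_inventory` rows exported from the asset inventory or the management system and treat every "unknown" entry as an action item until the version can be read from the device.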
## Detection
- **Indicators of Compromise:** Look for unexpected command execution attempts against management interfaces or unusual privileged process activity originating from the SCALANCE W1750D.
- **Detection Methods and Tools:** Network traffic monitoring for unusual command injection payloads targeted at the device's administrative ports/services. Utilize endpoint detection where possible, though industrial device visibility may be limited.
## References
- **Vendor Advisories:**
* Siemens Security Advisory: SSA-716164 (Publication Date: 2024-02-13; Last Update: 2024-04-09)
* Related Aruba Security Advisory: ARUBA-PSA-2023-017 (link excluded for security best practices; refer to advisory SSA-716164 for details if required)
* Siemens ProductCERT Advisories Portal: hxxps://www.siemens.com/cert/advisories