Full Report
The SCALANCE W1750D devices contain multiple vulnerabilities that could allow an attacker to exploit buffer overflow and information disclosure vulnerabilities which could lead to information disclosure or unauthenticated remote code execution. Siemens has released new versions for the affected products and recommends to update to the latest versions.
Analysis Summary
# Vulnerability: Multiple Critical Vulnerabilities in Siemens SCALANCE W1750D Leading to RCE
## CVE Details
- CVE ID: CVE-2023-35980, CVE-2023-35981, CVE-2023-35982 (Note: All listed CVEs in the advisory share the same critical score)
- CVSS Score: 9.8 (Critical)
- CWE: CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') (Observed for CVE-2023-35980 and CVE-2023-35982)
## Affected Systems
- Products: SCALANCE W1750D (JP) (6GK5750-2HX01-1AD0), SCALANCE W1750D (ROW) (6GK5750-2HX01-1AA0), SCALANCE W1750D (USA) (6GK5750-2HX01-1AB0)
- Versions: All versions prior to V8.10.0.9.
- Configurations: N/A (Vulnerabilities appear to affect the base product installation). The device is noted to be a rebranded Aruba product.
## Vulnerability Description
Multiple vulnerabilities exist within underlying services of the SCALANCE W1750D which include buffer overflows and information disclosure flaws. Specifically, buffer overflow vulnerabilities in multiple services allow an unauthenticated remote attacker to execute arbitrary code as a privileged user by sending specially crafted packets destined to the PAPI (Aruba's access point management protocol) UDP port (8211).
## Exploitation
- Status: Information suggests a high risk; technical details point to unauthenticated remote code execution. (Specific PoC availability not confirmed in this summary, but the nature of the flaw suggests exploitability is likely).
- Complexity: Low (Indicated by CVSS vector: AC:L, PR:N, UI:N)
- Attack Vector: Network (AV:N)
## Impact
- Confidentiality: High (H)
- Integrity: High (H)
- Availability: High (H)
## Remediation
### Patches
- Update all affected SCALANCE W1750D variants (JP, ROW, USA) to **V8.10.0.9 or a later version**.
- The update is available upon request from customer support.
### Workarounds
1. **Network Segmentation:** Restrict access to the Command Line Interface (CLI) and web-based management interfaces to a dedicated Layer 2 segment/VLAN or control access via firewall policies at Layer 3 and above.
2. **Security Enforcement:** Enable cluster-security using the `cluster-security` command.
## Detection
- Indicators of Compromise (IOCs): Monitoring for unusual traffic directed towards the PAPI UDP port (8211) containing malformed or oversized packets.
- Detection methods and tools: Network Intrusion Detection Systems (NIDS) monitoring unusual traffic patterns on UDP 8211. Utilize vendor-specific security guidance for further recommendations.
## References
- Vendor Advisories: SSA-885980 (Siemens)
- Related Aruba Advisory: ARUBA-PSA-2023-009 (link defanged: hxxps://www.arubanetworks.com/assets/alert/ARUBA-PSA-2023-009.txt)
- General Security Guidelines: hxxps://www.siemens.com/cert/operational-guidelines-industrial-security
- Siemens ProductCERT Contact: hxxps://www.siemens.com/cert/advisories