Full Report
The SCALANCE W700 devices are affected by Wi-Fi encryption bypass vulnerabilities (“Framing Frames”) that could allow an attacker to disclose sensitive information, to steal the victims session or to execute denial-of-service attacks. Siemens recommends countermeasures for products where fixes are not, or not yet available.
Analysis Summary
# Vulnerability: Wi-Fi Encryption Bypass ("Framing Frames") in SCALANCE W700
## CVE Details
* **CVE ID:** CVE-2024-30191 (Primary High Severity), CVE-2024-30189, CVE-2024-30190
* **CVSS Score:** 8.4 (High) for CVE-2024-30191; 6.1 (Medium) for others.
* **CVSS Vector:** CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
* **CWE:** CWE-290: Authentication Bypass by Spoofing
## Affected Systems
* **Products:** SCALANCE W700 Product Family, including:
* W721-1 RJ45
* W722-1 RJ45
* W734-1 RJ45
* **Versions:** All versions of the listed hardware models are affected.
* **Configurations:** Devices operating in Wi-Fi (IEEE 802.11) environments where encryption is utilized.
## Vulnerability Description
The "Framing Frames" vulnerability involves flaws in how Wi-Fi devices manage the security context of queued frames. Attackers can exploit the 802.11 power-saving mechanism and security context handling to bypass encryption:
* **CVE-2024-30189:** Manipulation of the transmit queue allows frames to be sent without encryption or with an override key, leading to information disclosure.
* **CVE-2024-30190:** Abuse of power-saving queues to trigger network disruptions and DoS.
* **CVE-2024-30191:** Overriding a victim client's security context by associating an attacker-controlled key with the victim's frames, allowing full decryption and manipulation.
## Exploitation
* **Status:** PoC available (detailed in the "Framing Frames" research paper by Mathy Vanhoef). No confirmed exploitation in the wild at the time of the advisory.
* **Complexity:** Low
* **Attack Vector:** Adjacent (Attacker must be within radio range/physical proximity of the Wi-Fi network). Requires some user interaction (UI:R).
## Impact
* **Confidentiality:** High (Sensitive data disclosure/frame decryption)
* **Integrity:** High (Session hijacking/message manipulation)
* **Availability:** High (Denial-of-Service/client disconnection)
## Remediation
### Patches
* **Currently no fix is planned** for the SCALANCE W700 models listed in the advisory. Users are advised to transition to newer hardware or implement the workarounds below.
### Workarounds
* **Network Layer Encryption:** Use higher-layer security protocols such as VPNs, TLS, or SSH to protect data integrity and confidentiality independently of the Wi-Fi encryption.
* **MAC Filtering:** While not foolproof, restrict access to known hardware.
* **VLAN Separation:** Segment the wireless network to minimize the potential "blast radius" of a session hijack.
## Detection
* **Indicators of Compromise:** Unusual patterns of client disconnections, unexpected power-save mode transitions, or unauthorized MAC addresses attempting to negotiate security contexts.
* **Detection methods:** Use Wireless Intrusion Detection Systems (WIDS) to monitor for 802.11 management frame anomalies and unauthorized de-authentication packets.
## References
* Siemens Security Advisory SSA-457702: hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-457702.pdf
* "Framing Frames" Research Paper: hxxps://papers[.]mathyvanhoef[.]com/usenix2023-wifi[.]pdf
* Siemens ProductCERT: hxxps://www[.]siemens[.]com/cert/advisories