Full Report
SCALANCE W-700 IEEE 802.11ax family devices are affected by multiple vulnerabilities. Siemens has released new versions for the affected products and recommends to update to the latest versions.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in SCALANCE W-700 IEEE 802.11ax Devices (SSA-769027)
## CVE Details
*Note: The primary advisory header indicates multiple vulnerabilities, with a general CVSS score of 9.8 (v3.1) / 8.6 (v4.0). Specific CVEs and their details are extracted below, as the advisory groups them.*
| CVE ID | CVSS v3.1 Score / Severity | CVSS v4.0 Score | CWE |
| :--- | :--- | :--- | :--- |
| **CVE-2023-1670** | 7.8 (High) | N/A | CWE-416 (Use After Free) |
| **CVE-2023-2194** | 6.7 (Medium) | N/A | CWE-787 (Out-of-bounds Write) |
| **CVE-2023-3446** | 5.3 (Medium) | N/A | CWE-1333 (Inefficient RegEx Complexity) |
| **CVE-2023-3611** | 7.8 (High) | N/A | CWE-787 (Out-of-bounds Write) |
| **CVE-2023-4623** | 7.8 (High) | N/A | CWE-416 (Use After Free) |
| **CVE-2023-4921** | 7.8 (High) | N/A | CWE-416 (Use After Free) |
| **2024-50561** | 4.3 (Medium) | 5.1 (Medium) | CWE-79 (XSS) |
| **CVE-2024-50572** | 7.2 (High) | 8.6 (High) | CWE-74 (Injection) |
| **CVE-2025-24499** | 7.2 (High) | 7.5 (High) | CWE-20 (Improper Input Validation) |
| **CVE-2025-24532** | 4.3 (Medium) | 5.3 (Medium) | CWE-284 (Improper Access Control) |
| *Unknown CVE for DoS* | 7.1 (High) | N/A | CWE-125 (Out-of-bounds Read) |
## Affected Systems
- **Products:** SCALANCE W-700 IEEE 802.11ax family (including SCALANCE WAB762-1 (6GK5762-1AJ00-6AA0))
- **Versions:** Prior to V3.0.0
- **Configurations:** Vulnerabilities relate to underlying Linux kernel components (multiple CVEs) and specific device functions (e.g., configuration file loading, SNMPv3 View configuration). One vulnerability mentions a DoS condition related to oversized data in `WL_EXTRA_BUF_MAX`.
## Vulnerability Description
The advisory addresses multiple independent vulnerabilities affecting the firmware of the SCALANCE W-700 series devices. These include:
1. **Memory Corruption (Use-After-Free/Out-of-Bounds Write):** Several flaws stemming from the Linux kernel components (PCMCIA driver, SLIMpro I2C driver, and net/sched components like sch\_qfq and sch\_hfsc) could allow a local attacker to achieve privilege escalation or system crashes.
2. **Improper Input Validation/Injection:** Flaws related to input handling during file uploads, configuration loading, and web interface interaction, potentially leading to XSS, injection of commands, or arbitrary shell execution upon successful exploitation by an authenticated user.
3. **Denial of Service (DoS):** A condition exists where oversized required length data (`req_len`) in a specific buffer (`WL_EXTRA_BUF_MAX`) leads to DoS. Another DoS vector relates to overly long DH keys causing slow processing within OpenSSL functions.
4. **Improper Access Control:** A flaw in SNMPv3 View configuration allows a low-privileged user with `user` role to potentially alter View Types.
## Exploitation
- **Status:** Specific exploitation status for all 10+ vulnerabilities is not detailed, but CVE-2025-24499 and CVE-2025-24532 are marked with `E:P` (Exploit code publicly available) in the CVSS context, suggesting proof-of-concept or functional exploitation might exist for those specific types of flaws. The underlying kernel bugs (Use-After-Free, OOB Write) usually require local access or specific conditions.
- **Complexity:** Varies by CVE, generally **Low** to **Medium** for local privilege escalation flaws, and **Low** for network-based injection flaws assuming authentication is achieved.
- **Attack Vector:** **Network** (Injection, DoS via DH check, SNMP) or **Local** (Kernel memory corruption flaws).
## Impact
The aggregate impact of the combined vulnerabilities is severe:
- **Confidentiality:** **High** (Potential for reading arbitrary kernel memory or gaining system access).
- **Integrity:** **High** (Potential for arbitrary code execution, system command execution, and configuration modification).
- **Availability:** **High** (Potential for Denial of Service/system crashes due to buffer overflows or resource exhaustion).
## Remediation
### Patches
- **Action:** Update affected products to **V3.0.0 or a later version**.
- **Details:** Siemens recommends updating to the latest version available via the provided support link: hXXps://support.industry.siemens.com/cs/ww/en/view/109977720/
### Workarounds
The advisory does not explicitly list general workarounds beyond urging immediate patching, due to the severity and variety of flaws. For the OpenSSL DoS (CVE-2023-3446), the impact is mitigated if the OpenSSL SSL/TLS implementation is used without the DH key checking functions being called with untrusted input, but this is an incomplete mitigation.
## Detection
- **Indicators of Compromise:** Detection methods would depend heavily on the specific exploitation attempt (e.g., signs of unexpected process termination, unauthorized file modifications, or unusual network activity if a remote injection was successful). Analyzing system logs for kernel panics or unauthorized configuration changes on the W-700 device is recommended.
- **Detection Methods and Tools:** Full forensic investigation of the device firmware/OS layers would be necessary to detect exploitation of the underlying Linux kernel vulnerabilities. Network monitoring for anomalous data uploads or configuration access attempts may flag activity related to CVE-2024-50572 or CVE-2025-24499.
## References
- **Vendor Advisories:** SSA-769027 (Siemens)
- **Relevant Links:**
- Siemens Security Advisory Portal: hXXps://www.siemens.com/cert/advisories
- Siemens Support Link for Update: hXXps://support.industry.siemens.com/cs/ww/en/view/109977720/