Full Report
The SCALANCE W1750D device contains multiple vulnerabilities that could allow an attacker to inject commands or exploit buffer overflow vulnerabilities which could lead to sensitive information disclosure, unauthenticated denial of service or unauthenticated remote code execution. Siemens has released updates for the affected products and recommends to update to the latest versions.
Analysis Summary
# Vulnerability: Multiple Critical Flaws in SCALANCE W1750D (Aruba-based)
## CVE Details
This advisory covers several vulnerabilities. Key examples include:
- **CVE-2023-22779 / CVE-2023-22780**: CVSS **9.8** (Critical) | CWE-120 (Classic Buffer Overflow)
- **CVE-2023-22790**: CVSS **7.2** (High) | CWE-77 (Command Injection)
- **CVE-2023-22791**: CVSS **5.4** (Medium) | CWE-200 (Information Exposure)
## Affected Systems
- **Products**: SCALANCE W1750D Access Points (JP, ROW, and USA variants)
- **Versions**: All versions prior to **V8.10.0.6**
- **Configurations**: Devices using Aruba InstantOS/ArubaOS 10; specifically those with the PAPI management protocol or CLI enabled.
## Vulnerability Description
The SCALANCE W1750D (a brand-labeled version of Aruba hardware) contains multiple security flaws:
1. **Buffer Overflows**: Multiple services fail to check input sizes on the PAPI (Aruba management protocol) UDP port 8211. This allows an unauthenticated attacker to execute code as a privileged user via crafted packets.
2. **Command Injection**: Authenticated users with access to the Command Line Interface (CLI) can inject arbitrary commands into the underlying operating system.
3. **Information Disclosure**: Specific edge-case WLAN configurations and environments may allow an attacker with valid credentials to intercept sensitive information.
## Exploitation
- **Status**: **PoC available** (indicated by CVSS "E:P" / Proof-of-Concept exploit code maturity).
- **Complexity**: Low (for most critical buffer overflows); High (for information disclosure CVE-2023-22791).
- **Attack Vector**: Network (Remote) / Adjacent (for WLAN-specific flaws).
## Impact
- **Confidentiality**: High (Full system access and sensitive info disclosure)
- **Integrity**: High (Ability to execute arbitrary commands/code)
- **Availability**: High (Unauthenticated Denial of Service)
## Remediation
### Patches
- **Update to V8.10.0.6 or later.**
- Updates are available upon request from Siemens Customer Support.
### Workarounds
- **Enable Cluster Security**: Use the `cluster-security` command to mitigate CVE-2023-22779 through CVE-2023-22786.
- **Port Blocking**: Specifically block access to port **UDP/8211** from untrusted networks to mitigate PAPI-related overflows (CVE-2023-22787).
- **Network Segmentation**: Restrict CLI and Web-based management interfaces to a dedicated Layer 2 segment or VLAN, enforced by Layer 3 firewall policies.
## Detection
- **Indicators of Compromise**: Monitor for unexpected traffic on UDP port 8211.
- **Detection Methods**: Audit CLI logs for unusual command execution by privileged accounts. Use network scanning tools to verify if PAPI ports are exposed to untrusted segments.
## References
- **Siemens Advisory**: hxxps://cert-portal.siemens[.]com/productcert/html/ssa-843070.html
- **Aruba Advisory**: hxxps://www.arubanetworks[.]com/assets/alert/ARUBA-PSA-2023-006.txt
- **Operational Guidelines**: hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security