Show vulnerabilities with patch / with exploit

Multiple vulnerabilities in Siemens SCALANCE W1750D, M800 and S615



Published: 2017-11-29
Severity High
Patch available YES
Number of vulnerabilities 4
CVE ID CVE-2017-13704
CVE-2017-14495
CVE-2017-14496
CVE-2017-14491
CWE ID CWE-119
CWE-400
CWE-122
Exploitation vector Network
Public exploit Public exploit code for vulnerability #2 is available.
Public exploit code for vulnerability #3 is available.
Public exploit code for vulnerability #4 is available.
Vulnerable software
Subscribe
SCALANCE S615
Hardware solutions / Firmware

SCALANCE M800
Hardware solutions / Firmware

SCALANCE W1750D
Hardware solutions / Firmware

Vendor Siemens

Security Advisory

1) Memory corruption

Severity: Medium

CVSSv3: 7.5 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C] [PCI]

CVE-ID: CVE-2017-13704

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to boundary error in  when processing DNS queries longer than 512 bytes or EDNS0 packet size is different. A remote unauthenticated attacker can send a specially crafted DNS request to the affected service and trigger the application crash.

Successful exploitation of this vulnerability may allow an attacker to perform a denial of service (DoS) attack.

Mitigation

Siemens is preparing updates for the affected products and recommends the following mitigations until patches are available: • For SCALANCE W1750D: Customers who do not use the “OpenDNS”, “Captive Portal” or “URL redirection” functionality, can deploy firewall rules in the device configuration to block incoming access to port 53/UDP. • For SCALANCE M800/S615: Disable DNS proxy in the device configuration (System - DNS - DNS Proxy - Disable Checkbox „Enable DNS Proxy“), and configure the connected devices in the internal network to use a different DNS server. • Apply Defense-in-Depth [1]

Vulnerable software versions

SCALANCE S615: -

SCALANCE M800: -

SCALANCE W1750D: -

CPE External links

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-689071.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Memory exhaustion

Severity: Medium

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2017-14495

CWE-ID: CWE-400 - Uncontrolled Resource Consumption ('Resource Exhaustion')

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect memory allocation (memory is never freed) in  add_pseudoheader() function when processing DNS queries. A remote unauthenticated attacker can send a specially crafted DNS request to the affected service and cause dnsmasq to consume all available memory.

Successful exploitation of this vulnerability may allow an attacker to perform a denial of service (DoS) attack, but requires that dnsmasq is compiled with --add-mac, --add-cpe-id or --add-subnet option.

Mitigation

Siemens is preparing updates for the affected products and recommends the following mitigations until patches are available: • For SCALANCE W1750D: Customers who do not use the “OpenDNS”, “Captive Portal” or “URL redirection” functionality, can deploy firewall rules in the device configuration to block incoming access to port 53/UDP. • For SCALANCE M800/S615: Disable DNS proxy in the device configuration (System - DNS - DNS Proxy - Disable Checkbox „Enable DNS Proxy“), and configure the connected devices in the internal network to use a different DNS server. • Apply Defense-in-Depth [1]

Vulnerable software versions

SCALANCE S615: -

SCALANCE M800: -

SCALANCE W1750D: -

CPE External links

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-689071.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

3) Memory corruption

Severity: Medium

CVSSv3: 7.7 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2017-14496

CWE-ID: CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to boundary error in  add_pseudoheader() function when processing DNS queries. A remote unauthenticated attacker can send a specially crafted DNS request to the affected service, cause dnsmasq to call memcpy with negative size and crash.

Successful exploitation of this vulnerability may allow an attacker to perform a denial of service (DoS) attack, but requires that dnsmasq is compiled with --add-mac, --add-cpe-id or --add-subnet option.

Mitigation

Siemens is preparing updates for the affected products and recommends the following mitigations until patches are available: • For SCALANCE W1750D: Customers who do not use the “OpenDNS”, “Captive Portal” or “URL redirection” functionality, can deploy firewall rules in the device configuration to block incoming access to port 53/UDP. • For SCALANCE M800/S615: Disable DNS proxy in the device configuration (System - DNS - DNS Proxy - Disable Checkbox „Enable DNS Proxy“), and configure the connected devices in the internal network to use a different DNS server. • Apply Defense-in-Depth [1]

Vulnerable software versions

SCALANCE S615: -

SCALANCE M800: -

SCALANCE W1750D: -

CPE External links

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-689071.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.

4) Heap-based buffer overflow

Severity: High

CVSSv3: 9 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:P/RL:O/RC:C] [PCI]

CVE-ID: CVE-2017-14491

CWE-ID: CWE-122 - Heap-based Buffer Overflow

Exploit availability: Yes [Search exploit]

Description

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to boundary error in dnsmasq.c file when processing DNS replies. A remote unauthenticated attacker can send specially crafted DNS packets to the affected service, trigger heap-based buffer overflow by 2 bytes and crash the service or execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Mitigation

Siemens is preparing updates for the affected products and recommends the following mitigations until patches are available: • For SCALANCE W1750D: Customers who do not use the “OpenDNS”, “Captive Portal” or “URL redirection” functionality, can deploy firewall rules in the device configuration to block incoming access to port 53/UDP. • For SCALANCE M800/S615: Disable DNS proxy in the device configuration (System - DNS - DNS Proxy - Disable Checkbox „Enable DNS Proxy“), and configure the connected devices in the internal network to use a different DNS server. • Apply Defense-in-Depth [1]

Vulnerable software versions

SCALANCE S615: -

SCALANCE M800: -

SCALANCE W1750D: -

CPE External links

https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-689071.pdf

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.