Multiple vulnerabilities in Siemens SCALANCE W-700 IEEE 802.11ax devices



Published: 2023-03-17
Risk: Medium
Patch available: YES
Number of vulnerabilities: 17
CVE-ID: CVE-2021-42379, CVE-2022-23395, CVE-2021-42386, CVE-2021-42385, CVE-2021-42384, CVE-2021-42383, CVE-2021-42382, CVE-2021-42381, CVE-2021-42380, CVE-2021-42378, CVE-2021-42377, CVE-2021-42376, CVE-2021-42375, CVE-2021-42374, CVE-2021-42373, CVE-2018-25032, CVE-2018-12886
CWE-ID: CWE-416, CWE-79, CWE-763, CWE-476, CWE-20, CWE-125, CWE-119, CWE-209
Exploitation vector: Network
Public exploit: N/A
Vulnerable software
SCALANCE WUM766-1 (US)
Hardware solutions / Routers & switches, VoIP, GSM, etc

SCALANCE WUM766-1 (EU)
Hardware solutions / Routers & switches, VoIP, GSM, etc

SCALANCE WUM763-1
Hardware solutions / Routers & switches, VoIP, GSM, etc

SCALANCE WAM766-1 EEC (US)
Hardware solutions / Routers & switches, VoIP, GSM, etc

SCALANCE WAM766-1 EEC (EU)
Hardware solutions / Routers & switches, VoIP, GSM, etc

SCALANCE WAM766-1 (US)
Hardware solutions / Routers & switches, VoIP, GSM, etc

SCALANCE WAM766-1 (EU)
Hardware solutions / Routers & switches, VoIP, GSM, etc

SCALANCE WAM763-1
Hardware solutions / Routers & switches, VoIP, GSM, etc

Vendor: Siemens

Security Bulletin

This security bulletin contains information about 17 vulnerabilities.

1) Use-after-free

EUVDB-ID: #VU58692

Risk: Low

CVE-ID: CVE-2021-42379

Description

The vulnerability allows a remote user to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error in the "next_input_file" function. A remote administrator can execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SCALANCE WUM766-1 (US): before 2.0

SCALANCE WUM766-1 (EU): before 2.0

SCALANCE WUM763-1: before 2.0

SCALANCE WAM766-1 EEC (US): before 2.0

SCALANCE WAM766-1 EEC (EU): before 2.0

SCALANCE WAM766-1 (US): before 2.0

SCALANCE WAM766-1 (EU): before 2.0

SCALANCE WAM763-1: before 2.0

External links

http://cert-portal.siemens.com/productcert/txt/ssa-565386.txt

2) Cross-site scripting

EUVDB-ID: #VU73786

Risk: Low

CVE-ID: CVE-2022-23395

Description

The disclosed vulnerability allows a remote attacker to perform cross-site scripting (XSS) attacks.

The vulnerability exists due to insufficient sanitization of user-supplied data. A remote attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SCALANCE WUM766-1 (US): before 2.0

SCALANCE WUM766-1 (EU): before 2.0

SCALANCE WUM763-1: before 2.0

SCALANCE WAM766-1 EEC (US): before 2.0

SCALANCE WAM766-1 EEC (EU): before 2.0

SCALANCE WAM766-1 (US): before 2.0

SCALANCE WAM766-1 (EU): before 2.0

SCALANCE WAM763-1: before 2.0

External links

http://cert-portal.siemens.com/productcert/txt/ssa-565386.txt

3) Use-after-free

EUVDB-ID: #VU58678

Risk: Low

CVE-ID: CVE-2021-42386

Description

The vulnerability allows a remote user to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error in the "nvalloc" function. A remote administrator can execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SCALANCE WUM766-1 (US): before 2.0

SCALANCE WUM766-1 (EU): before 2.0

SCALANCE WUM763-1: before 2.0

SCALANCE WAM766-1 EEC (US): before 2.0

SCALANCE WAM766-1 EEC (EU): before 2.0

SCALANCE WAM766-1 (US): before 2.0

SCALANCE WAM766-1 (EU): before 2.0

SCALANCE WAM763-1: before 2.0

External links

http://cert-portal.siemens.com/productcert/txt/ssa-565386.txt

4) Use-after-free

EUVDB-ID: #VU58683

Risk: Low

CVE-ID: CVE-2021-42385

Description

The vulnerability allows a remote user to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error in the "evaluate" function. A remote administrator can execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SCALANCE WUM766-1 (US): before 2.0

SCALANCE WUM766-1 (EU): before 2.0

SCALANCE WUM763-1: before 2.0

SCALANCE WAM766-1 EEC (US): before 2.0

SCALANCE WAM766-1 EEC (EU): before 2.0

SCALANCE WAM766-1 (US): before 2.0

SCALANCE WAM766-1 (EU): before 2.0

SCALANCE WAM763-1: before 2.0

External links

http://cert-portal.siemens.com/productcert/txt/ssa-565386.txt

5) Use-after-free

EUVDB-ID: #VU58685

Risk: Low

CVE-ID: CVE-2021-42384

Description

The vulnerability allows a remote user to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error in the "handle_special" function. A remote administrator can execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SCALANCE WUM766-1 (US): before 2.0

SCALANCE WUM766-1 (EU): before 2.0

SCALANCE WUM763-1: before 2.0

SCALANCE WAM766-1 EEC (US): before 2.0

SCALANCE WAM766-1 EEC (EU): before 2.0

SCALANCE WAM766-1 (US): before 2.0

SCALANCE WAM766-1 (EU): before 2.0

SCALANCE WAM763-1: before 2.0

External links

http://cert-portal.siemens.com/productcert/txt/ssa-565386.txt

6) Use-after-free

EUVDB-ID: #VU69654

Risk: Low

CVE-ID: CVE-2021-42383

Description

The vulnerability allows a remote user to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error within the awk applet. A remote privileged user can pass specially crafted input to the application, trigger a use-after-free error and execute arbitrary code.

Successful exploitation of the vulnerability may allow an attacker to compromise the vulnerable system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SCALANCE WUM766-1 (US): before 2.0

SCALANCE WUM766-1 (EU): before 2.0

SCALANCE WUM763-1: before 2.0

SCALANCE WAM766-1 EEC (US): before 2.0

SCALANCE WAM766-1 EEC (EU): before 2.0

SCALANCE WAM766-1 (US): before 2.0

SCALANCE WAM766-1 (EU): before 2.0

SCALANCE WAM763-1: before 2.0

External links

http://cert-portal.siemens.com/productcert/txt/ssa-565386.txt

7) Use-after-free

EUVDB-ID: #VU58684

Risk: Low

CVE-ID: CVE-2021-42382

Description

The vulnerability allows a remote user to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error in the "getvar_s" function. A remote administrator can execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SCALANCE WUM766-1 (US): before 2.0

SCALANCE WUM766-1 (EU): before 2.0

SCALANCE WUM763-1: before 2.0

SCALANCE WAM766-1 EEC (US): before 2.0

SCALANCE WAM766-1 EEC (EU): before 2.0

SCALANCE WAM766-1 (US): before 2.0

SCALANCE WAM766-1 (EU): before 2.0

SCALANCE WAM763-1: before 2.0

External links

http://cert-portal.siemens.com/productcert/txt/ssa-565386.txt

8) Use-after-free

EUVDB-ID: #VU58673

Risk: Low

CVE-ID: CVE-2021-42381

Description

The vulnerability allows a remote user to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error in the "hash_init" function. A remote administrator can execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SCALANCE WUM766-1 (US): before 2.0

SCALANCE WUM766-1 (EU): before 2.0

SCALANCE WUM763-1: before 2.0

SCALANCE WAM766-1 EEC (US): before 2.0

SCALANCE WAM766-1 EEC (EU): before 2.0

SCALANCE WAM766-1 (US): before 2.0

SCALANCE WAM766-1 (EU): before 2.0

SCALANCE WAM763-1: before 2.0

External links

http://cert-portal.siemens.com/productcert/txt/ssa-565386.txt

9) Use-after-free

EUVDB-ID: #VU58694

Risk: Low

CVE-ID: CVE-2021-42380

Description

The vulnerability allows a remote user to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error in the "next_input_file" function. A remote administrator can execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SCALANCE WUM766-1 (US): before 2.0

SCALANCE WUM766-1 (EU): before 2.0

SCALANCE WUM763-1: before 2.0

SCALANCE WAM766-1 EEC (US): before 2.0

SCALANCE WAM766-1 EEC (EU): before 2.0

SCALANCE WAM766-1 (US): before 2.0

SCALANCE WAM766-1 (EU): before 2.0

SCALANCE WAM763-1: before 2.0

External links

http://cert-portal.siemens.com/productcert/txt/ssa-565386.txt

10) Use-after-free

EUVDB-ID: #VU58680

Risk: Low

CVE-ID: CVE-2021-42378

Description

The vulnerability allows a remote user to compromise a vulnerable system.

The vulnerability exists due to a use-after-free error in the "getvar_i" function. A remote administrator can execute arbitrary code on the target system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SCALANCE WUM766-1 (US): before 2.0

SCALANCE WUM766-1 (EU): before 2.0

SCALANCE WUM763-1: before 2.0

SCALANCE WAM766-1 EEC (US): before 2.0

SCALANCE WAM766-1 EEC (EU): before 2.0

SCALANCE WAM766-1 (US): before 2.0

SCALANCE WAM766-1 (EU): before 2.0

SCALANCE WAM763-1: before 2.0

External links

http://cert-portal.siemens.com/productcert/txt/ssa-565386.txt

11) Release of invalid pointer or reference

EUVDB-ID: #VU69653

Risk: Medium

CVE-ID: CVE-2021-42377

Description

The vulnerability allows a remote attacker to execute arbitrary code on the system.

The vulnerability exists due to improper input validation within the hush applet. A remote attacker can pass specially crafted input to the application and potentially execute arbitrary shell commands.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SCALANCE WUM766-1 (US): before 2.0

SCALANCE WUM766-1 (EU): before 2.0

SCALANCE WUM763-1: before 2.0

SCALANCE WAM766-1 EEC (US): before 2.0

SCALANCE WAM766-1 EEC (EU): before 2.0

SCALANCE WAM766-1 (US): before 2.0

SCALANCE WAM766-1 (EU): before 2.0

SCALANCE WAM763-1: before 2.0

External links

http://cert-portal.siemens.com/productcert/txt/ssa-565386.txt

12) NULL pointer dereference

EUVDB-ID: #VU59877

Risk: Low

CVE-ID: CVE-2021-42376

Description

The vulnerability allows a local user to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error in BusyBox's hush applet when processing a crafted shell command with a \x03 delimiter character. A local user can pass a specially crafted string to the affected applet and crash the application.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SCALANCE WUM766-1 (US): before 2.0

SCALANCE WUM766-1 (EU): before 2.0

SCALANCE WUM763-1: before 2.0

SCALANCE WAM766-1 EEC (US): before 2.0

SCALANCE WAM766-1 EEC (EU): before 2.0

SCALANCE WAM766-1 (US): before 2.0

SCALANCE WAM766-1 (EU): before 2.0

SCALANCE WAM763-1: before 2.0

External links

http://cert-portal.siemens.com/productcert/txt/ssa-565386.txt

13) Input validation error

EUVDB-ID: #VU69652

Risk: Low

CVE-ID: CVE-2021-42375

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input within the ash applet. A remote user can pass specially crafted input to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SCALANCE WUM766-1 (US): before 2.0

SCALANCE WUM766-1 (EU): before 2.0

SCALANCE WUM763-1: before 2.0

SCALANCE WAM766-1 EEC (US): before 2.0

SCALANCE WAM766-1 EEC (EU): before 2.0

SCALANCE WAM766-1 (US): before 2.0

SCALANCE WAM766-1 (EU): before 2.0

SCALANCE WAM763-1: before 2.0

External links

http://cert-portal.siemens.com/productcert/txt/ssa-565386.txt

14) Out-of-bounds read

EUVDB-ID: #VU58670

Risk: Medium

CVE-ID: CVE-2021-42374

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to a boundary condition in "unlzma". A remote attacker can trigger an out-of-bounds read error and read the contents of memory on the system or perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SCALANCE WUM766-1 (US): before 2.0

SCALANCE WUM766-1 (EU): before 2.0

SCALANCE WUM763-1: before 2.0

SCALANCE WAM766-1 EEC (US): before 2.0

SCALANCE WAM766-1 EEC (EU): before 2.0

SCALANCE WAM766-1 (US): before 2.0

SCALANCE WAM766-1 (EU): before 2.0

SCALANCE WAM763-1: before 2.0

External links

http://cert-portal.siemens.com/productcert/txt/ssa-565386.txt

15) NULL pointer dereference

EUVDB-ID: #VU69651

Risk: Medium

CVE-ID: CVE-2021-42373

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a NULL pointer dereference error within the man applet when a section name is supplied but no page argument is given. A remote attacker can pass specially crafted data to the application and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SCALANCE WUM766-1 (US): before 2.0

SCALANCE WUM766-1 (EU): before 2.0

SCALANCE WUM763-1: before 2.0

SCALANCE WAM766-1 EEC (US): before 2.0

SCALANCE WAM766-1 EEC (EU): before 2.0

SCALANCE WAM766-1 (US): before 2.0

SCALANCE WAM766-1 (EU): before 2.0

SCALANCE WAM763-1: before 2.0

External links

http://cert-portal.siemens.com/productcert/txt/ssa-565386.txt

16) Buffer overflow

EUVDB-ID: #VU61671

Risk: Medium

CVE-ID: CVE-2018-25032

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input when compressing data. A remote attacker can pass specially crafted input to the application, trigger memory corruption and perform a denial of service (DoS) attack.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SCALANCE WUM766-1 (US): before 2.0

SCALANCE WUM766-1 (EU): before 2.0

SCALANCE WUM763-1: before 2.0

SCALANCE WAM766-1 EEC (US): before 2.0

SCALANCE WAM766-1 EEC (EU): before 2.0

SCALANCE WAM766-1 (US): before 2.0

SCALANCE WAM766-1 (EU): before 2.0

SCALANCE WAM763-1: before 2.0

External links

http://cert-portal.siemens.com/productcert/txt/ssa-565386.txt

17) Information Exposure Through an Error Message

EUVDB-ID: #VU73785

Risk: Medium

CVE-ID: CVE-2018-12886

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application in the stack_protect_prologue in cfgexpand.c and stack_protect_epilogue in function.c. A remote attacker can gain unauthorized access to sensitive information on the system.

Mitigation

Install update from vendor's website.

Vulnerable software versions

SCALANCE WUM766-1 (US): before 2.0

SCALANCE WUM766-1 (EU): before 2.0

SCALANCE WUM763-1: before 2.0

SCALANCE WAM766-1 EEC (US): before 2.0

SCALANCE WAM766-1 EEC (EU): before 2.0

SCALANCE WAM766-1 (US): before 2.0

SCALANCE WAM766-1 (EU): before 2.0

SCALANCE WAM763-1: before 2.0

External links

http://cert-portal.siemens.com/productcert/txt/ssa-565386.txt