Multiple vulnerabilities in Siemens SCALANCE W1750D, M800 and S615
| Risk | High |
| Patch available | YES |
| Number of vulnerabilities | 4 |
| CVE-ID | CVE-2017-13704 CVE-2017-14495 CVE-2017-14496 CVE-2017-14491 |
| CWE-ID | CWE-119 CWE-400 CWE-122 |
| Exploitation vector | Network |
| Public exploit |
Public exploit code for vulnerability #2 is available. Public exploit code for vulnerability #3 is available. Public exploit code for vulnerability #4 is available. |
| Vulnerable software |
SCALANCE S615 Hardware solutions / Firmware SCALANCE M800 Hardware solutions / Firmware SCALANCE W1750D Hardware solutions / Firmware |
| Vendor | Siemens |
Security Bulletin
This security bulletin contains information about 4 vulnerabilities.
1) Memory corruption
EUVDB-ID: #VU8666
Risk: Medium
CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]
CVE-ID: CVE-2017-13704
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to boundary error in when processing DNS queries longer than 512 bytes or EDNS0 packet size is different. A remote unauthenticated attacker can send a specially crafted DNS request to the affected service and trigger the application crash.
Successful exploitation of this vulnerability may allow an attacker to perform a denial of service (DoS) attack.
Siemens is preparing updates for the affected products and recommends the following mitigations until patches are available: • For SCALANCE W1750D: Customers who do not use the “OpenDNS”, “Captive Portal” or “URL redirection” functionality, can deploy firewall rules in the device configuration to block incoming access to port 53/UDP. • For SCALANCE M800/S615: Disable DNS proxy in the device configuration (System - DNS - DNS Proxy - Disable Checkbox „Enable DNS Proxy“), and configure the connected devices in the internal network to use a different DNS server. • Apply Defense-in-Depth [1]
Vulnerable software versionsSCALANCE S615: All versions
SCALANCE M800: All versions
SCALANCE W1750D: All versions
CPE2.3- cpe:2.3:h:siemens:scalance_s615:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:scalance_m800:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:scalance_w1750d:*:*:*:*:*:*:*:*
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-689071.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Memory exhaustion
EUVDB-ID: #VU8664
Risk: Medium
CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2017-14495
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to incorrect memory allocation (memory is never freed) in add_pseudoheader() function when processing DNS queries. A remote unauthenticated attacker can send a specially crafted DNS request to the affected service and cause dnsmasq to consume all available memory.
Successful exploitation of this vulnerability may allow an attacker to perform a denial of service (DoS) attack, but requires that dnsmasq is compiled with --add-mac, --add-cpe-id or --add-subnet option.
Siemens is preparing updates for the affected products and recommends the following mitigations until patches are available: • For SCALANCE W1750D: Customers who do not use the “OpenDNS”, “Captive Portal” or “URL redirection” functionality, can deploy firewall rules in the device configuration to block incoming access to port 53/UDP. • For SCALANCE M800/S615: Disable DNS proxy in the device configuration (System - DNS - DNS Proxy - Disable Checkbox „Enable DNS Proxy“), and configure the connected devices in the internal network to use a different DNS server. • Apply Defense-in-Depth [1]
Vulnerable software versionsSCALANCE S615: All versions
SCALANCE M800: All versions
SCALANCE W1750D: All versions
CPE2.3- cpe:2.3:h:siemens:scalance_s615:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:scalance_m800:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:scalance_w1750d:*:*:*:*:*:*:*:*
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-689071.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
3) Memory corruption
EUVDB-ID: #VU8665
Risk: Medium
CVSSv4.0: 7.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/U:Green]
CVE-ID: CVE-2017-14496
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to boundary error in add_pseudoheader() function when processing DNS queries. A remote unauthenticated attacker can send a specially crafted DNS request to the affected service, cause dnsmasq to call memcpy with negative size and crash.
Successful exploitation of this vulnerability may allow an attacker to perform a denial of service (DoS) attack, but requires that dnsmasq is compiled with --add-mac, --add-cpe-id or --add-subnet option.
Siemens is preparing updates for the affected products and recommends the following mitigations until patches are available: • For SCALANCE W1750D: Customers who do not use the “OpenDNS”, “Captive Portal” or “URL redirection” functionality, can deploy firewall rules in the device configuration to block incoming access to port 53/UDP. • For SCALANCE M800/S615: Disable DNS proxy in the device configuration (System - DNS - DNS Proxy - Disable Checkbox „Enable DNS Proxy“), and configure the connected devices in the internal network to use a different DNS server. • Apply Defense-in-Depth [1]
Vulnerable software versionsSCALANCE S615: All versions
SCALANCE M800: All versions
SCALANCE W1750D: All versions
CPE2.3- cpe:2.3:h:siemens:scalance_s615:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:scalance_m800:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:scalance_w1750d:*:*:*:*:*:*:*:*
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-689071.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
4) Heap-based buffer overflow
EUVDB-ID: #VU8660
Risk: High
CVSSv4.0: 8.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/U:Amber]
CVE-ID: CVE-2017-14491
CWE-ID:
CWE-122 - Heap-based Buffer Overflow
Exploit availability: Yes
DescriptionThe vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to boundary error in dnsmasq.c file when processing DNS replies. A remote unauthenticated attacker can send specially crafted DNS packets to the affected service, trigger heap-based buffer overflow by 2 bytes and crash the service or execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
MitigationSiemens is preparing updates for the affected products and recommends the following mitigations until patches are available: • For SCALANCE W1750D: Customers who do not use the “OpenDNS”, “Captive Portal” or “URL redirection” functionality, can deploy firewall rules in the device configuration to block incoming access to port 53/UDP. • For SCALANCE M800/S615: Disable DNS proxy in the device configuration (System - DNS - DNS Proxy - Disable Checkbox „Enable DNS Proxy“), and configure the connected devices in the internal network to use a different DNS server. • Apply Defense-in-Depth [1]
Vulnerable software versionsSCALANCE S615: All versions
SCALANCE M800: All versions
SCALANCE W1750D: All versions
CPE2.3- cpe:2.3:h:siemens:scalance_s615:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:scalance_m800:*:*:*:*:*:*:*:*
- cpe:2.3:h:siemens:scalance_w1750d:*:*:*:*:*:*:*:*
https://www.siemens.com/cert/pool/cert/siemens_security_advisory_ssa-689071.pdf
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability. However, proof of concept for this vulnerability is available.
