Siemens SCALANCE W1750D Uncontrolled Resource Consumption (CVE-2002-20001)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(501154);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/24");

  script_cve_id("CVE-2002-20001");

  script_name(english:"Siemens SCALANCE W1750D Uncontrolled Resource Consumption (CVE-2002-20001)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Diffie-Hellman Key Agreement Protocol allows remote attackers
(from the client side) to send arbitrary numbers that are actually not
public keys, and trigger expensive server-side DHE modular-
exponentiation calculations, aka a D(HE)ater attack. The client needs
very little CPU resources and network bandwidth. The attack may be
more disruptive in cases where a client can require a server to select
its largest supported key size. The basic attack scenario is that the
client must claim that it can only communicate with DHE, and the
server must be configured to allow DHE.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://github.com/Balasys/dheater");
  # https://www.researchgate.net/profile/Anton-Stiglic-2/publication/2401745_Security_Issues_in_the_Diffie-Hellman_Key_Agreement_Protocol
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?500d1117");
  script_set_attribute(attribute:"see_also", value:"https://github.com/mozilla/ssl-config-generator/issues/162");
  # https://www.reddit.com/r/netsec/comments/qdoosy/server_overload_by_enforcing_dhe_key_exchange/
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?7a2a3191");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-506569.pdf");
  script_set_attribute(attribute:"see_also", value:"https://support.f5.com/csp/article/K83120834");
  script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/blog/blog/2022/10/21/tls-groups-configuration/");
  script_set_attribute(attribute:"see_also", value:"https://www.suse.com/support/kb/doc/?id=000020510");
  script_set_attribute(attribute:"see_also", value:"https://dheatattack.com");
  script_set_attribute(attribute:"see_also", value:"https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-004.txt");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-22-314-10");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens identified the following specific workarounds and mitigations to reduce risk: 

- CVE-2022-37885, CVE-2022-37886, CVE-2022-37887, CVE-2022-37888, and CVE-2022-37889: Enable CPSec via the cluster-
security command.
- CVE-2022-37890, CVE-2022-37891, CVE-2022-37892, CVE-2022-37895, and CVE-2022-37896: Restrict the web-based management
interface to a dedicated layer 2 segment/VLAN and/or control the interface by firewall policies at layer 3 and above.
- CVE-2022-37893: Restrict the command line interface to a dedicated layer 2 segment/VLAN and/or control the interface
by firewall policies at layer 3 and above.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. In
order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to
Siemens' operational guidelines for industrial security and following the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found at the Siemens website.

For more information, see the associated Siemens security advisory SSA-506569 in HTML and CSAF. 

Siemens SCALANCE W1750D is a brand-labeled device from Aruba. For more information regarding these vulnerabilities, see
the Aruba security advisory ARUBA-PSA-2022-014.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2002-20001");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(400);

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/11/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/11/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/05/24");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w1750d_firmware");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:scalance_w1750d_firmware" :
        {"versionEndExcluding" : "8.7.1.11", "family" : "SCALANCEW"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);