nessusThis script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.TENABLE_OT_SIEMENS_CVE-2018-13807.NASL
HistoryJan 25, 2023 - 12:00 a.m.

Siemens SCALANCE X Switches (CVE-2018-13807)

2023-01-25 00:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
11
siemens
scalance x
switches
vulnerability
cve-2018-13807
network
denial-of-service
port 443
web server
reboot
exploit
tenable.ot

AI Score

8.3

Confidence

High

EPSS

0.003

Percentile

69.8%

A vulnerability has been identified in SCALANCE X300 (All versions < V4.0.0), SCALANCE X408 (All versions < V4.0.0), SCALANCE X414 (All versions). The web interface on port 443/tcp could allow an attacker to cause a Denial-of-Service condition by sending specially crafted packets to the web server. The device will automatically reboot, impacting network availability for other devices. An attacker must have network access to port 443/tcp to exploit the vulnerability.
Neither valid credentials nor interaction by a legitimate user is required to exploit the vulnerability. There is no confidentiality or integrity impact, only availability is temporarily impacted. This vulnerability could be triggered by publicly available tools.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

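# Plugin registration block: evaluated when the scanner loads plugin metadata.
# It records identifiers, advisory text, scoring and dependencies, then exits
# before any of the detection logic below this block is reached.
if (description)
{
  script_id(500756);
  script_version("1.4");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/12");

  script_cve_id("CVE-2018-13807");

  script_name(english:"Siemens SCALANCE X Switches (CVE-2018-13807)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability has been identified in SCALANCE X300 (All versions <
V4.0.0), SCALANCE X408 (All versions < V4.0.0), SCALANCE X414 (All
versions). The web interface on port 443/tcp could allow an attacker
to cause a Denial-of-Service condition by sending specially crafted
packets to the web server. The device will automatically reboot,
impacting network availability for other devices. An attacker must
have network access to port 443/tcp to exploit the vulnerability.
Neither valid credentials nor interaction by a legitimate user is
required to exploit the vulnerability. There is no confidentiality or
integrity impact, only availability is temporarily impacted. This
vulnerability could be triggered by publicly available tools.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-447396.pdf");
  script_set_attribute(attribute:"see_also", value:"https://ics-cert.us-cert.gov/advisories/ICSA-18-254-05");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/bid/105331");
  # Remediation text shown to the operator. The workaround bullet names the
  # SCALANCE X414, the model the description and the CPE list below give as
  # affected in all versions and for which only mitigations are offered.
  # The workaround also asks operators not to run vulnerability scanners
  # against affected devices, which is worth honouring when scheduling scans.
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens provides updates for SCALANCE X300, and SCALANCE X408, and provides mitigations for the SCALANCE X414.

- SCALANCE X300: Update to Version 4.1.2

https://support.industry.siemens.com/cs/us/en/view/109753720

- SCALANCE X408: Update to Version 4.1.2

https://support.industry.siemens.com/cs/us/en/view/109753720

- SCALANCE X414: Siemens has identified the following specific workarounds and mitigations that users can apply to
reduce the risk:
    - Protect network access to the integrated web server on Port 443/TCP with appropriate mechanisms.
    - Restrict network access to Port 443/TCP to trusted IP addresses, and avoid running vulnerability scanning tools
from trusted IP addresses on affected devices.

As a general security measure, Siemens strongly recommends to protect network access to devices with appropriate
mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the
environment according to Siemens' operational guidelines for Industrial Security (download:
https://www.siemens.com/cert/operational-guidelines-industrial-security), and to follow the recommendations in the
product manuals.

Additional information on Industrial Security by Siemens can be found at:

https://www.siemens.com/industrialsecurity.

For more information on this vulnerability and associated software updates, please see Siemens security advisory
SSA-447396 on their web site:

https://www.siemens.com/cert/advisories.");
  # Scoring: network-reachable, no privileges or user interaction, availability
  # impact only. S:C in the CVSS v3 vector is in line with the description's
  # statement that the reboot affects availability for other devices.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-13807");

  # NOTE(review): these fields report no known exploit, while the description
  # above says the condition could be triggered by publicly available tools.
  # Read them as feed metadata when prioritising, not as evidence that the
  # reboot is hard to provoke.
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20);

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/09/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2018/09/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/01/25");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  # CPEs registered here mirror the keys of the vuln_cpes table used by the
  # detection logic after this block.
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_x300_series_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_x408_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_x414_firmware:-");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # The plugin only runs after the Tenable.ot integration plugin, and only
  # when that integration has set the Siemens key in the knowledge base.
  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}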


include('tenable_ot_cve_funcs.inc');

# Stop here unless the knowledge base holds the Tenable.ot Siemens key.
get_kb_item_or_exit('Tenable.ot/Siemens');

# Siemens asset record supplied by the Tenable.ot helper library. None of the
# lines in this block addresses the switch's port 443 directly; what the
# helpers do internally is not visible here, so confirm in the include file.
var siemens_asset = tenable_ot::assets::get(vendor:'Siemens');

# Affected firmware, keyed by CPE. X300 and X408 are bounded at 4.0.0
# (exclusive); the X414 entry carries no version bound.
# NOTE(review): the X408 and X414 entries share family "SCALANCEX400".
# Confirm that compare_and_report does not match on family alone, otherwise
# the unbounded X414 entry could also flag an X408 already at 4.0.0 or later.
var affected_cpes = {
  "cpe:/o:siemens:scalance_x408_firmware" : {
    "versionEndExcluding" : "4.0.0",
    "family" : "SCALANCEX400"
  },
  "cpe:/o:siemens:scalance_x300_series_firmware" : {
    "versionEndExcluding" : "4.0.0",
    "family" : "SCALANCEX300"
  },
  "cpe:/o:siemens:scalance_x414_firmware:-" : {
    "family" : "SCALANCEX400"
  }
};

# Hand the asset and the table to the shared comparison routine, which is
# given SECURITY_HOLE as the severity to report with.
tenable_ot::cve::compare_and_report(
  asset:siemens_asset,
  cpes:affected_cpes,
  severity:SECURITY_HOLE
);
