Siemens SCALANCE W1750D Command Injection (CVE-2018-7084)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(500886);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/24");

  script_cve_id("CVE-2018-7084");

  script_name(english:"Siemens SCALANCE W1750D Command Injection (CVE-2018-7084)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A command injection vulnerability is present that permits an unauthenticated user with access to the Aruba Instant web
interface to execute arbitrary system commands within the underlying operating system. An attacker could use this
ability to copy files, read configuration, write files, delete files, or reboot the device. Workaround: Block access to
the Aruba Instant web interface from all untrusted users. Resolution: Fixed in Aruba Instant 4.2.4.12, 6.5.4.11,
8.3.0.6, and 8.4.0.1

  - A command injection vulnerability is present that permits an unauthenticated user with access to the Aruba
    Instant web interface to execute arbitrary system commands within the underlying operating system. An
    attacker could use this ability to copy files, read configuration, write files, delete files, or reboot
    the device. Workaround: Block access to the Aruba Instant web interface from all untrusted users.
    Resolution: Fixed in Aruba Instant 4.2.4.12, 6.5.4.11, 8.3.0.6, and 8.4.0.1 (CVE-2018-7084)

This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2019-001.txt");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-19-134-07");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-549547.pdf");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/bid/108374");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens recommends users upgrade to Version 8.4.0.1 or later, which can be downloaded from the following link:

https://support.industry.siemens.com/cs/us/en/view/109766816/

Siemens has identified the following specific workarounds and mitigations that users can apply to reduce the risk:

- Restrict access to the web-based management interface to the internal or VPN network.
- Do not browse other websites and do not click on external links while being authenticated to the administrative web
interface.
- Apply appropriate strategies for mitigation.

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate
mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the
environment according to Siemens’ operational guidelines for industrial security, and following the recommendations in
the product manuals.

Additional information on Industrial Security by Siemens can be found at:

https://www.siemens.com/industrialsecurity

For more information on these vulnerabilities and associated software updates, please see Siemens security advisory
SSA-549547 on their website:

https://www.siemens.com/cert/advisories");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2018-7084");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(78);

  script_set_attribute(attribute:"vuln_publication_date", value:"2019/05/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/03/20");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w1750d_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:scalance_w1750d_firmware" :
        {"versionEndExcluding" : "8.4.0.1", "family" : "SCALANCEW"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);