An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. This plugin reports the issue (CVE-2020-26147, one of the FragAttacks findings) against Siemens SCALANCE W devices; the Siemens advisory referenced for it is SSA-913875.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
# Description pass: registers the plugin's metadata (id, CVE, references,
# CVSS vectors, CPEs, dependencies) and exits before any detection logic runs.
if (description)
{
script_id(500985);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/19");
script_cve_id("CVE-2020-26147");
script_name(english:"Siemens SCALANCE FragAttacks (CVE-2020-26147)");
script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
# The description is the generic CVE text (it names Linux kernel 5.8.9), not a
# Siemens-specific statement; the affected SCALANCE models and version bounds
# are carried by the vuln_models map in the detection part of this file.
script_set_attribute(attribute:"description", value:
"An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2,
and WPA3 implementations reassemble fragments even though some of them
were sent in plaintext. This vulnerability can be abused to inject
packets and/or exfiltrate selected fragments when another device sends
fragmented frames and the WEP, CCMP, or GCMP data-confidentiality
protocol is used.
This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
# References. The Siemens advisory (ssa-913875) is the vendor source for this
# plugin's product scope.
# NOTE(review): the openwall and nessus.org references below use plain http://.
script_set_attribute(attribute:"see_also", value:"https://www.fragattacks.com");
script_set_attribute(attribute:"see_also", value:"https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md");
script_set_attribute(attribute:"see_also", value:"http://www.openwall.com/lists/oss-security/2021/05/11/12");
script_set_attribute(attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2021/06/msg00019.html");
script_set_attribute(attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2021/06/msg00020.html");
script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf");
# https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-wifi-faf-22epcEWu
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?1eb2468b");
# https://www.arista.com/en/support/advisories-notices/security-advisories/12602-security-advisory-63
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?839210e5");
# The solution text names no fixed firmware version; the operator has to take
# it from the vendor advisory listed in the references.
script_set_attribute(attribute:"solution", value:
"Refer to the vendor advisory.");
# CVSS: both vectors are adjacent-network (AV:A) and high complexity (AC:H).
# The v3 vector additionally requires user interaction (UI:R) and rates the
# integrity impact high (I:H) with low confidentiality impact (C:L).
script_set_cvss_base_vector("CVSS2#AV:A/AC:H/Au:N/C:P/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-26147");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"vuln_publication_date", value:"2021/05/11");
script_set_attribute(attribute:"patch_publication_date", value:"2021/05/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/04/11");
script_set_attribute(attribute:"plugin_type", value:"remote");
# Affected-product CPEs. Every entry has "-" in the version field, so the CPE
# list itself carries no version bound; it only identifies model and variant.
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w1748-1_firmware:-::~~~~m12~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w1750d_firmware:-");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w1788-1_firmware:-::~~~~m12~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w1788-2_firmware:-::~~~~eec_m12~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w1788-2_firmware:-::~~~~m12~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w1788-2ia_firmware:-::~~~~m12~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w721-1_firmware:-::~~~~rj45~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w722-1_firmware:-::~~~~rj45~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w734-1_firmware:-::~~~~rj45~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w738-1_firmware:-::~~~~m12~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w748-1_firmware:-::~~~~m12~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w748-1_firmware:-::~~~~rj45~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w761-1_firmware:-::~~~~rj45~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w774-1_firmware:-::~~~~m12_eec~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w774-1_firmware:-::~~~~rj45~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w778-1_firmware:-::~~~~m12_eec~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w778-1_firmware:-::~~~~m12~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w786-1_firmware:-::~~~~rj45~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w786-2_firmware:-::~~~~rj45~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w786-2_firmware:-::~~~~sfp~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w786-2ia_firmware:-::~~~~rj45~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w788-1_firmware:-::~~~~m12~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w788-1_firmware:-::~~~~rj45~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w788-2_firmware:-::~~~~m12_eec~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w788-2_firmware:-::~~~~m12~");
script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w788-2_firmware:-::~~~~rj45~");
script_set_attribute(attribute:"generated_plugin", value:"former");
script_end_attributes();
# ACT_GATHER_INFO: the plugin is registered as an information-gathering check.
script_category(ACT_GATHER_INFO);
script_family(english:"Tenable.ot");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
# Depends on the Tenable.ot integration plugin and requires the
# "Tenable.ot/Siemens" KB key, so it is scoped to Siemens assets.
script_dependencies("tenable_ot_api_integration.nasl");
script_require_keys("Tenable.ot/Siemens");
# End the description pass here; the detection code after this block must not
# run while the plugin is only being registered.
exit(0);
}
include('tenable_ot_cve_funcs.inc');
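# Detection pass: match the Siemens asset reported by Tenable.ot against the
# affected SCALANCE W models and report CVE-2020-26147 when it matches.

# Stop unless the Tenable.ot integration has set the Siemens KB key.
get_kb_item_or_exit('Tenable.ot/Siemens');

# Presumably the asset record (model, firmware version) for the Siemens device
# under test -- the helper is defined in tenable_ot_cve_funcs.inc, not here.
var asset = tenable_ot::assets::get(vendor:'Siemens');

# Affected models, keyed by product name.
#   versionEndExcluding : presumably an exclusive upper bound, i.e. firmware
#                         below this version is reported (the field name
#                         matches the NVD CPE-match convention) -- confirm
#                         against the helper.
#   no versionEndExcluding : the entry carries no version bound, so the model
#                         is presumably reported at any firmware version.
#                         Re-check these entries against Siemens advisory
#                         SSA-913875 when it is updated with fixed releases,
#                         otherwise patched devices keep being flagged.
var vuln_models = {
  "SCALANCE W1748-1 M12" :
    {"versionEndExcluding" : "3.0.0", "family" : "SCALANCEW"},
  "SCALANCE W1750D" :
    {"versionEndExcluding" : "8.7.1.3", "family" : "SCALANCEW"},
  "SCALANCE W1788-1 M12" :
    {"versionEndExcluding" : "3.0.0", "family" : "SCALANCEW"},
  "SCALANCE W1788-2 EEC M12" :
    {"versionEndExcluding" : "3.0.0", "family" : "SCALANCEW"},
  "SCALANCE W1788-2 M12" :
    {"versionEndExcluding" : "3.0.0", "family" : "SCALANCEW"},
  "SCALANCE W1788-2IA M12" :
    {"versionEndExcluding" : "3.0.0", "family" : "SCALANCEW"},
  "SCALANCE W721-1 RJ45" :
    {"family" : "SCALANCEW"},
  "SCALANCE W722-1 RJ45" :
    {"family" : "SCALANCEW"},
  "SCALANCE W734-1 RJ45" :
    {"family" : "SCALANCEW"},
  "SCALANCE W738-1 M12" :
    {"family" : "SCALANCEW"},
  "SCALANCE W748-1 M12" :
    {"family" : "SCALANCEW"},
  # Added: the plugin's CPE list declares scalance_w748-1_firmware for both
  # the m12 and the rj45 variant, but only the M12 model was present here, so
  # a W748-1 RJ45 asset would never have been matched.
  "SCALANCE W748-1 RJ45" :
    {"family" : "SCALANCEW"},
  "SCALANCE W761-1 RJ45" :
    {"family" : "SCALANCEW"},
  "SCALANCE W774-1 M12 EEC" :
    {"family" : "SCALANCEW"},
  "SCALANCE W774-1 RJ45" :
    {"family" : "SCALANCEW"},
  "SCALANCE W778-1 M12" :
    {"family" : "SCALANCEW"},
  "SCALANCE W778-1 M12 EEC" :
    {"family" : "SCALANCEW"},
  "SCALANCE W786-1 RJ45" :
    {"family" : "SCALANCEW"},
  "SCALANCE W786-2 RJ45" :
    {"family" : "SCALANCEW"},
  "SCALANCE W786-2 SFP" :
    {"family" : "SCALANCEW"},
  "SCALANCE W786-2IA RJ45" :
    {"family" : "SCALANCEW"},
  "SCALANCE W788-1 M12" :
    {"family" : "SCALANCEW"},
  "SCALANCE W788-1 RJ45" :
    {"family" : "SCALANCEW"},
  "SCALANCE W788-2 M12" :
    {"family" : "SCALANCEW"},
  "SCALANCE W788-2 M12 EEC" :
    {"family" : "SCALANCEW"},
  "SCALANCE W788-2 RJ45" :
    {"family" : "SCALANCEW"}
};

# The match is made on inventory data (model name and firmware version), not
# by probing the device, so the result is only as accurate as the asset record.
# The finding is reported at SECURITY_NOTE level.
tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_models, severity:SECURITY_NOTE);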
Vendor | Product | Version | CPE |
---|---|---|---|
siemens | scalance_w1748-1_firmware | - | cpe:/o:siemens:scalance_w1748-1_firmware:-::~~~~m12~ |
siemens | scalance_w1750d_firmware | - | cpe:/o:siemens:scalance_w1750d_firmware:- |
siemens | scalance_w1788-1_firmware | - | cpe:/o:siemens:scalance_w1788-1_firmware:-::~~~~m12~ |
siemens | scalance_w1788-2_firmware | - | cpe:/o:siemens:scalance_w1788-2_firmware:-::~~~~eec_m12~ |
siemens | scalance_w1788-2_firmware | - | cpe:/o:siemens:scalance_w1788-2_firmware:-::~~~~m12~ |
siemens | scalance_w1788-2ia_firmware | - | cpe:/o:siemens:scalance_w1788-2ia_firmware:-::~~~~m12~ |
siemens | scalance_w721-1_firmware | - | cpe:/o:siemens:scalance_w721-1_firmware:-::~~~~rj45~ |
siemens | scalance_w722-1_firmware | - | cpe:/o:siemens:scalance_w722-1_firmware:-::~~~~rj45~ |
siemens | scalance_w734-1_firmware | - | cpe:/o:siemens:scalance_w734-1_firmware:-::~~~~rj45~ |
siemens | scalance_w738-1_firmware | - | cpe:/o:siemens:scalance_w738-1_firmware:-::~~~~m12~ |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26147
www.nessus.org/u?1eb2468b
www.nessus.org/u?839210e5
www.openwall.com/lists/oss-security/2021/05/11/12
cert-portal.siemens.com/productcert/pdf/ssa-913875.pdf
github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md
lists.debian.org/debian-lts-announce/2021/06/msg00019.html
lists.debian.org/debian-lts-announce/2021/06/msg00020.html
www.fragattacks.com