nessus | This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof. | TENABLE_OT_SIEMENS_CVE-2021-37722.NASL
History: Apr 11, 2023 - 12:00 a.m.

Siemens SCALANCE Command Injection (CVE-2021-37722)

Tags: siemens scalance w1750, command injection, remote access, vulnerability, arubaos, security advisory

EPSS: 0.003 Low
Percentile: 68.7%

A remote arbitrary command execution vulnerability was discovered in Aruba SD-WAN Software and Gateways; Aruba Operating System Software version(s): Prior to 8.6.0.4-2.2.0.4; Prior to 8.7.1.4, 8.6.0.9, 8.5.0.13, 8.3.0.16, 6.5.4.20, 6.4.4.25. Aruba has released patches for Aruba SD-WAN Software and Gateways and ArubaOS that address this security vulnerability.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(501040);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/07/24");

  script_cve_id("CVE-2021-37722");

  script_name(english:"Siemens SCALANCE Command Injection (CVE-2021-37722)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A remote arbitrary command execution vulnerability was discovered in
Aruba SD-WAN Software and Gateways; Aruba Operating System Software
version(s): Prior to 8.6.0.4-2.2.0.4; Prior to 8.7.1.4, 8.6.0.9,
8.5.0.13, 8.3.0.16, 6.5.4.20, 6.4.4.25. Aruba has released patches for
Aruba SD-WAN Software and Gateways and ArubaOS that address this
security vulnerability.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-016.txt");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-21-287-07");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-280624.pdf");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens recommends upgrading SCALANCE W1750 to Versions 8.7.1.3 or later

SCALANCE W1750D: All version 8719 and prior (only affected by CVE-2019-5318, currently no fix is planned.

SCALANCE W1750 versions from 8.7.1.3 to 9.7.1.8 update to version 9.7.1.9 or later (only affected by CVE-2019-5318,
CVE-2020-37719, CVE-2021-37717, CVE-2021-37718, CVE-2021-37720, CVE-2021-37721, CVE-2021-37722, CVE-2021-37728).

Siemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:

- Block access to the ArubaOS Command Line Interface from all untrusted users.
- Block access to the ArubaOS web-based management interface from all untrusted users.
- Block access to the Mobility Conductor Command Line Interface from all untrusted users.
- Enabling the Enhanced PAPI Security feature where available will prevent exploitation of these vulnerabilities. Please
contact TAC for assistance if needed.
- Exploitation requires physical access. Controllers in strictly controlled physical environments are at low risk.
- To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends the communication between
Controller/Gateways and Access-Points be restricted either by having a dedicated Layer 2 segment/VLAN or, if
Controller/Gateways and Access-Points cross Layer 3 boundaries, to have firewall policies restricting the communication
of these authorized devices. In addition, enabling the Enhanced PAPI Security feature will prevent the PAPI-specific
vulnerabilities above from being exploited. Contact Aruba Support for configuration assistance.
- The RAPConsole or Local Debug (LD) homepage can be reached by users in a split or bridge role. This can be prevented
by configuring an ACL to restrict access to the LD homepage, which effectively prevents this issue. Detailed
instructions for ACL implementation are available.

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate
mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the
environment according to Siemens' operational guidelines for industrial security, and to follow the recommendations in
the product manuals.

For additional information, please refer to Siemens Security Advisory SSA-280624 in HTML or CSAF.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-37722");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(77);

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/09/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/09/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/04/11");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w1750d_firmware:-");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


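include('tenable_ot_cve_funcs.inc');

# Stop here unless the Tenable.ot integration recorded Siemens assets in the KB.
get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

# Affected firmware CPE; versionEndExcluding is an exclusive upper bound,
# so SCALANCE W family firmware versions below 8.7.1.9 match.
var vuln_cpes = {
    "cpe:/o:siemens:scalance_w1750d_firmware:-" :
        {"versionEndExcluding" : "8.7.1.9", "family" : "SCALANCEW"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);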

Vendor | Product | Version | CPE
siemens | scalance_w1750d_firmware | - | cpe:/o:siemens:scalance_w1750d_firmware:-
