Siemens SCALANCE W1750D Devices Inadequate Encryption Strength (CVE-2022-4304)

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(501840);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/13");

  script_cve_id("CVE-2022-4304");

  script_name(english:"Siemens SCALANCE W1750D Devices Inadequate Encryption Strength (CVE-2022-4304)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A vulnerability exists in the OpenSSL that affects SCALANCE W1750D device.

A timing based side channel exists in the OpenSSL RSA Decryption
implementation which could be sufficient to recover a plaintext across
a network in a Bleichenbacher style attack. To achieve a successful
decryption an attacker would have to be able to send a very large
number of trial messages for decryption. The vulnerability affects all
RSA padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. For example, in a
TLS connection, RSA is commonly used by a client to send an encrypted
pre-master secret to the server. An attacker that had observed a
genuine connection between a client and a server could use this flaw
to send trial messages to the server and record the time taken to
process them. After a sufficiently large number of messages the
attacker could recover the pre-master secret used for the original
connection and thus be able to decrypt the application data sent over
that connection.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://www.openssl.org/news/secadv/20230207.txt");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-203374.html");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-23-075-04");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk: 
- CVE-2022-4304: Disable the use of RSA ciphers in the web server configuration; note that RSA ciphers are disabled by
default.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To
operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens'
operational guidelines for Industrial Security. Additional information on Siemens Industrial Security can be found here.

For more information, see the associated Siemens security advisory SSA-203374 in HTML and CSAF.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-4304");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(203, 326);

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/03/14");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/12/19");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w1750d_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:scalance_w1750d_firmware" :
        {"versionEndExcluding": "8.10.0.9", "family" : "SCALANCEW", "orderNumbers" : ["6GK5750-2HX01-1AD0","6GK5750-2HX01-1AA0","6GK5750-2HX01-1AB0"]}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);