Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.TENABLE_OT_SIEMENS_CVE-2022-47522.NASL
HistoryMay 15, 2023 - 12:00 a.m.

Siemens SCALANCE W1750D Improper Input Validation (CVE-2022-47522)

2023-05-1500:00:00
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
7
siemens scalance w1750d
cve-2022-47522
ieee 802.11
wi-fi encryption bypass
access point
mac address spoofing
tenable.ot scanner

7.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.5%

JSON

The IEEE 802.11 specifications through 802.11ax allow physically proximate attackers to intercept (possibly cleartext) target-destined frames by spoofing a target’s MAC address, sending Power Save frames to the access point, and then sending other frames to the access point (such as authentication frames or re-association frames) to remove the target’s original security context. This behavior occurs because the specifications do not require an access point to purge its transmit queue before removing a client’s pairwise encryption key.

The SCALANCE W1750D device is affected by Wi-Fi encryption bypass vulnerabilities (‘Framing Frames’) that could allow an attacker to disclose sensitive information or to steal the victims session.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(501135);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/02/21");

  script_cve_id("CVE-2022-47522");

  script_name(english:"Siemens SCALANCE W1750D Improper Input Validation (CVE-2022-47522)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"The IEEE 802.11 specifications through 802.11ax allow physically
proximate attackers to intercept (possibly cleartext) target-destined
frames by spoofing a target's MAC address, sending Power Save frames
to the access point, and then sending other frames to the access point
(such as authentication frames or re-association frames) to remove the
target's original security context. This behavior occurs because the
specifications do not require an access point to purge its transmit
queue before removing a client's pairwise encryption key.

The SCALANCE W1750D device is affected by Wi-Fi encryption bypass
vulnerabilities ('Framing Frames') that could allow an attacker to
disclose sensitive information or to steal the victims session.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-516174.html");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-23-131-02");
  script_set_attribute(attribute:"see_also", value:"https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2023-0006");
  script_set_attribute(attribute:"see_also", value:"https://papers.mathyvanhoef.com/usenix2023-wifi.pdf");
  script_set_attribute(attribute:"see_also", value:"https://www.wi-fi.org/discover-wi-fi/passpoint");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens has identified the following specific workarounds and mitigations users can apply to reduce risk: 

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. To
operate the devices in a protected IT environment, Siemens recommends configuring the environment according to their
Operational Guidelines for Industrial Security and following recommendations in the product manuals.

Additional information on industrial security by Siemens can be found on the Siemens Industrial Security website. 

For further inquiries on security vulnerabilities in Siemens products, visit Siemens ProductCERT. 

For more information, see the associated Siemens security advisory SSA-516174 in HTML and CSAF.");
  script_set_cvss_base_vector("CVSS2#AV:A/AC:H/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-47522");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_cwe_id(290);

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/04/15");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/04/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/05/15");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w1750d_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:scalance_w1750d_firmware" :
        {"family" : "SCALANCEW", "orderNumbers" : [ "6GK5750-2HX01-1AD0", "6GK5750-2HX01-1AA0", "6GK5750-2HX01-1AB0"]}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);
VendorProductVersionCPE
siemensscalance_w1750d_firmwarecpe:/o:siemens:scalance_w1750d_firmware

Related

freebsd_advisory 1
ics 2
prion 1
cvelist 4
nessus 1
cve 4
nvd 4
freebsd 1
freebsd_advisory
freebsd_advisory
FreeBSD-SA-23:11.wifi
2023-09-06 00:00:00
ics
ics
Siemens SCALANCE W1750D
2023-05-11 12:00:00
Siemens SCALANCE W700
2023-11-16 12:00:00
prion
prion
Authentication flaw
2023-04-15 02:15:00
cvelist
cvelist
CVE-2022-47522
2023-04-15 00:00:00
CVE-2024-30189
2024-04-09 08:34:40
CVE-2024-30190
2024-04-09 08:34:41
nessus
nessus
FreeBSD : FreeBSD -- Wi-Fi encryption bypass (924cb116-4d35-11ee-8e38-002590c1f29c)
2023-09-07 00:00:00
cve
cve
CVE-2022-47522
2023-04-15 02:15:07
CVE-2024-30190
2024-04-09 09:15:25
CVE-2024-30189
2024-04-09 09:15:24
nvd
nvd
CVE-2022-47522
2023-04-15 02:15:07
CVE-2024-30191
2024-04-09 09:15:25
CVE-2024-30189
2024-04-09 09:15:24
freebsd
freebsd
FreeBSD -- Wi-Fi encryption bypass
2023-09-06 00:00:00

7.7 High

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

29.5%

JSON
Related for TENABLE_OT_SIEMENS_CVE-2022-47522.NASL
freebsd_advisory1ics2prion1cvelist4nessus1cve4nvd4freebsd1