Siemens SCALANCE OS Command Injection (CVE-2023-49691)

2024-04-1500:00:00

www.tenable.com

siemens scalance

command injection

vulnerability

tenable.ot

os command

ddns

privileges

system level

security advisory

8 High

AI Score

Confidence

High

JSON

An Improper Neutralization of Special Elements used in an OS Command with root privileges vulnerability exists in the handling of the DDNS configuration. This could allow malicious local administrators to issue commands on system level after a successful IP address update.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(502208);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/18");

  script_cve_id("CVE-2023-49691");

  script_name(english:"Siemens SCALANCE OS Command Injection (CVE-2023-49691)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"An Improper Neutralization of Special Elements used in an OS Command 
with root privileges vulnerability exists in the handling of the 
DDNS configuration. This could allow malicious local administrators to 
issue commands on system level after a successful IP address update. 

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-602936.pdf");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-24-046-09");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/html/ssa-180704.html");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-23-348-14");
  script_set_attribute(attribute:"solution", value:
"Siemens has released new versions for several affected products and recommends users update to the latest versions.

For more information, see the associated Siemens security advisory in HTML and CSAF.");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:M/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-49691");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2024/02/13");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/02/13");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/04/15");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_sc622-2c_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_sc626-2c_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_sc632-2c_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_sc636-2c_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_sc642-2c_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_sc646-2c_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_s615_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_s615_eec_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:ruggedcom_rm1224_lte_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_m804pb_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_m812-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_m816-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_m826-2_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_m874-2_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_m874-3_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_m876-3_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_m876-4_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_mum853-1_firmware");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_mum856-1_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:scalance_sc622-2c_firmware" :
        {"versionEndExcluding" : "3.0.2", "family" : "SCALANCES", "orderNumbers": ["6GK5622-2GS00-2AC2"]},
    "cpe:/o:siemens:scalance_sc626-2c_firmware" :
        {"versionEndExcluding" : "3.0.2", "family" : "SCALANCES", "orderNumbers": ["6GK5626-2GS00-2AC2"]},
    "cpe:/o:siemens:scalance_sc632-2c_firmware" :
        {"versionEndExcluding" : "3.0.2", "family" : "SCALANCES", "orderNumbers": ["6GK5632-2GS00-2AC2"]},
    "cpe:/o:siemens:scalance_sc636-2c_firmware" :
        {"versionEndExcluding" : "3.0.2", "family" : "SCALANCES", "orderNumbers": ["6GK5636-2GS00-2AC2"]},
    "cpe:/o:siemens:scalance_sc642-2c_firmware" :
        {"versionEndExcluding" : "3.0.2", "family" : "SCALANCES", "orderNumbers": ["6GK5642-2GS00-2AC2"]},
    "cpe:/o:siemens:scalance_sc646-2c_firmware" :
        {"versionEndExcluding" : "3.0.2", "family" : "SCALANCES", "orderNumbers": ["6GK5646-2GS00-2AC2"]},
    "cpe:/o:siemens:scalance_s615_firmware" :
        {"family" : "SCALANCES", "versionEndExcluding" : "8.0","orderNumbers": ["6GK5615-0AA00-2AA2"]},
    "cpe:/o:siemens:scalance_s615_eec_firmware" :
        {"family" : "SCALANCES", "versionEndExcluding" : "8.0","orderNumbers": ["6GK5615-0AA01-2AA2"]},
    "cpe:/o:siemens:ruggedcom_rm1224_lte_firmware" :
        {"family" : "RuggedCom", "versionEndExcluding" : "8.0","orderNumbers": ["6GK6108-4AM00-2BA2", "6GK6108-4AM00-2DA2"]},
    "cpe:/o:siemens:scalance_m804pb_firmware" :
        {"family" : "SCALANCEM", "versionEndExcluding" : "8.0","orderNumbers": ["6GK5804-0AP00-2AA2"]},
    "cpe:/o:siemens:scalance_m812-1_firmware" :
        {"family" : "SCALANCEM", "versionEndExcluding" : "8.0","orderNumbers": ["6GK5812-1AA00-2AA2","6GK5812-1BA00-2AA2"]},
    "cpe:/o:siemens:scalance_m816-1_firmware" :
        {"family" : "SCALANCEM", "versionEndExcluding" : "8.0","orderNumbers": ["6GK5816-1AA00-2AA2","6GK5816-1BA00-2AA2"]},
    "cpe:/o:siemens:scalance_m826-2_firmware" :
        {"family" : "SCALANCEM", "versionEndExcluding" : "8.0","orderNumbers": ["6GK5826-2AB00-2AB2"]},
    "cpe:/o:siemens:scalance_m874-2_firmware" :
        {"family" : "SCALANCEM", "versionEndExcluding" : "8.0","orderNumbers": ["6GK5874-2AA00-2AA2"]},
    "cpe:/o:siemens:scalance_m874-3_firmware" :
        {"family" : "SCALANCEM", "versionEndExcluding" : "8.0","orderNumbers": ["6GK5874-3AA00-2AA2"]},
    "cpe:/o:siemens:scalance_m876-3_firmware" :
        {"family" : "SCALANCEM", "versionEndExcluding" : "8.0","orderNumbers": ["6GK5876-3AA02-2BA2","6GK5876-3AA02-2EA2"]},
    "cpe:/o:siemens:scalance_m876-4_firmware" :
        {"family" : "SCALANCEM", "versionEndExcluding" : "8.0","orderNumbers": ["6GK5876-4AA10-2BA2","6GK5876-4AA00-2BA2","6GK5876-4AA00-2DA2"]},
    "cpe:/o:siemens:scalance_mum853-1_firmware" :
        {"family" : "SCALANCEM", "versionEndExcluding" : "8.0","orderNumbers": ["6GK5853-2EA00-2DA1"]},
    "cpe:/o:siemens:scalance_mum856-1_firmware" :
        {"family" : "SCALANCEM", "versionEndExcluding" : "8.0","orderNumbers": ["6GK5856-2EA00-3DA1","6GK5856-2EA00-3AA1"]}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_WARNING);

VendorProductVersionCPE
siemensscalance_sc622-2c_firmwarecpe:/o:siemens:scalance_sc622-2c_firmware
siemensscalance_sc626-2c_firmwarecpe:/o:siemens:scalance_sc626-2c_firmware
siemensscalance_sc632-2c_firmwarecpe:/o:siemens:scalance_sc632-2c_firmware
siemensscalance_sc636-2c_firmwarecpe:/o:siemens:scalance_sc636-2c_firmware
siemensscalance_sc642-2c_firmwarecpe:/o:siemens:scalance_sc642-2c_firmware
siemensscalance_sc646-2c_firmwarecpe:/o:siemens:scalance_sc646-2c_firmware
siemensscalance_s615_firmwarecpe:/o:siemens:scalance_s615_firmware
siemensscalance_s615_eec_firmwarecpe:/o:siemens:scalance_s615_eec_firmware
siemensruggedcom_rm1224_lte_firmwarecpe:/o:siemens:ruggedcom_rm1224_lte_firmware
siemensscalance_m804pb_firmwarecpe:/o:siemens:scalance_m804pb_firmware

Vendor	Product	CPE
siemens	scalance_sc622-2c_firmware	cpe:/o:siemens:scalance_sc622-2c_firmware
siemens	scalance_sc626-2c_firmware	cpe:/o:siemens:scalance_sc626-2c_firmware
siemens	scalance_sc632-2c_firmware	cpe:/o:siemens:scalance_sc632-2c_firmware
siemens	scalance_sc636-2c_firmware	cpe:/o:siemens:scalance_sc636-2c_firmware
siemens	scalance_sc642-2c_firmware	cpe:/o:siemens:scalance_sc642-2c_firmware
siemens	scalance_sc646-2c_firmware	cpe:/o:siemens:scalance_sc646-2c_firmware
siemens	scalance_s615_firmware	cpe:/o:siemens:scalance_s615_firmware
siemens	scalance_s615_eec_firmware	cpe:/o:siemens:scalance_s615_eec_firmware
siemens	ruggedcom_rm1224_lte_firmware	cpe:/o:siemens:ruggedcom_rm1224_lte_firmware
siemens	scalance_m804pb_firmware	cpe:/o:siemens:scalance_m804pb_firmware