Scalance X300, Scalance X408, Scalance X414 Security Vulnerabilities

Siemens SCALANCE LPE9403 Race Condition (CVE-2021-36221)

Go before 1.15.15 and 1.16.x before 1.16.7 has a race condition that can lead to a net/http/httputil ReverseProxy panic upon an ErrAbortHandler abort. This plugin only works with Tenable.ot. Please visit https://www.tenable.com/products/tenable-ot for more...

Siemens SCALANCE S Improper Neutralization of Input During Web Page Generation (CVE-2018-16555)

A vulnerability has been identified in SCALANCE S602 (All versions < V4.0.1.1), SCALANCE S612 (All versions < V4.0.1.1), SCALANCE S623 (All versions < V4.0.1.1), SCALANCE S627-2M (All versions < V4.0.1.1). The integrated web server could allow Cross-Site Scripting (XSS) attacks if unsus...

Siemens SCALANCE FragAttacks (CVE-2020-26147)

An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames.....

Siemens SCALANCE X-200IRT User Impersonation (CVE-2015-1049)

The web server on Siemens SCALANCE X-200IRT switches with firmware before 5.2.0 allows remote attackers to hijack sessions via unspecified vectors. Products with the following MLFBs are affected: 6GK5201-3BH00-2BA3 6GK5200-4AH00-2BA3 6GK5202-2BB00-2BA3 6GK5204-0BA00-2BA3 6GK5201-3JR00-2BA6...

Siemens SCALANCE W1750D Improper Neutralization of Input During Web Page Generation (CVE-2022-37892)

A vulnerability in the Aruba InstantOS and ArubaOS 10 web management interface could allow an unauthenticated remote attacker to conduct a stored cross-site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a...

Siemens SCALANCE W1750D Improper Neutralization of Input During Web Page Generation (CVE-2022-37896)

A vulnerability in the Aruba InstantOS and ArubaOS 10 web management interface could allow a remote attacker to conduct a reflected cross- site scripting (XSS) attack against a user of the interface. A successful exploit could allow an attacker to execute arbitrary script code in a victim's...

Siemens SCALANCE Cross-Site Request Forgery (CVE-2019-5318)

A remote cross-site request forgery (csrf) vulnerability was discovered in Aruba Operating System Software version(s): 6.x.x.x: all versions, 8.x.x.x: all versions prior to 8.8.0.0. Aruba has released patches for ArubaOS that address this security vulnerability. This plugin only works with...

Siemens SCALANCE Command Injection (CVE-2021-37723)

A remote arbitrary command execution vulnerability was discovered in Aruba Operating System Software version(s): Prior to 8.7.1.2, 8.6.0.8, 8.5.0.12, 8.3.0.16. Aruba has released patches for ArubaOS that address this security vulnerability. This plugin only works with Tenable.ot. Please visit...

Siemens RUGGEDCOM, SCALANCE, SIMATIC, SINEMA Improper Input Validation (CVE-2018-5391)

The Linux kernel, versions 3.9+, is vulnerable to a denial of service attack with low rates of specially modified packets targeting IP fragment re-assembly. An attacker may cause a denial of service condition by sending specially crafted IP fragments. Various vulnerabilities in IP fragmentation...

Siemens SCALANCE W1750D Classic Buffer Overflow (CVE-2022-37891)

Unauthenticated buffer overflow vulnerabilities exist within the Aruba InstantOS and ArubaOS 10 web management interface. Successful exploitation results in the execution of arbitrary commands on the underlying operating system of Aruba InstantOS 6.4.x: 6.4.4.8-4.2.4.20 and below; Aruba InstantOS.....

Siemens SCALANCE W1750D Improper Input Validation (CVE-2021-25155)

A remote arbitrary file modification vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and...

Siemens SCALANCE W1750D Command Injection (CVE-2021-25146)

A remote execution of arbitrary commands vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.17 and below; Aruba Instant 8.3.x: 8.3.0.13 and below; Aruba Instant 8.5.x: 8.5.0.10 and below; Aruba Instant 8.6.x: 8.6.0.5 and below;.....

Siemens SCALANCE Command Injection (CVE-2021-37720)

A remote arbitrary command execution vulnerability was discovered in Aruba SD-WAN Software and Gateways; Aruba Operating System Software version(s): Prior to 8.6.0.4-2.2.0.4; Prior to 8.7.1.4, 8.6.0.9, 8.5.0.13, 8.3.0.16, 6.5.4.20, 6.4.4.25. Aruba has released patches for Aruba SD-WAN Software and....

Siemens SCALANCE W1750D Classic Buffer Overflow (CVE-2019-5319)

A remote buffer overflow vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.16 and below; Aruba Instant 8.3.x: 8.3.0.12 and below; Aruba Instant 8.5.x: 8.5.0.6 and below; Aruba...

Siemens SCALANCE Products Improper Adherence to Coding Standards (CVE-2019-10928)

A vulnerability has been identified in SCALANCE SC-600 (V2.0). An authenticated attacker with access to port 22/tcp as well as physical access to an affected device may trigger the device to allow execution of arbitrary commands. The security vulnerability could be exploited by an authenticated...

Siemens SCALANCE W780 and W740 Allocation of Resources Without Limits or Throttling (CVE-2021-25666)

A vulnerability has been identified in SCALANCE W780 and W740 (IEEE 802.11n) family (All versions < V6.3). Sending specially crafted packets through the ARP protocol to an affected device could cause a partial denial-of-service, preventing the device to operate normally for a short period of tim...

Siemens SCALANCE W1750D Improper Limitation of a Pathname to a Restricted Directory (CVE-2021-37734)

A remote unauthorized read access to files vulnerability was discovered in Aruba Instant version(s): 6.4.x.x: 6.4.4.8-4.2.4.18 and below; Aruba Instant 6.5.x.x: 6.5.4.19 and below; Aruba Instant 8.5.x.x: 8.5.0.12 and below; Aruba Instant 8.6.x.x: 8.6.0.11 and below; Aruba Instant 8.7.x.x: 8.7.1.3.....

Siemens SCALANCE W1750D Improper Input Validation (CVE-2021-25156)

A remote arbitrary directory create vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and...

Siemens SCALANCE W1750D Improper Input Validation (CVE-2021-25157)

A remote arbitrary file read vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below;...

Siemens Ruggedcom ROS, SCALANCE Improper Access Control (CVE-2017-12736)

A vulnerability has been identified in RUGGEDCOM ROS for RSL910 devices (All versions < ROS V5.0.1), RUGGEDCOM ROS for all other devices (All versions < ROS V4.3.4), SCALANCE XB-200/XC-200/XP-200/XR300-WG (All versions between V3.0 (including) and V3.0.2 (excluding)), SCALANCE XR-500/XM-400 (...

Siemens SCALANCE X Switches Use of Hard-Coded Cryptographic Key (CVE-2020-28395)

A vulnerability has been identified in SCALANCE X-200RNA switch family (All versions < V3.2.7), SCALANCE X-300 switch family (incl. X408 and SIPLUS NET variants) (All versions < V4.1.0). Devices do not create a new unique private key after factory reset. An attacker could leverage this situat...

Siemens SCALANCE W1750D Improper Input Validation (CVE-2022-37894)

An unauthenticated Denial of Service (DoS) vulnerability exists in the handling of certain SSID strings by Aruba InstantOS and ArubaOS 10. Successful exploitation of this vulnerability results in the ability to interrupt the normal operation of the affected AP of Aruba InstantOS 6.4.x:...

Siemens SCALANCE W1700 Improper Input Validation (CVE-2022-28328)

A vulnerability has been identified in SCALANCE W1788-1 M12 (All versions < V3.0.0), SCALANCE W1788-2 EEC M12 (All versions < V3.0.0), SCALANCE W1788-2 M12 (All versions < V3.0.0), SCALANCE W1788-2IA M12 (All versions < V3.0.0). Affected devices do not properly handle malformed Multicas...

Siemens SCALANCE W1700 Improper Input Validation (CVE-2022-28329)

A vulnerability has been identified in SCALANCE W1788-1 M12 (All versions < V3.0.0), SCALANCE W1788-2 EEC M12 (All versions < V3.0.0), SCALANCE W1788-2 M12 (All versions < V3.0.0), SCALANCE W1788-2IA M12 (All versions < V3.0.0). Affected devices do not properly handle malformed TCP pack...

Siemens SCALANCE FragAttacks (CVE-2020-26140)

An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration. This plugin only.....

Siemens SCALANCE W1750D Improper Neutralization of Input During Web Page Generation (CVE-2018-7064)

A reflected cross-site scripting (XSS) vulnerability is present in an unauthenticated Aruba Instant web interface. An attacker could use this vulnerability to trick an IAP administrator into clicking a link which could then take administrative actions on the Instant cluster, or expose the session.....

Siemens SCALANCE XCM332 Allocation of Resources Without Limits or Throttling (CVE-2022-32205)

A malicious server can serve excessive amounts of Set-Cookie: headers in a HTTP response to curl and curl < 7.84.0 stores all of them. A sufficiently large amount of (big) cookies make subsequent HTTP requests to this, or other servers to which the cookies match, create requests that become larg...

Siemens SCALANCE W1750D Concurrent Execution Using Shared Resource with Improper Synchronization (CVE-2021-25158)

A remote arbitrary file read vulnerability was discovered in some Aruba Instant Access Point (IAP) products in version(s): Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba Instant 8.6.x: 8.6.0.7 and below; Aruba...

Siemens SCALANCE W1750D Command Injection (CVE-2021-37727)

A remote arbitrary command execution vulnerability was discovered in HPE Aruba Instant (IAP) version(s): 6.4.x.x: 6.4.4.8-4.2.4.18 and below; Aruba Instant 6.5.x.x: 6.5.4.20 and below; Aruba Instant 8.5.x.x: 8.5.0.12 and below; Aruba Instant 8.6.x.x: 8.6.0.11 and below; Aruba Instant 8.7.x.x:...

Siemens SCALANCE XCM332 Allocation of Resources Without Limits or Throttling (CVE-2022-32206)

curl < 7.84.0 supports chained HTTP compression algorithms, meaning that a serverresponse can be compressed multiple times and potentially with different algorithms. The number of acceptable links in this decompression chain was unbounded, allowing a malicious server to insert a virtually...

Siemens SCALANCE M875 Arbitrary OS Command Execution (CVE-2018-4860)

A vulnerability has been identified in SCALANCE M875 (All versions). An authenticated remote attacker with access to the web interface (443/tcp), could execute arbitrary operating system commands. Successful exploitation requires that the attacker has network access to the web interface. The...

Siemens SCALANCE and RUGGEDCOM Devices Stack-Based Buffer Overflow (CVE-2021-25667)

A vulnerability has been identified in RUGGEDCOM RM1224 (All versions >= V4.3 and < V6.4), SCALANCE M-800 (All versions >= V4.3 and < V6.4), SCALANCE S615 (All versions >= V4.3 and < V6.4), SCALANCE SC-600 Family (All versions >= V2.0 and < V2.1.3), SCALANCE XB-200 (All vers...

Siemens SCALANCE XM-400 and XR-500 Devices Incorrect Calculation (CVE-2020-28393)

An unauthenticated remote attacker could create a permanent denial-of- service condition by sending specially crafted OSPF packets. Successful exploitation requires OSPF to be enabled on an affected device on the SCALANCE XM-400, XR-500 (All versions prior to v6.4). This plugin only works with...

Siemens SCALANCE S-600 Improper Neutralization of Script-Related HTML Tags in a Web Page (CVE-2019-6585)

A vulnerability has been identified in SCALANCE S602 (All versions >= V3.0 and < V4.1), SCALANCE S612 (All versions >= V3.0 and < V4.1), SCALANCE S623 (All versions >= V3.0 and < V4.1), SCALANCE S627-2M (All versions >= V3.0 and < V4.1). The integrated configuration web serv...

Siemens SCALANCE and RUGGEDCOM Devices SSH Improper Restriction of Excessive Authentication Attempts (CVE-2021-25676)

A vulnerability has been identified in RUGGEDCOM RM1224 (V6.3), SCALANCE M-800 (V6.3), SCALANCE S615 (V6.3), SCALANCE SC-600 (All Versions >= V2.1 and < V2.1.3). Multiple failed SSH authentication attempts could trigger a temporary Denial-of-Service under certain conditions. When triggered, t...

Siemens SCALANCE S-600 Uncontrolled Resource Consumption (CVE-2019-13925)

A vulnerability has been identified in SCALANCE S602 (All versions >= V3.0 and < V4.1), SCALANCE S612 (All versions >= V3.0 and < V4.1), SCALANCE S623 (All versions >= V3.0 and < V4.1), SCALANCE S627-2M (All versions >= V3.0 and < V4.1). Specially crafted packets sent to por...

Siemens SCALANCE S-600 Uncontrolled Resource Consumption (CVE-2019-13926)

A vulnerability has been identified in SCALANCE S602 (All versions >= V3.0 and < V4.1), SCALANCE S612 (All versions >= V3.0 and < V4.1), SCALANCE S623 (All versions >= V3.0 and < V4.1), SCALANCE S627-2M (All versions >= V3.0 and < V4.1). Specially crafted packets sent to por...

Siemens SCALANCE X-200RNA Switch Devices Path Traversal (CVE-2019-6111)

An issue was discovered in OpenSSH 7.9. Due to the scp implementation being derived from 1983 rcp, the server chooses which files/directories are sent to the client. However, the scp client only performs cursory validation of the object name returned (only directory traversal attacks are...

Siemens SCALANCE Third-Party

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services |.....

Unbreakable Enterprise kernel security update

[5.4.17-2136.317.5.3] - udf: Fix file corruption when appending just after end of preallocated extent (Jan Kara) [Orabug: 35192150] - selftests/ftrace: Fix bash specific '==' operator (Masami Hiramatsu (Google)) [Orabug: 35192150] - net: Fix unwanted sign extension in netdev_stats_to_stats64()...

Unbreakable Enterprise kernel-container security update

[5.4.17-2136.317.5.3] - udf: Fix file corruption when appending just after end of preallocated extent (Jan Kara) [Orabug: 35192150] - selftests/ftrace: Fix bash specific '==' operator (Masami Hiramatsu (Google)) [Orabug: 35192150] - net: Fix unwanted sign extension in netdev_stats_to_stats64()...

Siemens TCP Event Service of SCALANCE And RUGGEDCOM Devices Improper Input Validation (CVE-2022-31766)

A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (All versions < V7.1.2), RUGGEDCOM RM1224 LTE(4G) NAM (All versions < V7.1.2), SCALANCE M804PB (All versions < V7.1.2), SCALANCE M812-1 ADSL-Router (Annex A) (All versions < V7.1.2), SCALANCE M812-1 ADSL- Router (Annex B...

Siemens SCALANCE W1750D Command Injection (CVE-2018-7084)

A command injection vulnerability is present that permits an unauthenticated user with access to the Aruba Instant web interface to execute arbitrary system commands within the underlying operating system. An attacker could use this ability to copy files, read configuration, write files, delete...

Unbreakable Enterprise kernel-container security update

[4.14.35-2047.523.4.1] - mm: kvmalloc does not fallback to vmalloc for incompatible gfp flags (Michal Hocko) [Orabug: 35164196] [4.14.35-2047.523.4] - rds: ib: Keep IB MRs on clean_list unless we are tearing down the pool (Hakon Bugge) [Orabug: 34987235] - rds: ib: Add FRWR related statistics...

Unbreakable Enterprise kernel security update

[4.14.35-2047.523.4.1] - mm: kvmalloc does not fallback to vmalloc for incompatible gfp flags (Michal Hocko) [Orabug: 35164196] [4.14.35-2047.523.4] - rds: ib: Keep IB MRs on clean_list unless we are tearing down the pool (Hakon Bugge) [Orabug: 34987235] - rds: ib: Add FRWR related statistics...

Siemens SCALANCE, RUGGEDCOM Third-Party

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services |.....

Siemens SCALANCE W1750D Devices

As of January 10, 2023, CISA will no longer be updating ICS security advisories for Siemens product vulnerabilities beyond the initial advisory. For the most up-to-date information on vulnerabilities in this advisory, please see Siemens' ProductCERT Security Advisories (CERT Services | Services |.....

Unbreakable Enterprise kernel security update

[5.15.0-8.91.4.1] - uek-rpm: Add opbmc to core rpm (Somasundaram Krishnasamy) [Orabug: 35157130] [5.15.0-8.91.4] - selftests/vm: remove ARRAY_SIZE define from individual tests (Shuah Khan) [Orabug: 35088471] - selftests: Provide local define of __cpuid_count() (Reinette Chatre) [Orabug:...

Siemens SCALANCE X-200RNA Switch Devices Integer Overflow or Wraparound (CVE-2019-16905)

OpenSSH 7.7 through 7.9 and 8.x before 8.1, when compiled with an experimental key type, has a pre-authentication integer overflow if a client or server is configured to use a crafted XMSS key. This leads to memory corruption and local code execution because of an error in the XMSS key parsing...

Siemens SCALANCE X-200RNA Switch Devices Concurrent Execution Using Shared Resource with Improper Synchronization (CVE-2018-15473)

OpenSSH through 7.7 is prone to a user enumeration vulnerability due to not delaying bailout for an invalid authenticating user until after the packet containing the request has been fully parsed, related to auth2-gss.c, auth2-hostbased.c, and auth2-pubkey.c. OpenSSH through 7.7 is prone to a...