Search...

Siemens Scalance W-700 系列设备SSL证书欺骗漏洞

2015-10-10T00:00:00

ID SSV:89662
Type seebug
Reporter 尧之
Modified 2015-10-10T00:00:00

Description

Siemens Scalance W-700系列内置SSL证书欺骗漏洞

CNVD-ID CNVD-2013-11278 CVE-ID: CVE-2013-4651

在关于担保的管理 web 界面和命令行管理界面中的身份验证旁路硬编码的 SSL 证书的西门子 Scalance W7xx (IEEE 802.11a/b/g) 产品系列。Siemens Scalance W-700 Series是西门子开发的工业无线交换机设备。

Siemens Scalance W-700系列设备设备内置的SSL证书，不能通过管理接口来更换该证书，允许攻击者通过中间人攻击获取敏感信息。如下固件版本 < v4.5.4的支持IEEE 802.11a/b/g的设备受此漏洞影响： `SCALANCE W744-1, W746-1, W747-1 SCALANCE W744-1PRO, W746-1PRO, W747-1RR SCALANCE W784-1, W784-1RR SCALANCE W786-1PRO, W786-2PRO, W786-3PRO, W786-2RR SCALANCE W788-1PRO, W788-2PRO, W788-1RR, W788-2RR`

Siemens Scalance W7xx V4.5.4固件已经修复此漏洞，建议用户下载更新： http://support.automation.siemens.com/WW/view/en/77427398

JSON Vulners Source

Initial Source

{"type": "seebug", "viewCount": 7, "enchantments": {"score": {"value": 6.0, "vector": "NONE", "modified": "2017-11-19T12:26:40", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2013-4651"]}, {"type": "ics", "idList": ["ICSA-13-213-01"]}], "modified": "2017-11-19T12:26:40", "rev": 2}, "vulnersScore": 6.0}, "reporter": "\u5c27\u4e4b", "title": "Siemens Scalance W-700 \u7cfb\u5217\u8bbe\u5907SSL\u8bc1\u4e66\u6b3a\u9a97\u6f0f\u6d1e", "cvelist": ["CVE-2013-4651"], "bulletinFamily": "exploit", "sourceHref": "", "cvss": {"score": 6.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:PARTIAL/I:PARTIAL/A:COMPLETE/"}, "references": [], "enchantments_done": [], "modified": "2015-10-10T00:00:00", "description": "Siemens Scalance W-700\u7cfb\u5217\u5185\u7f6eSSL\u8bc1\u4e66\u6b3a\u9a97\u6f0f\u6d1e\r\n\r\nCNVD-ID\tCNVD-2013-11278\r\nCVE-ID:\tCVE-2013-4651 \r\n\r\n\u5728\u5173\u4e8e\u62c5\u4fdd\u7684\u7ba1\u7406 web \u754c\u9762\u548c\u547d\u4ee4\u884c\u7ba1\u7406\u754c\u9762\u4e2d\u7684\u8eab\u4efd\u9a8c\u8bc1\u65c1\u8def\u786c\u7f16\u7801\u7684 SSL \u8bc1\u4e66\u7684\u897f\u95e8\u5b50 Scalance W7xx (IEEE 802.11a/b/g) \u4ea7\u54c1\u7cfb\u5217\u3002Siemens Scalance W-700 Series\u662f\u897f\u95e8\u5b50\u5f00\u53d1\u7684\u5de5\u4e1a\u65e0\u7ebf\u4ea4\u6362\u673a\u8bbe\u5907\u3002\r\n\r\nSiemens Scalance W-700\u7cfb\u5217\u8bbe\u5907\u8bbe\u5907\u5185\u7f6e\u7684SSL\u8bc1\u4e66\uff0c\u4e0d\u80fd\u901a\u8fc7\u7ba1\u7406\u63a5\u53e3\u6765\u66f4\u6362\u8be5\u8bc1\u4e66\uff0c\u5141\u8bb8\u653b\u51fb\u8005\u901a\u8fc7\u4e2d\u95f4\u4eba\u653b\u51fb\u83b7\u53d6\u654f\u611f\u4fe1\u606f\u3002 \r\n\u5982\u4e0b\u56fa\u4ef6\u7248\u672c < v4.5.4\u7684\u652f\u6301IEEE 802.11a/b/g\u7684\u8bbe\u5907\u53d7\u6b64\u6f0f\u6d1e\u5f71\u54cd\uff1a\r\n``` \r\nSCALANCE W744-1, W746-1, W747-1 \r\nSCALANCE W744-1PRO, W746-1PRO, W747-1RR \r\nSCALANCE W784-1, W784-1RR \r\nSCALANCE W786-1PRO, W786-2PRO, W786-3PRO, W786-2RR \r\nSCALANCE W788-1PRO, W788-2PRO, W788-1RR, W788-2RR\r\n```\r\n\r\nSiemens Scalance W7xx V4.5.4\u56fa\u4ef6\u5df2\u7ecf\u4fee\u590d\u6b64\u6f0f\u6d1e\uff0c\u5efa\u8bae\u7528\u6237\u4e0b\u8f7d\u66f4\u65b0\uff1a \r\nhttp://support.automation.siemens.com/WW/view/en/77427398", "href": "https://www.seebug.org/vuldb/ssvid-89662", "id": "SSV:89662", "status": "cve,details", "lastseen": "2017-11-19T12:26:40", "sourceData": "", "published": "2015-10-10T00:00:00"}

{"cve": [{"lastseen": "2020-12-09T19:52:45", "description": "Siemens Scalance W7xx devices with firmware before 4.5.4 use the same hardcoded X.509 certificate across different customers' installations, which makes it easier for remote attackers to conduct man-in-the-middle attacks against SSL sessions by leveraging the certificate's trust relationship.", "edition": 5, "cvss3": {}, "published": "2013-08-01T13:32:00", "title": "CVE-2013-4651", "type": "cve", "cwe": ["CWE-255"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 4.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "HIGH", "confidentialityImpact": "PARTIAL", "availabilityImpact": "COMPLETE", "integrityImpact": "PARTIAL", "baseScore": 6.6, "vectorString": "AV:N/AC:H/Au:N/C:P/I:P/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 8.5, "obtainUserPrivilege": false}, "cvelist": ["CVE-2013-4651"], "modified": "2013-08-01T13:32:00", "cpe": ["cpe:/h:siemens:scalance_w744-1:-", "cpe:/h:siemens:scalance_w784-1rr:-", "cpe:/h:siemens:scalance_w786-2rr:-", "cpe:/h:siemens:scalance_w788-1rr:-", "cpe:/h:siemens:scalance_w788-2pro:-", "cpe:/h:siemens:scalance_w788-1pro:-", "cpe:/h:siemens:scalance_w786-2pro:-", "cpe:/h:siemens:scalance_w747-1:-", "cpe:/h:siemens:scalance_w746-1:-", "cpe:/h:siemens:scalance_w786-3pro:-", "cpe:/h:siemens:scalance_w786-1pro:-", "cpe:/h:siemens:scalance_w747-1rr:-", "cpe:/h:siemens:scalance_w788-2rr:-", "cpe:/h:siemens:scalance_w744-1pro:-", "cpe:/h:siemens:scalance_w746-1pro:-", "cpe:/h:siemens:scalance_w784-1:-", "cpe:/o:siemens:scalance_w700_series_firmware:4.4.0"], "id": "CVE-2013-4651", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4651", "cvss": {"score": 6.6, "vector": "AV:N/AC:H/Au:N/C:P/I:P/A:C"}, "cpe23": ["cpe:2.3:h:siemens:scalance_w788-1rr:-:*:*:*:*:*:*:*", "cpe:2.3:h:siemens:scalance_w784-1rr:-:*:*:*:*:*:*:*", "cpe:2.3:h:siemens:scalance_w744-1pro:-:*:*:*:*:*:*:*", "cpe:2.3:o:siemens:scalance_w700_series_firmware:4.4.0:*:*:*:*:*:*:*", "cpe:2.3:h:siemens:scalance_w786-1pro:-:*:*:*:*:*:*:*", "cpe:2.3:h:siemens:scalance_w786-2pro:-:*:*:*:*:*:*:*", "cpe:2.3:h:siemens:scalance_w784-1:-:*:*:*:*:*:*:*", "cpe:2.3:h:siemens:scalance_w746-1pro:-:*:*:*:*:*:*:*", "cpe:2.3:h:siemens:scalance_w788-1pro:-:*:*:*:*:*:*:*", "cpe:2.3:h:siemens:scalance_w786-2rr:-:*:*:*:*:*:*:*", "cpe:2.3:h:siemens:scalance_w788-2rr:-:*:*:*:*:*:*:*", "cpe:2.3:h:siemens:scalance_w744-1:-:*:*:*:*:*:*:*", "cpe:2.3:h:siemens:scalance_w747-1rr:-:*:*:*:*:*:*:*", "cpe:2.3:h:siemens:scalance_w746-1:-:*:*:*:*:*:*:*", "cpe:2.3:h:siemens:scalance_w788-2pro:-:*:*:*:*:*:*:*", "cpe:2.3:h:siemens:scalance_w747-1:-:*:*:*:*:*:*:*", "cpe:2.3:h:siemens:scalance_w786-3pro:-:*:*:*:*:*:*:*"]}], "ics": [{"lastseen": "2020-12-18T03:22:17", "bulletinFamily": "info", "cvelist": ["CVE-2013-4651", "CVE-2013-4652"], "description": "## OVERVIEW\n\nSiemens has identified multiple vulnerabilities in the Siemens Scalance W-7xx product family and reported them to ICS-CERT. A software update has been produced by Siemens that mitigates these vulnerabilities. Siemens has tested the software update to validate that it resolves the vulnerabilities. Exploitation of these vulnerabilities could allow a man-in-the-middle attack or the ability to gain complete control of the system.\n\nThese vulnerabilities could be exploited remotely.\n\n## AFFECTED PRODUCTS\n\nFirmware Version V4.5.4 and earlier are affected for the following Siemens Scalance W-7xx product family supporting IEEE 802.11a/b/g:\n\n * SCALANCE W744-1, W746-1, W747-1;\n * SCALANCE W744-1PRO, W746-1PRO, W747-1RR;\n * SCALANCE W784-1, W784-1RR;\n * SCALANCE W786-1PRO, W786-2PRO, W786-3PRO, W786-2RR; and\n * SCALANCE W788-1PRO, W788-2PRO, W788-1RR, W788-2RR.\n\nAlternately, the affected products may be identified by using their MLFB. Products with the following MLFBs are affected (\u201cx\u201d represents a wild-card symbol):\n\n * 6GK5 7xx-xAxx0-xAx0;\n * 6GK5 7xx-xBxx0-xAx0; and\n * 6GK5 746-1AA60-4BA0.\n\n## IMPACT\n\nSuccessful exploitation of these vulnerabilities may result in an attacker being able to perform a man-in-the-middle attack or gain complete control of the system.\n\nImpact to individual organizations depends on many factors that are unique to each organization. ICS\u2011CERT recommends that organizations evaluate the impact of these vulnerabilities based on their operational environment, architecture, and product implementation.\n\n## BACKGROUND\n\nSiemens is a multinational company headquartered in Munich, Germany.\n\nThe affected products, Siemens Scalance W7xx product family, are wireless communication devices that are for both noncritical communication and process-critical data. Siemens develops products mainly in the energy, transportation, and healthcare sectors. The devices are used where mobility of machines and parts is required, or cable installation is not practical.\n\n## VULNERABILITY CHARACTERIZATION\n\n### VULNERABILITY OVERVIEW\n\n### KEY MANAGEMENT ERRORSa\n\nThe Siemens Scalance W-7xx product family uses a hard-coded SSL certificate for secure communication with the management Web interface (HTTPS). It is not possible to change this certificate using the management Web interfaces. This could allow the attacker to perform man\u2011in-the-middle attacks.\n\nCVE-2013-4651b has been assigned to this vulnerability. A CVSS v2 base score of 6.6 has been assigned by the vendor; the CVSS vector string is (AV:N/AC:H/Au:N/C:P/I:P/A:C).c\n\n### IMPROPER AUTHENTICATIONd\n\nThe Siemens Scalance W-7xx product family has implemented a command-line based management interface that contains a vulnerability allowing attackers to gain complete system access over the network without authentication. This affects protocols SSH (Port 22/TCP) and telnet (Port 23/TCP).\n\nCVE-2013-4652e has been assigned to this vulnerability. A CVSS v2 base score of 10.0 has been assigned by the vendor; the CVSS vector string is (AV:N/AC:L/Au:N/C:C/I:C/A:C).f\n\n### VULNERABILITY DETAILS\n\n#### EXPLOITABILITY\n\nThese vulnerabilities could be exploited remotely.\n\n#### EXISTENCE OF EXPLOIT\n\nNo known public exploits specifically target these vulnerabilities.\n\n#### DIFFICULTY\n\nAn attacker with a low to high skill would be able to exploit these vulnerabilities.\n\n## MITIGATION\n\nSiemens has produced a software update that resolves these vulnerabilities. The update can be applied to all versions of Scalance. Siemens recommends that asset owners and operators contact Siemens customer support to acquire the update.\n\nSiemens update information is located here:\n\n<http://support.automation.siemens.com/WW/view/en/77427398>\n\nSiemens security advisory is located here:\n\n<http://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-120908.pdf>\n\nICS\u2011CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.\n\n * Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.\n\nICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.g ICS\u2011CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.\n\nAdditional mitigation guidance and recommended practices are publicly available in the ICS\u2011CERT Technical Information Paper, ICS-TIP-12-146-01B\u2014Targeted Cyber Intrusion Detection and Mitigation Strategies,h that is available for download from the ICS-CERT Web page (http://ics-cert.us-cert.gov/).\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS\u2011CERT for tracking and correlation against other incidents.\n\n * a. CWE-320: Key Management Errors, http://cwe.mitre.org/data/definitions/320.html, Web site last accessed August 01, 2013.\n * b. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4651 , NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory.\n * c. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:H/Au:N/C:P/I:P/A:C, Web site last accessed August 01, 2013.\n * d. CWE-287: Improper Authentication, http://cwe.mitre.org/data/definitions/287.html, Web site last accessed August 01, 2013.\n * e. NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4652 , NIST uses this advisory to create the CVE Web site report. This Web site will be active sometime after publication of this advisory.\n * f. CVSS Calculator, http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:L/Au:N/C:C/I:C/A:C, Web site last accessed August 01, 2013.\n * g. CSSP Recommended Practices, http://ics-cert.us-cert.gov/content/recommended-practices, Web site last accessed August 01, 2013.\n * h. Targeted Cyber Intrusion Detection and Mitigation Strategies, http://ics-cert.us-cert.gov/tips/ICS-TIP-12-146-01B, Web site last accessed August 01, 2013.\n\n## \nContact Information\n\nFor any questions related to this report, please contact the CISA at: \n \nEmail: [CISAservicedesk@cisa.dhs.gov](<mailto:cisaservicedesk@cisa.dhs.gov>) \nToll Free: 1-888-282-0870\n\nFor industrial control systems cybersecurity information: https://us-cert.cisa.gov/ics \nor incident reporting: https://us-cert.cisa.gov/report\n\nCISA continuously strives to improve its products and services. You can help by choosing one of the links below to provide feedback about this product.\n\nThis product is provided subject to this Notification and this [Privacy & Use](<https://www.dhs.gov/privacy-policy>) policy.\n\n**Please share your thoughts.**\n\nWe recently updated our anonymous [product survey](<https://surveymonkey.com/r/G8STDRY?product=https://us-cert.cisa.gov/ics/advisories/ICSA-13-213-01>); we'd welcome your feedback.\n", "edition": 15, "modified": "2013-08-02T00:00:00", "published": "2013-08-01T00:00:00", "id": "ICSA-13-213-01", "href": "https://www.us-cert.gov//ics/advisories/ICSA-13-213-01", "title": "Siemens Scalance W-7xx Product Family Multiple Vulnerabilities", "type": "ics", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}