-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.1715
          Advisory (icsa-22-104-04) Siemens SCALANCE FragAttacks
                               20 April 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Siemens SCALANCE FragAttacks
Publisher:         ICS-CERT
Operating System:  Network Appliance
Resolution:        Patch/Upgrade
CVE Names:         CVE-2020-26147 CVE-2020-26146 CVE-2020-26145
                   CVE-2020-26144 CVE-2020-26143 CVE-2020-26141
                   CVE-2020-26140 CVE-2020-26139 CVE-2020-24588

Original Bulletin: 
   https://us-cert.cisa.gov/ics/advisories/icsa-22-104-04

Comment: CVSS (Max):  6.5 CVE-2020-26140 (CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
         CVSS Source: ICS-CERT
         Calculator:  https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

- --------------------------BEGIN INCLUDED TEXT--------------------

ICS Advisory (ICSA-22-104-04)

Siemens SCALANCE FragAttacks

Original release date: April 14, 2022

Legal Notice

All information products included in https://us-cert.cisa.gov/ics are provided
"as is" for informational purposes only. The Department of Homeland Security
(DHS) does not provide any warranties of any kind regarding any information
contained within. DHS does not endorse any commercial product or service,
referenced in this product or otherwise. Further dissemination of this product
is governed by the Traffic Light Protocol (TLP) marking in the header. For more
information about TLP, see https://us-cert.cisa.gov/tlp/.



1. EXECUTIVE SUMMARY

  o CVSS v3 6.5
  o ATTENTION: Exploitable remotely/low attack complexity
  o Vendor: Siemens
  o Equipment: SCALANCE family devices
  o Vulnerabilities: Improper Authentication, Injection, Improper Validation of
    Integrity Check, Improper Input Validation

2. RISK EVALUATION

Successful exploitation of these vulnerabilities could allow an attacker within
Wi-Fi range to forge encrypted frames, which could result in sensitive data
disclosure and traffic manipulation.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following Siemens products are affected:

  o SCALANCE W721-1 RJ45: All versions
  o SCALANCE W722-1 RJ45: All versions
  o SCALANCE W734-1 RJ45: All versions
  o SCALANCE W738-1 M12: All versions
  o SCALANCE W748-1 M12: All versions
  o SCALANCE W738-1 RJ45: All versions
  o SCALANCE W761-1 RJ45: All versions
  o SCALANCE W774-1 M12 EEC: All versions
  o SCALANCE W774-1 RJ45: All versions
  o SCALANCE W778-1 M12 EEC: All versions
  o SCALANCE W786-1 RJ45: All versions
  o SCALANCE W786-2 RJ45: All versions
  o SCALANCE W786-2 SFP: All versions
  o SCALANCE W786-2IA RJ45: All versions
  o SCALANCE W788-1 M12: All versions
  o SCALANCE W788-1 RJ45: All versions
  o SCALANCE W788-2 M12: All versions
  o SCALANCE W788-1 M12 EEC: All versions
  o SCALANCE W788-2 RJ45: All versions
  o SCALANCE W1748-1 M12: All versions prior to v3.0.0
  o SCALANCE W1750D M12: All versions prior to v8.7.1.3
  o SCALANCE W1788-1 M12: All versions prior to v3.0.0
  o SCALANCE W1788-2 EEC M12: All versions prior to v3.0.0
  o SCALANCE W1788-2 M12: All versions prior to v3.0.0
  o SCALANCE W1788-2IA M12: All versions prior to v3.0.0
  o SCALANCE WAM766-1: All versions
  o SCALANCE WAM766-1 EEC: All versions
  o SCALANCE WUM763-1: All versions
  o SCALANCE WUM766-1: All versions

3.2 VULNERABILITY OVERVIEW

3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306

The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3)
and Wired Equivalent Privacy (WEP) doesn't require the A-MSDU flag in the
plaintext QoS header field to be authenticated. Against devices that support
receiving non-SPP A-MSDU frames, which is mandatory as part of 802.11n, an
adversary can abuse this to inject arbitrary network packets.

CVE-2020-24588 has been assigned to this vulnerability. A CVSS v3 base score of
3.5 has been assigned; the CVSS vector string is
(AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).
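Why an unauthenticated A-MSDU flag matters, and why the SPP A-MSDU capability (which includes the bit in the authenticated header data) closes the gap, as an added toy model in Python. This is not code from the advisory, from Siemens or from any 802.11 stack: an HMAC stands in for the CCMP MIC, and the key, addresses and payload are constructed values.

```python
import hashlib
import hmac

# Constructed toy model (not real CCMP): the MIC is an HMAC over the header
# fields the receiver treats as authenticated, followed by the payload. Real
# CCMP/GCMP uses CBC-MAC/GMAC over an AAD derived from the 802.11 header; only
# the question of which header bits are covered is modelled here.
DEMO_KEY = b"constructed-demo-key"
AMSDU_PRESENT = 0x80   # bit 7 of the first QoS Control octet


def aad(addr1: bytes, addr2: bytes, qos_ctrl: int, spp_amsdu: bool) -> bytes:
    """Header bytes covered by the MIC. A legacy receiver masks the A-MSDU
    Present bit out of QoS Control (only the TID survives); an SPP A-MSDU
    receiver keeps the bit, so a changed flag changes the authenticated data."""
    keep = 0x0F | (AMSDU_PRESENT if spp_amsdu else 0)
    return addr1 + addr2 + bytes([qos_ctrl & keep])


def mic(addr1: bytes, addr2: bytes, qos_ctrl: int, payload: bytes,
        spp_amsdu: bool) -> bytes:
    data = aad(addr1, addr2, qos_ctrl, spp_amsdu) + payload
    return hmac.new(DEMO_KEY, data, hashlib.sha256).digest()


def receiver_accepts(addr1: bytes, addr2: bytes, qos_ctrl: int, payload: bytes,
                     received_mic: bytes, spp_amsdu: bool) -> bool:
    expected = mic(addr1, addr2, qos_ctrl, payload, spp_amsdu)
    return hmac.compare_digest(expected, received_mic)


def amsdu_flag_change_detected(spp_amsdu: bool) -> bool:
    """The sender protects an ordinary (non-A-MSDU) data frame; the receiver
    sees the same frame with the A-MSDU Present bit set. Returns True when the
    receiver's MIC check rejects the altered frame."""
    a1, a2 = b"\x02" * 6, b"\x04" * 6            # constructed MAC addresses
    sent_qos = 0x05                              # TID 5, A-MSDU bit clear
    payload = b"constructed LLC/SNAP payload"
    tag = mic(a1, a2, sent_qos, payload, spp_amsdu)
    seen_qos = sent_qos | AMSDU_PRESENT          # flag differs on arrival
    return not receiver_accepts(a1, a2, seen_qos, payload, tag, spp_amsdu)
```

With the legacy masking the altered frame still verifies, which is why disabling A-MSDU is listed as a workaround for CVE-2020-24588 in section 4.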

3.2.2 IMPROPER AUTHENTICATION CWE-287

An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP)
forwards EAPOL frames to other clients even though the sender has not yet
successfully authenticated to the AP. This might be abused in protected Wi-Fi
networks to launch denial-of-service attacks against connected clients and
makes it easier to exploit other vulnerabilities in connected clients.

CVE-2020-26139 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

3.2.3 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT CWE-74

An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H.
The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a
protected Wi-Fi network. An adversary can abuse this to inject arbitrary data
frames independent of the network configuration.

CVE-2020-26140 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is
(AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.2.4 IMPROPER VALIDATION OF INTEGRITY CHECK VALUE CWE-354

An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H.
The Wi-Fi implementation does not verify the Message Integrity Check
(authenticity) of fragmented TKIP frames. An adversary can abuse this to inject
and decrypt packets in WPA or WPA2 networks that support the TKIP
data-confidentiality protocol.

CVE-2020-26141 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is
(AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.2.5 IMPROPER INPUT VALIDATION CWE-20

An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for
AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented
plaintext frames in a protected Wi-Fi network. An adversary can abuse this to
inject arbitrary data frames independent of the network configuration.

CVE-2020-26143 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is
(AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.2.6 IMPROPER INPUT VALIDATION CWE-20

An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA,
WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the
first eight bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for
EAPOL. An adversary can abuse this to inject arbitrary network packets
independent of the network configuration.

CVE-2020-26144 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is
(AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.2.7 IMPROPER INPUT VALIDATION CWE-20

An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA,
WPA2, and WPA3 implementations accept second (or subsequent) broadcast
fragments even when sent in plaintext and process them as full unfragmented
frames. An adversary can abuse this to inject arbitrary network packets
independent of the network configuration.

CVE-2020-26145 has been assigned to this vulnerability. A CVSS v3 base score of
6.5 has been assigned; the CVSS vector string is
(AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.2.8 IMPROPER INPUT VALIDATION CWE-20

An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA,
WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet
numbers. An adversary can abuse this to exfiltrate selected fragments. This
vulnerability is exploitable when another device sends fragmented frames and
the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note WEP is
vulnerable to this attack by design.

CVE-2020-26146 has been assigned to this vulnerability. A CVSS v3 base score of
5.3 has been assigned; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).

3.2.9 IMPROPER INPUT VALIDATION CWE-20

An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3
implementations reassemble fragments even though some of them were sent in
plaintext. This vulnerability can be abused to inject packets and/or exfiltrate
selected fragments when another device sends fragmented frames and the WEP,
CCMP, or GCMP data-confidentiality protocol is used.

CVE-2020-26147 has been assigned to this vulnerability. A CVSS v3 base score of
5.4 has been assigned; the CVSS vector string is
(AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N).
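The receiver-side checks that a correct fragment reassembler applies against the cases in 3.2.3 and 3.2.5 through 3.2.9 (no plaintext data once a key is installed, no fragment without a first fragment, no mixing of plaintext and encrypted fragments, consecutive packet numbers across fragments), as an added Python model. This is not code from the advisory, from Siemens or from any driver; the Fragment fields and the reason strings are constructed for the model, and TKIP MIC verification (3.2.4) is outside it.

```python
from dataclasses import dataclass, field
from typing import Optional, Tuple

@dataclass
class Fragment:
    seq: int             # sequence number shared by every fragment of one MSDU
    frag: int            # fragment number, starting at 0
    more: bool           # "More Fragments" flag
    protected: bool      # "Protected Frame" flag (frame arrived encrypted)
    pn: Optional[int]    # CCMP/GCMP packet number, None for plaintext
    payload: bytes

@dataclass
class Reassembler:
    key_installed: bool = True   # plaintext data is only legitimate before this
    pending: dict = field(default_factory=dict)  # seq -> [last_frag, last_pn, protected, buffer]

    def accept(self, f: Fragment) -> Tuple[str, object]:
        """("ok", msdu) when a frame completes, ("wait", None) while more
        fragments are expected, or ("drop", reason) when a check fails."""
        if self.key_installed and not f.protected:
            return "drop", "plaintext frame in protected network"      # 3.2.3, 3.2.5
        if f.protected and f.pn is None:
            return "drop", "protected fragment without packet number"
        if f.frag == 0:
            self.pending.pop(f.seq, None)          # fresh MSDU: discard stale state
            if not f.more:
                return "ok", f.payload
            self.pending[f.seq] = [0, f.pn, f.protected, bytearray(f.payload)]
            return "wait", None
        state = self.pending.pop(f.seq, None)      # later fragment must continue a chain
        if state is None:
            return "drop", "fragment without a first fragment"          # 3.2.7
        last_frag, last_pn, prot, buf = state
        if f.frag != last_frag + 1:
            return "drop", "non-consecutive fragment number"
        if f.protected != prot:
            return "drop", "mixed plaintext and encrypted fragments"    # 3.2.9
        if f.protected and f.pn != last_pn + 1:
            return "drop", "non-consecutive packet numbers"             # 3.2.8
        buf += f.payload
        if f.more:
            self.pending[f.seq] = [f.frag, f.pn, prot, buf]
            return "wait", None
        return "ok", bytes(buf)
```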

3.3 BACKGROUND

  o CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
  o COUNTRIES/AREAS DEPLOYED: Worldwide
  o COMPANY HEADQUARTERS LOCATION: Germany

3.4 RESEARCHER

Siemens reported these vulnerabilities to CISA.

4. MITIGATIONS

Siemens recommends updating the affected products to the latest software
version where available:

  o SCALANCE W1748-1 M12: Update to v3.0.0 or later
  o SCALANCE W1750D M12: Update to v8.7.1.3 or later
  o SCALANCE W1788-1 M12: Update to v3.0.0 or later
  o SCALANCE W1788-2 EEC M12: Update to v3.0.0 or later
  o SCALANCE W1788-2 M12: Update to v3.0.0 or later
  o SCALANCE W1788-2IA M12: Update to v3.0.0 or later
  o SCALANCE WAM766-1: Update to v1.2 or later
  o SCALANCE WAM766-1 EEC: Update to v1.2 or later
  o SCALANCE WUM763-1: Update to v1.2 or later
  o SCALANCE WUM766-1: Update to v1.2 or later

Siemens has identified the following specific workarounds and mitigations users
can apply to reduce the risk:

  o As these vulnerabilities can only be exploited within Wi-Fi range, when
    possible reduce Wi-Fi transmission power or make sure to have the devices
    in private areas with physical access controls
  o When possible, A-MSDU can be disabled to mitigate CVE-2020-24588 and
    CVE-2020-26144

For more details regarding the FragAttacks vulnerabilities refer to:

  o Fragment and Forge: Breaking Wi-Fi Through Frame Aggregation and
    Fragmentation

As a general security measure, Siemens strongly recommends protecting network
access to devices with appropriate mechanisms. In order to operate the devices
in a protected IT environment, Siemens recommends users configure the
environment according to the Siemens operational guidelines for industrial
security and follow the recommendations in the product manuals.

For additional information, please refer to Siemens Security Advisory
SSA-913875.

CISA recommends users take defensive measures to minimize the risk of
exploitation of this vulnerability. Specifically, users should:

  o Minimize network exposure for all control system devices and/or systems,
    and ensure they are not accessible from the Internet.
  o Locate control system networks and remote devices behind firewalls and
    isolate them from the business network.
  o When remote access is required, use secure methods, such as Virtual Private
    Networks (VPNs), recognizing VPNs may have vulnerabilities and should be
    updated to the most current version available. Also recognize VPN is only
    as secure as its connected devices.

CISA reminds organizations to perform proper impact analysis and risk
assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices
on the ICS webpage on cisa.gov. Several recommended practices are available
for reading and download, including Improving Industrial Control Systems
Cybersecurity with Defense-in-Depth Strategies.

Additional mitigation guidance and recommended practices are publicly available
on the ICS webpage on cisa.gov in the Technical Information Paper,
ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation
Strategies.

Organizations observing any suspected malicious activity should follow their
established internal procedures and report their findings to CISA for tracking
and correlation against other incidents.

No known public exploits specifically target these vulnerabilities.

For any questions related to this report, please contact the CISA at:

Email: CISAservicedesk@cisa.dhs.gov
Toll Free: 1-888-282-0870


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================