Siemens SCALANCE W1750D, M800, S615, and RUGGEDCOM RM1224 (Update C)

Act NowCVSS 8.1ICS-CERT ICSA-17-332-01Nov 17, 2017

Siemens

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityHigh

User InteractionNone needed

Summary

Multiple Siemens industrial networking devices contain buffer overflow and integer underflow vulnerabilities in DNS proxy functionality. Affected products are SCALANCE W1750D wireless controller, SCALANCE M-800 and S615 industrial Ethernet switches, and RUGGEDCOM RM1224 wireless access point. The vulnerabilities exist in versions prior to v5.0 (M800/S615/RM1224) and v6.5.1.5 (W1750D). Remote attackers can send crafted DNS packets to port 53/UDP to trigger the vulnerabilities, potentially leading to code execution, authentication bypass, or denial of service.

What this means

What could happen

An attacker with network access could exploit DNS proxy functionality to bypass authentication, execute code, or cause a denial of service on industrial switches and wireless controllers. This could interrupt communications between PLCs and remote sites, disrupt remote monitoring, or enable lateral movement within the control network.

Who's at risk

Water and utility operators using Siemens SCALANCE W1750D wireless controllers, SCALANCE M-800 or S615 industrial Ethernet switches, or RUGGEDCOM RM1224 wireless access points should prioritize patching. These devices are commonly deployed for remote site connectivity, SCADA communications, and field device management in power distribution, water treatment, and pipeline systems.

How it could be exploited

An attacker sends specially crafted packets to the DNS proxy service listening on port 53/UDP. The device fails to properly validate input, allowing the attacker to trigger a buffer overflow or integer underflow condition. This could lead to code execution on the device, allowing the attacker to modify network routing, intercept traffic, or shut down the device.

Prerequisites

Network access to affected device on port 53/UDP
Device running vulnerable firmware version (before 5.0 for M800/S615/RM1224, before 6.5.1.5 for W1750D)
DNS proxy functionality enabled on the device

Remotely exploitableHigh EPSS score (79.3%)Low attack complexityAffects multiple critical industrial protocols (DNS, potential lateral movement vector)No authentication required for exploitation

Exploitability

Likely to be exploited — EPSS score 79.3%

Public Proof-of-Concept (PoC) on GitHub (1 repository)

Affected products (3)

3 with fix

ProductAffected VersionsFix Status

RUGGEDCOM RM1224: All<V5.05.0

SCALANCE M-800 / S615: All<V5.05.0

SCALANCE W1750D: All<V6.5.1.56.5.1.5

Remediation & Mitigation

0/7

Do now

0/2

WORKAROUNDIf unable to patch immediately, disable DNS proxy on SCALANCE M800/S615 in device configuration (System > DNS > DNS Proxy > uncheck Enable DNS Proxy) and configure internal devices to use alternative DNS server

WORKAROUNDFor SCALANCE W1750D, if OpenDNS, Captive Portal, or URL redirection features are not in use, configure device firewall rules to block inbound access on port 53/UDP

Schedule — requires maintenance window

0/3

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SCALANCE W1750D to firmware v6.5.1.5-4.3.1.8 or later

HOTFIXUpdate SCALANCE M800 and S615 to firmware v5.0 or later

HOTFIXUpdate RUGGEDCOM RM1224 to firmware v5.0 or later

Long-term hardening

0/2

HARDENINGSegment industrial network from business network with firewall; do not expose control system devices directly to the Internet

HARDENINGImplement network access controls to restrict which internal devices can reach management interfaces of switches and wireless controllers

CVEs (4)

CVE-2017-13704 CVE-2017-14491 CVE-2017-14495 CVE-2017-14496

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/8ff8ce9b-ff81-4600-a0a5-bd2cc1cf8a4e

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.