OTPulse

Siemens SCALANCE FragAttacks

Monitor · 6.5 · ICS-CERT ICSA-22-104-04 · Jul 13, 2021
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

FragAttacks are twelve vulnerabilities in the 802.11 frame aggregation and fragmentation implementation affecting Siemens SCALANCE wireless devices. An attacker within Wi-Fi range can forge encrypted frames, leading to sensitive data disclosure and traffic manipulation. The advisory lists affected SCALANCE W1xxx, W7xx, W8xx, WAM, and WUM series devices across multiple regional variants. Some models have firmware fixes available (v3.0.0, v8.7.1.3, or v1.2.0 depending on product); however, many older SCALANCE models (W7xx, W8xx series) are end-of-life with no patch available. Siemens recommends updating to the latest firmware versions where available and implementing physical and RF mitigation controls for devices without fixes.

What this means
What could happen
An attacker within Wi-Fi range could forge encrypted frames on Siemens SCALANCE wireless devices, allowing them to intercept sensitive data or manipulate network traffic. Depending on what data flows through the affected wireless access point, this could expose process measurements, commands, or credentials used to control plant equipment.
Who's at risk
This vulnerability affects Siemens SCALANCE wireless access points and wireless modules used in transportation systems and industrial facilities. Organizations using W7xx, W8xx (no fix available), WAM, or WUM series devices for plant network connectivity should prioritize this. If your facility uses these devices to connect engineering workstations, RTUs, or other control equipment to the network, your automation systems are at risk.
How it could be exploited
An attacker positioned within Wi-Fi range of a vulnerable SCALANCE device exploits frame aggregation and fragmentation flaws in the 802.11 standard implementation to forge encrypted frames. By crafting malicious frames, the attacker can inject traffic into the wireless link, decrypt legitimate frames, or redirect data without authentication. No credentials or special configuration are required beyond proximity to the network.
Prerequisites
  • Physical proximity to the wireless network (within Wi-Fi range)
  • No authentication credentials required
  • Standard Wi-Fi capable attacker equipment
  • Remotely exploitable (requires only Wi-Fi range, not Internet routing)
  • No authentication required
  • Low complexity attack
  • Large portion of product line has no patch available
  • Affects data integrity and confidentiality of wireless communications
Exploitability
Moderate exploit probability (EPSS 4.3%)
Affected products (39)
16 with fix · 23 pending

Product                  Affected Versions   Fix Status
SCALANCE W1748-1 M12     <V3.0.0             3.0.0
SCALANCE W1750D (JP)     <V8.7.1.3           8.7.1.3
SCALANCE W1750D (ROW)    <V8.7.1.3           8.7.1.3
SCALANCE W1750D (USA)    <V8.7.1.3           8.7.1.3
SCALANCE W1788-1 M12     <V3.0.0             3.0.0
Remediation & Mitigation
Do now
WORKAROUND: Reduce Wi-Fi transmission power on affected devices or physically restrict device placement to secure, controlled-access areas to limit attacker proximity
WORKAROUND: Disable A-MSDU (Aggregate MAC Service Data Unit) on affected devices if supported to mitigate CVE-2020-24588 and CVE-2020-26144
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SCALANCE W1748-1 M12
HOTFIX: Update SCALANCE W1748-1 M12 to firmware v3.0.0 or later
SCALANCE W1788-1 M12
HOTFIX: Update SCALANCE W1788-1 M12 to firmware v3.0.0 or later
SCALANCE W1788-2 EEC M12
HOTFIX: Update SCALANCE W1788-2 EEC M12 to firmware v3.0.0 or later
SCALANCE W1788-2 M12
HOTFIX: Update SCALANCE W1788-2 M12 to firmware v3.0.0 or later
SCALANCE W1788-2IA M12
HOTFIX: Update SCALANCE W1788-2IA M12 to firmware v3.0.0 or later
SCALANCE WAM763-1
HOTFIX: Update SCALANCE WAM763-1 to firmware v1.2.0 or later
SCALANCE WAM766-1
HOTFIX: Update SCALANCE WAM766-1 (all variants) to firmware v1.2.0 or later
SCALANCE WUM763-1
HOTFIX: Update SCALANCE WUM763-1 to firmware v1.2.0 or later
SCALANCE WUM766-1
HOTFIX: Update SCALANCE WUM766-1 (all variants) to firmware v1.2.0 or later
SCALANCE W1750D (all regions)
HOTFIX: Update SCALANCE W1750D (all regions) to firmware v8.7.1.3 or later
Long-term hardening
HARDENING: Implement Wi-Fi network segmentation and isolation from business networks; route traffic through firewall-protected networks with network access controls
HARDENING: Monitor and restrict physical access to areas where SCALANCE devices are deployed to prevent attacker proximity