OTPulse

Siemens SCALANCE W1700

Plan Patch · CVSS 7.4 · ICS-CERT ICSA-22-104-08 · Apr 12, 2022
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple vulnerabilities (CWE-362 race condition and CWE-20 improper input validation) exist in the SCALANCE W1700 (11ac) family of wireless access points that allow remote attackers on the local network to cause denial of service conditions. An attacker can trigger crashes or unresponsiveness without credentials or user interaction, potentially disrupting connectivity to field devices and control systems that depend on these devices for wireless access.

What this means
What could happen
An attacker on the same local network could cause the SCALANCE W1700 wireless access point to become unresponsive or reboot, disrupting network connectivity to field devices and control systems that depend on it.
Who's at risk
Water utilities, electric utilities, and manufacturing facilities that use Siemens SCALANCE W1700 series wireless access points (W1788-1, W1788-2, W1788-2 EEC, W1788-2IA variants) for remote access to field devices, PLCs, or other industrial equipment on local area networks.
How it could be exploited
An attacker with access to the local network segment (Ethernet or Wi-Fi) where the SCALANCE W1700 is operating could send specially crafted network packets to trigger the denial of service condition, causing the device to crash or stop responding without needing credentials or user interaction.
Prerequisites
  • Access to the local network segment (L2/L3) where the SCALANCE W1700 wireless access point is deployed
  • No authentication credentials required
  • No special configuration required
Remotely exploitable from local network · No authentication required · Low complexity attack · Affects network availability · Potential impact on safety-critical systems if network connectivity is essential
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
SCALANCE W1788-1 M12 | <V3.0.0 | 3.0.0
SCALANCE W1788-2 EEC M12 | <V3.0.0 | 3.0.0
SCALANCE W1788-2 M12 | <V3.0.0 | 3.0.0
SCALANCE W1788-2IA M12 | <V3.0.0 | 3.0.0
Remediation & Mitigation
Do now
WORKAROUND: Restrict network access to the SCALANCE W1700 devices using firewall rules and access control lists; ensure they are not accessible from untrusted networks or the Internet
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SCALANCE W1788-1 M12
HOTFIX: Update SCALANCE W1788-1 M12 to firmware version 3.0.0 or later
SCALANCE W1788-2 EEC M12
HOTFIX: Update SCALANCE W1788-2 EEC M12 to firmware version 3.0.0 or later
SCALANCE W1788-2 M12
HOTFIX: Update SCALANCE W1788-2 M12 to firmware version 3.0.0 or later
SCALANCE W1788-2IA M12
HOTFIX: Update SCALANCE W1788-2IA M12 to firmware version 3.0.0 or later
Long-term hardening
HARDENING: Isolate SCALANCE W1700 devices on a dedicated industrial network segment separated from the corporate IT network
HARDENING: If remote access to the SCALANCE W1700 is required, implement secure remote access methods such as a VPN with current security updates
Siemens SCALANCE W1700 | CVSS 7.4 - OTPulse