Siemens SCALANCE W1750D

Act Now9.8ICS-CERT ICSA-23-285-02Oct 10, 2023

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

The SCALANCE W1750D wireless access point contains multiple input validation vulnerabilities (CWE-120 buffer overflow, CWE-20 improper input validation, CWE-77 command injection, CWE-200 information disclosure) in its management interfaces. These allow unauthenticated remote attackers to inject commands, exploit buffer overflows, or trigger denial of service. Vulnerable versions: all firmware versions before 8.10.0.6.

What this means

What could happen

An attacker with network access could inject commands or trigger buffer overflows on the SCALANCE W1750D wireless access point, potentially allowing remote code execution, information disclosure, or denial of service without authentication. This could disrupt communication between networked industrial devices and field equipment in your facility.

Who's at risk

Network managers and industrial automation operators using Siemens SCALANCE W1750D wireless access points in industrial facilities. These devices commonly connect field PLCs, sensors, and remote equipment in water utilities, electric utilities, manufacturing plants, and other industrial automation environments. Any facility relying on wireless connectivity for critical industrial processes is affected.

How it could be exploited

An attacker on the network can send specially crafted packets to the device's management interfaces (command line interface, web interface, or UDP port 8211) without credentials. The device fails to properly validate input, allowing command injection or buffer overflow. This leads to code execution on the device itself, which can then be used as a pivot point to attack other systems on your industrial network.

Prerequisites

Network access to the SCALANCE W1750D device (or reachability via routed networks)
Access to the device's management interfaces: command line interface port, web management port, or UDP port 8211
No credentials required

Remotely exploitableNo authentication requiredLow complexity attackAffects industrial network infrastructureCritical CVSS (9.8)Vendor patch available

Exploitability

Moderate exploit probability (EPSS 1.3%)

Affected products (3)

3 with fix

ProductAffected VersionsFix Status

SCALANCE W1750D (JP)<V8.10.0.68.10.0.6

SCALANCE W1750D (ROW)<V8.10.0.68.10.0.6

SCALANCE W1750D (USA)<V8.10.0.68.10.0.6

Remediation & Mitigation

0/5

Do now

0/3

WORKAROUNDBlock inbound access to UDP port 8211 from untrusted networks using firewall rules

WORKAROUNDRestrict access to the command line interface and web-based management interfaces to a dedicated VLAN (layer 2 segment) or control via layer 3 firewall policies

WORKAROUNDEnable cluster-security via the cluster-security command on the device

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate SCALANCE W1750D firmware to version 8.10.0.6 or later

Long-term hardening

0/1

HARDENINGSegment the network so industrial devices are isolated from untrusted networks using firewalls and VLANs

CVEs (13)

CVE-2023-22779 CVE-2023-22780 CVE-2023-22781 CVE-2023-22782 CVE-2023-22783 CVE-2023-22784 CVE-2023-22785 CVE-2023-22786 CVE-2023-22787 CVE-2023-22788 CVE-2023-22789 CVE-2023-22790 CVE-2023-22791

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/e7037068-85e4-494f-8e1e-a9c03debaebc