OTPulse

Multiple Denial Of Service Vulnerabilities in SCALANCE W1700 Devices

Plan Patch
CVSS: 7.4
Advisory: SSA-392912
Published: Apr 12, 2022
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Multiple denial of service vulnerabilities exist in SCALANCE W1700 series wireless access points (11ac family) that could allow an attacker to cause the device to become unresponsive or restart. The vulnerabilities stem from improper input validation (CWE-20) and race conditions (CWE-362). Affected models include SCALANCE W1788-1 M12, W1788-2 EEC M12, W1788-2 M12, and W1788-2IA M12 devices running firmware versions earlier than V3.0.0.

What this means
What could happen
An attacker could crash or freeze SCALANCE W1700 wireless access points, disrupting network connectivity for field devices and remote monitoring systems on your plant network. This could prevent communication to/from PLCs, RTUs, and HMI systems.
Who's at risk
Water utilities, electric utilities, and other municipalities using SCALANCE W1700 11ac wireless access points for field communications. These devices are typically used to connect mobile devices, portable instruments, and remote sensors on plant floors and distribution networks. Affects: SCALANCE W1788-1 M12, W1788-2 EEC M12, W1788-2 M12, and W1788-2IA M12 models.
How it could be exploited
An attacker with access to the same network segment (plant floor or adjacent network) could send specially crafted packets to the wireless access point to trigger a denial of service condition, causing the device to become unresponsive or restart.
Prerequisites
  • Network access to the SCALANCE W1700 device (same VLAN or adjacent network segment)
  • No authentication required
  • Device running firmware version earlier than V3.0.0
remotely exploitable, no authentication required, low complexity attack, affects network availability, wireless access point in OT environment
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (4)
4 with fix
Product | Affected Versions | Fix Status
SCALANCE W1788-1 M12 | < V3.0.0 | 3.0.0
SCALANCE W1788-2 EEC M12 | < V3.0.0 | 3.0.0
SCALANCE W1788-2 M12 | < V3.0.0 | 3.0.0
SCALANCE W1788-2IA M12 | < V3.0.0 | 3.0.0
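
One way to check an asset inventory against the affected models and fixed version listed above, as an added example that is not part of the original advisory. The CSV column names, host names and sample rows are constructed assumptions.

```python
import csv
import io
import re

# The four affected models and the fixed version, as listed in the advisory.
AFFECTED_MODELS = {
    "SCALANCE W1788-1 M12",
    "SCALANCE W1788-2 EEC M12",
    "SCALANCE W1788-2 M12",
    "SCALANCE W1788-2IA M12",
}
FIXED_VERSION = (3, 0, 0)

def parse_version(text):
    """Parse 'V2.0.1', 'v3.0' or '3.0.0' into a 3-tuple; None if unparseable."""
    m = re.fullmatch(r"[Vv]?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return tuple(int(g or 0) for g in m.groups())

def triage(inventory_csv):
    """Return (host, model, firmware, status) for each affected-model row."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        model = " ".join(row["model"].split())  # normalise stray whitespace
        if model not in AFFECTED_MODELS:
            continue
        version = parse_version(row["firmware"])
        if version is None:
            status = "UNKNOWN"  # cannot confirm the fix: verify on the device
        elif version < FIXED_VERSION:
            status = "VULNERABLE"
        else:
            status = "FIXED"
        findings.append((row["host"], model, row["firmware"], status))
    return findings

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE = """host,model,firmware
ap-pump-01,SCALANCE W1788-2 M12,V2.0.1
ap-pump-02,SCALANCE W1788-2IA M12,V3.0.0
ap-tank-01,SCALANCE W1788-1  M12,v2.9
ap-tank-02,SCALANCE W1788-2 EEC M12,unknown
sw-core-01,Generic Switch,V4.1
"""

if __name__ == "__main__":
    for host, model, fw, status in triage(SAMPLE):
        print(f"{status:10} {host:12} {model:26} {fw}")
```

Rows with an unparseable firmware string are reported as UNKNOWN rather than silently treated as fixed, so they can be checked by hand.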
Remediation & Mitigation
Do now
HARDENING: Isolate SCALANCE W1700 wireless access points on a separate management network with restricted access controls if immediate patching is not possible
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SCALANCE W1788-1 M12
HOTFIX: Update SCALANCE W1788-1 M12, W1788-2 EEC M12, W1788-2 M12, and W1788-2IA M12 devices to firmware version V3.0.0 or later
Long-term hardening
HARDENING: Implement network access controls (firewall rules, port filtering) to limit which devices can reach the management interfaces of SCALANCE W1700 devices
Multiple Denial Of Service Vulnerabilities in SCALANCE W1700 Devices | CVSS 7.4 - OTPulse