Wi-Fi Encryption Bypass Vulnerabilities in SCALANCE W700 Product Family
Plan Patch8.4SSA-457702Nov 14, 2023
Attack VectorAdjacent
Auth RequiredLow
ComplexityLow
User InteractionRequired
Summary
SCALANCE W700 family devices are vulnerable to Wi-Fi encryption bypass attacks known as "Framing Frames" that exploit weaknesses in how the devices handle encrypted wireless traffic. An attacker within Wi-Fi range could disclose sensitive information transmitted over the wireless network, hijack user sessions, or execute denial-of-service attacks against devices communicating through the affected wireless access points.
What this means
What could happen
An attacker within Wi-Fi range could bypass encryption on SCALANCE W700 wireless access points and switches, allowing them to intercept sensitive network traffic, hijack authenticated sessions, or disrupt wireless connectivity to production equipment.
Who's at risk
Water and electric utilities using SCALANCE W700 series wireless access points or industrial switches for remote monitoring, field device connectivity, or backup communications. Also affects any facility with SCALANCE WAM or WUM wireless access modules that depend on Wi-Fi for ICS network connectivity.
How it could be exploited
An attacker positioned within Wi-Fi range of a SCALANCE W700 device uses frame manipulation techniques ("Framing Frames") to bypass the device's encryption. Once encryption is circumvented, the attacker can passively monitor Wi-Fi traffic between the device and connected clients, or actively interfere with communications to cause denial of service or session hijacking.
Prerequisites
- Physical or RF proximity to the Wi-Fi network broadcast by the SCALANCE W700 device
- User must be authenticated to the Wi-Fi network or the attacker can target unauthenticated communications
- Device must have Wi-Fi enabled and broadcasting
Remotely exploitable via Wi-FiNo authentication required to exploit (attacker only needs RF range)Low attack complexityNo patch available from vendorAffects wireless infrastructure supporting critical operationsEncryption bypass enables further attacks
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (36)
36 pending
ProductAffected VersionsFix Status
SCALANCE W721-1 RJ45All versionsNo fix yet
SCALANCE W722-1 RJ45All versionsNo fix yet
SCALANCE W734-1 RJ45All versionsNo fix yet
SCALANCE W734-1 RJ45 (USA)All versionsNo fix yet
SCALANCE W738-1 M12All versionsNo fix yet
Remediation & Mitigation
0/6
Do now
0/2HARDENINGImplement network segmentation to restrict Wi-Fi access to trusted clients only; use MAC address filtering and SSID hiding where supported
WORKAROUNDDisable Wi-Fi on SCALANCE W700 devices if wired connectivity is available and Wi-Fi is not required for operations
Schedule — requires maintenance window
0/2Patching may require device reboot — plan for process interruption
HARDENINGDeploy a wireless intrusion detection system (WIDS) to monitor for suspicious frame patterns and encryption bypass attempts
HARDENINGReview and enforce Siemens operational guidelines for Industrial Security (available at https://www.siemens.com/cert/operational-guidelines-industrial-security)
Long-term hardening
0/2HARDENINGPlace SCALANCE W700 devices in a physically secured location to minimize unauthorized Wi-Fi range exposure
HARDENINGMonitor Siemens security advisories for patch availability; consider replacement or upgrade of affected devices when patches become available
↑↓ Navigate · Esc Close
API:
/api/v1/advisories/2eee34a1-2680-4ec5-9999-e677760184b0