OTPulse

Frame Aggregation and Fragmentation Vulnerabilities in 802.11

Monitor · 6.5 · SSA-913875 · Jul 13, 2021
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

Twelve frame aggregation and fragmentation vulnerabilities (FragAttacks) in the 802.11 wireless protocol implementations used by Siemens SCALANCE wireless access points and bridges affect these devices. An attacker within Wi-Fi range could forge encrypted frames to disclose sensitive data or manipulate traffic. The vulnerabilities stem from improper validation of frame structure in the wireless drivers used by these devices. Siemens has released patches for some products but reports no fixes for approximately two-thirds of the affected SCALANCE device variants, which remain at risk.

What this means
What could happen
An attacker within Wi-Fi range could forge encrypted wireless frames to intercept sensitive data or manipulate network traffic on your SCALANCE wireless access points and bridges. This could allow unauthorized access to device configuration or disruption of wireless connectivity to critical plant equipment.
Who's at risk
This affects operators of transportation systems, industrial plants, and critical infrastructure that rely on Siemens SCALANCE wireless network devices for real-time monitoring and control. Specifically, any deployment using SCALANCE Wi-Fi access points (W7xx, W8xx series) or wireless modules (WAM, WUM series) for bridging sensors, PLCs, or remote telemetry to central monitoring systems is at risk of wireless network compromise.
How it could be exploited
An attacker within Wi-Fi range of a vulnerable SCALANCE wireless device sends specially crafted 802.11 frames that exploit weaknesses in frame aggregation and fragmentation handling. The device fails to properly validate frame structure, allowing the attacker to forge encrypted frames and decrypt or modify legitimate traffic without being connected to the network.
Prerequisites
  • Attacker must be within Wi-Fi radio range of the vulnerable access point or bridge
  • No authentication or credentials required
  • The wireless device must be powered on and transmitting
  • Remotely exploitable (within Wi-Fi range)
  • No authentication required
  • Low complexity attack
  • Affects data confidentiality (encryption bypass)
  • Many products have no patch available
  • Wide range of affected SCALANCE product variants
Exploitability
Moderate exploit probability (EPSS 4.3%)
Affected products (39)
16 with fix, 23 pending

Product                     | Affected Versions | Fix Status
SCALANCE W788-2 M12 EEC     | All versions      | No fix yet
SCALANCE WAM766-1 EEC (US)  | < V1.2.0          | 1.2.0
SCALANCE W1748-1 M12        | < V3.0.0          | 3.0.0
SCALANCE W1750D (JP)        | < V8.7.1.3        | 8.7.1.3
SCALANCE W1750D (ROW)       | < V8.7.1.3        | 8.7.1.3
Remediation & Mitigation

Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

SCALANCE W1750D (USA)
HOTFIX: Update SCALANCE WAM763-1, WAM766-1, WAM766-1 (US), WAM766-1 EEC, WUM763-1, WUM766-1, and WUM766-1 (USA) to version 1.2.0 or later
SCALANCE W1748-1 M12
HOTFIX: Update SCALANCE W1748-1 M12, W1788-1 M12, W1788-2 EEC M12, W1788-2 M12, and W1788-2IA M12 to version 3.0.0 or later
SCALANCE W1750D (ROW)
HOTFIX: Update SCALANCE W1750D (JP, ROW, USA) to version 8.7.1.3 or later
Long-term hardening
HARDENING: For products with no fix available (W788-2 M12 EEC, W721-1, W722-1, W734-1, W738-1, W748-1, W761-1, W774-1, W778-1, W786-1, W786-2, W788-1, W788-2 variants), restrict physical Wi-Fi range by deploying wireless access points in secured areas and using RF shielding or a Faraday cage where feasible
HARDENING: For products with no fix available, configure wireless authentication using WPA3 if supported by firmware, or WPA2 with CCMP encryption at minimum
WORKAROUND: Monitor Siemens security advisories regularly for future firmware releases for affected products currently without patches