Siemens SCALANCE Command Injection (CVE-2021-37723)

high Tenable OT Security Plugin ID 500974

Synopsis

The remote OT asset is affected by a vulnerability.

Description

A remote arbitrary command execution vulnerability was discovered in Aruba Operating System Software version(s): Prior to 8.7.1.2, 8.6.0.8, 8.5.0.12, 8.3.0.16. Aruba has released patches for ArubaOS that address this security vulnerability.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Siemens recommends upgrading SCALANCE W1750 to Versions 8.7.1.3 or later

SCALANCE W1750D: All version 8719 and prior (only affected by CVE-2019-5318, currently no fix is planned.

SCALANCE W1750 versions from 8.7.1.3 to 9.7.1.8 update to version 9.7.1.9 or later (only affected by CVE-2019-5318, CVE-2020-37719, CVE-2021-37717, CVE-2021-37718, CVE-2021-37720, CVE-2021-37721, CVE-2021-37722, CVE-2021-37728).

Siemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:

- Block access to the ArubaOS Command Line Interface from all untrusted users.
- Block access to the ArubaOS web-based management interface from all untrusted users.
- Block access to the Mobility Conductor Command Line Interface from all untrusted users.
- Enabling the Enhanced PAPI Security feature where available will prevent exploitation of these vulnerabilities. Please contact TAC for assistance if needed.
- Exploitation requires physical access. Controllers in strictly controlled physical environments are at low risk.
- To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends the communication between Controller/Gateways and Access-Points be restricted either by having a dedicated Layer 2 segment/VLAN or, if Controller/Gateways and Access-Points cross Layer 3 boundaries, to have firewall policies restricting the communication of these authorized devices. In addition, enabling the Enhanced PAPI Security feature will prevent the PAPI-specific vulnerabilities above from being exploited. Contact Aruba Support for configuration assistance.
- The RAPConsole or Local Debug (LD) homepage can be reached by users in a split or bridge role. This can be prevented by configuring an ACL to restrict access to the LD homepage, which effectively prevents this issue. Detailed instructions for ACL implementation are available.

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens’ operational guidelines for industrial security, and to follow the recommendations in the product manuals.

For additional information, please refer to Siemens Security Advisory SSA-280624 in HTML or CSAF.

See Also

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-016.txt

https://www.cisa.gov/news-events/ics-advisories/icsa-21-287-07

https://cert-portal.siemens.com/productcert/pdf/ssa-280624.pdf

Plugin Details

Severity: High

ID: 500974

Version: 1.2

Type: remote

Family: Tenable.ot

Published: 4/11/2023

Updated: 7/24/2023

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2021-37723

CVSS v3

Risk Factor: High

Base Score: 7.2

Temporal Score: 6.3

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:siemens:scalance_w1750d_firmware

Required KB Items: Tenable.ot/Siemens

Exploit Ease: No known exploits are available

Patch Publication Date: 9/7/2021

Vulnerability Publication Date: 9/7/2021

Reference Information

CVE: CVE-2021-37723

CWE: 77