Siemens SCALANCE FragAttacks
1. EXECUTIVE SUMMARY
- CVSS v3 6.5
- ATTENTION: Exploitable remotely/low attack complexity
- Vendor: Siemens
- Equipment: SCALANCE family devices
- Vulnerabilities: Improper Authentication, Injection, Improper Validation of Integrity Check, Improper Input Validation
2. RISK EVALUATION
Successful exploitation of these vulnerabilities could allow an attacker within Wi-Fi range to forge encrypted frames, which could result in sensitive data disclosure and traffic manipulation.
3. TECHNICAL DETAILS
3.1 AFFECTED PRODUCTS
The following Siemens products are affected:
- SCALANCE W721-1 RJ45: All versions
- SCALANCE W722-1 RJ45: All versions
- SCALANCE W734-1 RJ45: All versions
- SCALANCE W738-1 M12: All versions
- SCALANCE W748-1 M12: All versions
- SCALANCE W738-1 RJ45: All versions
- SCALANCE W761-1 RJ45: All versions
- SCALANCE W774-1 M12 EEC: All versions
- SCALANCE W774-1 RJ45: All versions
- SCALANCE W778-1 M12 EEC: All versions
- SCALANCE W786-1 RJ45: All versions
- SCALANCE W786-2 RJ45: All versions
- SCALANCE W786-2 SFP: All versions
- SCALANCE W786-2IA RJ45: All versions
- SCALANCE W788-1 M12: All versions
- SCALANCE W788-1 RJ45: All versions
- SCALANCE W788-2 M12: All versions
- SCALANCE W788-1 M12 EEC: All versions
- SCALANCE W788-2 RJ45: All versions
- SCALANCE W1748-1 M12: All versions prior to v3.0.0
- SCALANCE W1750D M12: All versions prior to v8.7.1.3
- SCALANCE W1788-1 M12: All versions prior to v3.0.0
- SCALANCE W1788-2 EEC M12: All versions prior to v3.0.0
- SCALANCE W1788-2 M12: All versions prior to v3.0.0
- SCALANCE W1788-2IA M12: All versions prior to v3.0.0
- SCALANCE WAM766-1: All versions
- SCALANCE WAM766-1 EEC: All versions
- SCALANCE WUM763-1: All versions
- SCALANCE WUM766-1: All versions
3.2 VULNERABILITY OVERVIEW
3.2.1 MISSING AUTHENTICATION FOR CRITICAL FUNCTION CWE-306
The 802.11 standard that underpins Wi-Fi Protected Access (WPA, WPA2, and WPA3) and Wired Equivalent Privacy (WEP) doesn’t require the A-MSDU flag in the plaintext QoS header field to be authenticated. Against devices that support receiving non-SSP A-MSDU frames, which is mandatory as part of 802.11n, an adversary can abuse this to inject arbitrary network packets.
CVE-2020-24588 has been assigned to this vulnerability. A CVSS v3 base score of 3.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N).
3.2.2 IMPROPER AUTHENTICATION CWE-287
An issue was discovered in the kernel in NetBSD 7.1. An Access Point (AP) forwards EAPOL frames to other clients even though the sender has not yet successfully authenticated to the AP. This might be abused in protected Wi-Fi networks to launch denial-of-service attacks against connected clients and makes it easier to exploit other vulnerabilities in connected clients.
CVE-2020-26139 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.3 IMPROPER NEUTRALIZATION OF SPECIAL ELEMENTS IN OUTPUT CWE-74
An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
CVE-2020-26140 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
3.2.4 IMPROPER VALIDATION OF INTEGRITY CHECK VALUE CWE-354
An issue was discovered in the ALFA Windows 10 driver 6.1316.1209 for AWUS036H. The Wi-Fi implementation does not verify the Message Integrity Check (authenticity) of fragmented TKIP frames. An adversary can abuse this to inject and decrypt packets in WPA or WPA2 networks that support the TKIP data-confidentiality protocol.
CVE-2020-26141 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
3.2.5 IMPROPER INPUT VALIDATION CWE-20
An issue was discovered in the ALFA Windows 10 driver 1030.36.604 for AWUS036ACH. The WEP, WPA, WPA2, and WPA3 implementations accept fragmented plaintext frames in a protected Wi-Fi network. An adversary can abuse this to inject arbitrary data frames independent of the network configuration.
CVE-2020-26143 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
3.2.6 IMPROPER INPUT VALIDATION CWE-20
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept plaintext A-MSDU frames as long as the first eight bytes correspond to a valid RFC1042 (i.e., LLC/SNAP) header for EAPOL. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
CVE-2020-26144 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
3.2.7 IMPROPER INPUT VALIDATION CWE-20
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WEP, WPA, WPA2, and WPA3 implementations accept second (or subsequent) broadcast fragments even when sent in plaintext and process them as full unfragmented frames. An adversary can abuse this to inject arbitrary network packets independent of the network configuration.
CVE-2020-26145 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been assigned; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
3.2.8 IMPROPER INPUT VALIDATION CWE-20
An issue was discovered on Samsung Galaxy S3 i9305 4.4.4 devices. The WPA, WPA2, and WPA3 implementations reassemble fragments with non-consecutive packet numbers. An adversary can abuse this to exfiltrate selected fragments. This vulnerability is exploitable when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used. Note WEP is vulnerable to this attack by design.
CVE-2020-26146 has been assigned to this vulnerability. A CVSS v3 base score of 5.3 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N).
3.2.9 IMPROPER INPUT VALIDATION CWE-20
An issue was discovered in the Linux kernel 5.8.9. The WEP, WPA, WPA2, and WPA3 implementations reassemble fragments even though some of them were sent in plaintext. This vulnerability can be abused to inject packets and/or exfiltrate selected fragments when another device sends fragmented frames and the WEP, CCMP, or GCMP data-confidentiality protocol is used.
CVE-2020-26147 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been assigned; the CVSS vector string is (AV:A/AC:H/PR:N/UI:R/S:U/C:L/I:H/A:N).
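Sections 3.2.5 through 3.2.9 all describe the same receiver-side weakness from different angles: a fragment reassembler that accepts plaintext fragments in a protected network, mixes plaintext and encrypted fragments of one frame, or joins fragments whose packet numbers are not consecutive. The following is an added example, not code from the advisory, Siemens, or any real Wi-Fi stack: a small Python model of a hardened defragmentation cache that enforces the three checks those sections imply. The `Fragment` record, the `HardenedReassembler` class and the `dropped` telemetry list are this example's own abstractions; real drivers work on 802.11 MPDU headers, but the decision logic is the same.

```python
from dataclasses import dataclass, field
from typing import Optional, List, Tuple


@dataclass
class Fragment:
    """Fields a receiver already has after decryption of one 802.11 MPDU (constructed model)."""
    src: str            # transmitter address
    seq: int            # sequence number shared by all fragments of one frame
    frag: int           # fragment number, 0 for the first fragment
    more: bool          # "More Fragments" flag from the Frame Control field
    protected: bool     # Protected Frame bit set and the MPDU decrypted successfully
    pn: Optional[int]   # CCMP/GCMP packet number, None for a plaintext MPDU
    payload: bytes


@dataclass
class _Chain:
    seq: int
    protected: bool
    next_frag: int
    last_pn: Optional[int]
    parts: List[bytes] = field(default_factory=list)


class HardenedReassembler:
    """Per-sender fragment cache with the checks from 3.2.5-3.2.9 applied."""

    def __init__(self, network_protected: bool = True):
        self.network_protected = network_protected
        self._chains = {}                       # src -> _Chain in progress
        self.dropped: List[Tuple[str, int, int, str]] = []  # (src, seq, frag, reason)

    def _drop(self, f: Fragment, reason: str):
        # Record the reason so a detection pipeline can alert on repeated drops
        # from one transmitter, and discard any partial chain for that sender.
        self.dropped.append((f.src, f.seq, f.frag, reason))
        self._chains.pop(f.src, None)
        return None

    def receive(self, f: Fragment) -> Optional[bytes]:
        """Return the reassembled payload when a frame completes, else None."""
        # 3.2.5 / 3.2.7: in a protected network, plaintext MPDUs are never
        # accepted, fragmented or not, regardless of their position in a chain.
        if self.network_protected and not f.protected:
            return self._drop(f, "plaintext fragment in protected network")
        if f.protected and f.pn is None:
            return self._drop(f, "protected fragment without packet number")

        if f.frag == 0:
            # A new frame always starts a fresh chain; a leftover chain for this
            # sender is abandoned rather than merged.
            if not f.more:
                self._chains.pop(f.src, None)
                return f.payload                # unfragmented frame
            self._chains[f.src] = _Chain(f.seq, f.protected, 1, f.pn, [f.payload])
            return None

        chain = self._chains.get(f.src)
        if chain is None or chain.seq != f.seq or chain.next_frag != f.frag:
            return self._drop(f, "orphan or out-of-order fragment")
        # 3.2.9: every fragment of a frame must share the first fragment's
        # protection state (no plaintext/encrypted mixing).
        if chain.protected != f.protected:
            return self._drop(f, "mixed plaintext and encrypted fragments")
        # 3.2.8: packet numbers of consecutive fragments must be consecutive.
        if f.protected and f.pn != chain.last_pn + 1:
            return self._drop(f, "non-consecutive packet number")

        chain.parts.append(f.payload)
        chain.next_frag += 1
        chain.last_pn = f.pn
        if f.more:
            return None
        del self._chains[f.src]
        return b"".join(chain.parts)


def demo():
    """Constructed scenarios: one legitimate frame and two that must be rejected."""
    ok = HardenedReassembler()
    ok.receive(Fragment("02:00:00:00:00:01", 10, 0, True, True, 100, b"GET /"))
    good = ok.receive(Fragment("02:00:00:00:00:01", 10, 1, False, True, 101, b"status"))

    gap = HardenedReassembler()
    gap.receive(Fragment("02:00:00:00:00:01", 11, 0, True, True, 200, b"part1"))
    gap.receive(Fragment("02:00:00:00:00:01", 11, 1, False, True, 205, b"part2"))

    mixed = HardenedReassembler()
    mixed.receive(Fragment("02:00:00:00:00:01", 12, 0, True, True, 300, b"part1"))
    mixed.receive(Fragment("02:00:00:00:00:01", 12, 1, False, False, None, b"part2"))
    return good, gap.dropped[-1][3], mixed.dropped[-1][3]


if __name__ == "__main__":
    print(demo())
```

The `dropped` list is the defender's hook: a burst of "non-consecutive packet number" or "plaintext fragment in protected network" drops attributed to one transmitter address is exactly the telemetry an industrial WLAN controller or IDS should surface while the affected SCALANCE firmware is being updated.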
3.3 BACKGROUND
- CRITICAL INFRASTRUCTURE SECTORS: Multiple Sectors
- COUNTRIES/AREAS DEPLOYED: Worldwide
- COMPANY HEADQUARTERS LOCATION: Germany
3.4 RESEARCHER
Siemens reported these vulnerabilities to CISA.
4. MITIGATIONS
Siemens recommends updating their software to the latest version where available:
- SCALANCE W1748-1 M12: Update to v3.0.0 or later
- SCALANCE W1750D M12: Update to v8.7.1.3 or later
- SCALANCE W1788-1 M12: Update to v3.0.0 or later
- SCALANCE W1788-2 EEC M12: Update to v3.0.0 or later
- SCALANCE W1788-2 M12: Update to v3.0.0 or later
- SCALANCE W1788-2IA M12: Update to v3.0.0 or later
- SCALANCE WAM766-1: Update to v1.2 or later
- SCALANCE WAM766-1 EEC: Update to v1.2 or later
- SCALANCE WUM763-1: Update to v1.2 or later
- SCALANCE WUM766-1: Update to v1.2 or later
Siemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:
- As these vulnerabilities can only be exploited within Wi-Fi range, when possible reduce Wi-Fi transmission power or make sure to have the devices in private areas with physical access controls
- When possible, A-MSDU can be disabled to mitigate CVE-2020-24588 and CVE-2020-26144
For more details regarding the FragAttacks vulnerabilities refer to:
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends users configure the environment according to the Siemens operational guidelines for industrial security and follow the recommendations in the product manuals.
For additional information, please refer to Siemens Security Advisory SSA-913875.
CISA recommends users take defensive measures to minimize the risk of exploitation of this vulnerability. Specifically, users should:
- Minimize network exposure for all control system devices and/or systems, and ensure they are not accessible from the Internet.
- Locate control system networks and remote devices behind firewalls and isolate them from the business network.
- When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize VPN is only as secure as its connected devices.
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage on cisa.gov in the Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities.