Siemens SCALANCE W1750D Uncontrolled Resource Consumption (CVE-2002-20001)

high Tenable OT Security Plugin ID 501154

Synopsis

The remote OT asset is affected by a vulnerability.

Description

The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular- exponentiation calculations, aka a D(HE)ater attack. The client needs very little CPU resources and network bandwidth. The attack may be more disruptive in cases where a client can require a server to select its largest supported key size. The basic attack scenario is that the client must claim that it can only communicate with DHE, and the server must be configured to allow DHE.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Siemens identified the following specific workarounds and mitigations to reduce risk:

- CVE-2022-37885, CVE-2022-37886, CVE-2022-37887, CVE-2022-37888, and CVE-2022-37889: Enable CPSec via the cluster- security command.
- CVE-2022-37890, CVE-2022-37891, CVE-2022-37892, CVE-2022-37895, and CVE-2022-37896: Restrict the web-based management interface to a dedicated layer 2 segment/VLAN and/or control the interface by firewall policies at layer 3 and above.
- CVE-2022-37893: Restrict the command line interface to a dedicated layer 2 segment/VLAN and/or control the interface by firewall policies at layer 3 and above.

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for industrial security and following the recommendations in the product manuals.

Additional information on Industrial Security by Siemens can be found at the Siemens website.

For more information, see the associated Siemens security advisory SSA-506569 in HTML and CSAF.

Siemens SCALANCE W1750D is a brand-labeled device from Aruba. For more information regarding these vulnerabilities, see the Aruba security advisory ARUBA-PSA-2022-014.

See Also

https://github.com/Balasys/dheater

http://www.nessus.org/u?500d1117

https://github.com/mozilla/ssl-config-generator/issues/162

http://www.nessus.org/u?7a2a3191

https://cert-portal.siemens.com/productcert/pdf/ssa-506569.pdf

https://support.f5.com/csp/article/K83120834

https://www.openssl.org/blog/blog/2022/10/21/tls-groups-configuration/

https://www.suse.com/support/kb/doc/?id=000020510

https://dheatattack.com

https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2022-004.txt

https://www.cisa.gov/news-events/ics-advisories/icsa-22-314-10

Plugin Details

Severity: High

ID: 501154

Version: 1.3

Type: remote

Family: Tenable.ot

Published: 5/24/2023

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 4.4

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P

CVSS Score Source: CVE-2002-20001

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.7

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:siemens:scalance_w1750d_firmware

Required KB Items: Tenable.ot/Siemens

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 11/11/2021

Vulnerability Publication Date: 11/11/2021

Reference Information

CVE: CVE-2002-20001

CWE: 400

ICSA: 22-314-10