SUMMARY
The latest firmware updates for the SCALANCE W700 and W1700 wireless device families fix a vulnerability affecting WPA/WPA2 key handling. By manipulating EAPOL-Key frames, it might be possible to have the Key Data field decrypted without the frame first being authenticated.
This affects WPA/WPA2 architectures using TKIP encryption. The attacker must be within wireless range of the device to perform the attack.
GENERAL SECURITY RECOMMENDATIONS
As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens' operational guidelines for Industrial Security (Download: https://www.siemens.com/cert/operational-guidelines-industrial-security ), and following the recommendations in the product manuals.
Additional information on Industrial Security by Siemens can be found at: https://www.siemens.com/industrialsecurity
PRODUCT DESCRIPTION
SCALANCE W700 products are wireless communication devices used to connect industrial components like Programmable Logic Controllers (PLCs) or Human Machine Interfaces (HMIs).
SCALANCE W1700 products are wireless communication devices used to connect industrial components, like Programmable Logic Controllers (PLCs) or Human Machine Interfaces (HMIs), according to the IEEE 802.11ac standard.
VULNERABILITY CLASSIFICATION
The vulnerability classification has been performed by using the CVSS scoring system in version 3.1 (CVSS v3.1) (https://www.first.org/cvss ). The CVSS environmental score is specific to the customer's environment and will impact the overall CVSS score. The environmental score should therefore be individually defined by the customer to accomplish final scoring.
An additional classification has been performed using the CWE classification, a community-developed list of common software security weaknesses. This serves as a common language and as a baseline for weakness identification, mitigation, and prevention efforts. A detailed list of CWE classes can be found at: https://cwe.mitre.org/ .
Vulnerability CVE-2018-14526
It was discovered that under certain conditions the integrity of EAPOL-Key messages might not be checked before their Key Data field is processed, leading to a decryption oracle.
The security vulnerability could be exploited by an attacker within wireless range of the Access Point to gain access to confidential data. For this, the Access Point must use TKIP as its encryption method.
At the time of advisory publication no public exploitation of this security vulnerability was known.
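The point of the fix is ordering: an EAPOL-Key frame must be authenticated with the KCK before its Key Data is ever decrypted, so an unauthenticated frame never reaches the cipher. The following is an added illustration, not Siemens or SCALANCE firmware code; it constructs a WPA (descriptor version 1, TKIP) message 3 with demo KCK/KEK values, and the receive path discards a frame whose MIC does not verify without attempting RC4 decryption.

```python
import hmac, hashlib, struct

# Constructed demo key material (not real keys): 16-byte KCK and KEK.
KCK = bytes(range(16))
KEK = bytes(range(16, 32))
IV_OFF = 4 + 1 + 2 + 2 + 8 + 32          # EAPOL header + fields before Key IV
MIC_OFF = IV_OFF + 16 + 8 + 8            # ... + IV, RSC, Key ID
KD_LEN_OFF = MIC_OFF + 16                # Key Data Length follows the MIC

def rc4(key, data):
    """RC4 with the 256-byte keystream skip WPA uses for Key Data (symmetric)."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for k in range(256 + len(data)):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        if k >= 256:
            out.append(data[k - 256] ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def eapol_key_mic(kck, frame):
    """Descriptor version 1: HMAC-MD5 over the whole EAPOL frame, MIC zeroed."""
    zeroed = frame[:MIC_OFF] + b"\x00" * 16 + frame[MIC_OFF + 16:]
    return hmac.new(kck, zeroed, hashlib.md5).digest()

def build_msg3(kck, kek, key_data, iv=b"\x11" * 16):
    """Authenticator side: encrypt Key Data with RC4(IV||KEK), then MIC the frame."""
    body = struct.pack("!BHH8s32s16s8s8s16sH", 254, 0x01C9, 32,
                       b"\x00" * 7 + b"\x02", b"\xaa" * 32, iv,
                       b"\x00" * 8, b"\x00" * 8, b"\x00" * 16, len(key_data))
    body += rc4(iv + kek, key_data)
    frame = struct.pack("!BBH", 2, 3, len(body)) + body
    return frame[:MIC_OFF] + eapol_key_mic(kck, frame) + frame[MIC_OFF + 16:]

def process_msg3(kck, kek, frame):
    """Supplicant side, hardened order: verify the MIC, only then decrypt."""
    if not hmac.compare_digest(frame[MIC_OFF:MIC_OFF + 16], eapol_key_mic(kck, frame)):
        return None  # unauthenticated frame: dropped, no decryption performed
    iv = frame[IV_OFF:IV_OFF + 16]
    kd_len = struct.unpack_from("!H", frame, KD_LEN_OFF)[0]
    return rc4(iv + kek, frame[KD_LEN_OFF + 2:KD_LEN_OFF + 2 + kd_len])
```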
CVSS v3.1 Base Score
6.5
CVSS Vector
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:U/RL:O/RC:C
CWE:
CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel