nessus
This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.
TENABLE_OT_SIEMENS_CVE-2021-37728.NASL
History: Apr 11, 2023 - 12:00 a.m.

Siemens SCALANCE Improper Limitation of a Pathname to a Restricted Directory (CVE-2021-37728)

www.tenable.com
siemens scalance w1750
vulnerability
upgrade
directory traversal
security advisory
network protection
remote access
patches
mitigations
cyber security

AI Score: 6.8 Medium (Confidence: High)

EPSS: 0.003 Low (Percentile: 68.8%)

A remote path traversal vulnerability was discovered in Aruba Operating System Software version(s): Prior to 8.8.0.1, 8.7.1.4, 8.6.0.11, 8.5.0.13. Aruba has released patches for ArubaOS that address this security vulnerability.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(500981);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/04/22");

  script_cve_id("CVE-2021-37728");

  script_name(english:"Siemens SCALANCE Improper Limitation of a Pathname to a Restricted Directory (CVE-2021-37728)");

  script_set_attribute(attribute:"synopsis", value:
"The remote OT asset is affected by a vulnerability.");
  script_set_attribute(attribute:"description", value:
"A remote path traversal vulnerability was discovered in Aruba
Operating System Software version(s): Prior to 8.8.0.1, 8.7.1.4,
8.6.0.11, 8.5.0.13. Aruba has released patches for ArubaOS that
address this security vulnerability.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.");
  script_set_attribute(attribute:"see_also", value:"https://www.arubanetworks.com/assets/alert/ARUBA-PSA-2021-016.txt");
  script_set_attribute(attribute:"see_also", value:"https://www.cisa.gov/news-events/ics-advisories/icsa-21-287-07");
  script_set_attribute(attribute:"see_also", value:"https://cert-portal.siemens.com/productcert/pdf/ssa-280624.pdf");
  script_set_attribute(attribute:"solution", value:
"The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original
can be found at CISA.gov.

Siemens recommends upgrading SCALANCE W1750 to Versions 8.7.1.3 or later

SCALANCE W1750D: All version 8719 and prior (only affected by CVE-2019-5318, currently no fix is planned.

SCALANCE W1750 versions from 8.7.1.3 to 9.7.1.8 update to version 9.7.1.9 or later (only affected by CVE-2019-5318,
CVE-2020-37719, CVE-2021-37717, CVE-2021-37718, CVE-2021-37720, CVE-2021-37721, CVE-2021-37722, CVE-2021-37728).

Siemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:

- Block access to the ArubaOS Command Line Interface from all untrusted users.
- Block access to the ArubaOS web-based management interface from all untrusted users.
- Block access to the Mobility Conductor Command Line Interface from all untrusted users.
- Enabling the Enhanced PAPI Security feature where available will prevent exploitation of these vulnerabilities. Please
contact TAC for assistance if needed.
- Exploitation requires physical access. Controllers in strictly controlled physical environments are at low risk.
- To minimize the likelihood of an attacker exploiting these vulnerabilities, Aruba recommends the communication between
Controller/Gateways and Access-Points be restricted either by having a dedicated Layer 2 segment/VLAN or, if
Controller/Gateways and Access-Points cross Layer 3 boundaries, to have firewall policies restricting the communication
of these authorized devices. In addition, enabling the Enhanced PAPI Security feature will prevent the PAPI-specific
vulnerabilities above from being exploited. Contact Aruba Support for configuration assistance.
- The RAPConsole or Local Debug (LD) homepage can be reached by users in a split or bridge role. This can be prevented
by configuring an ACL to restrict access to the LD homepage, which effectively prevents this issue. Detailed
instructions for ACL implementation are available.

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate
mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends to configure the
environment according to Siemens' operational guidelines for industrial security, and to follow the recommendations in
the product manuals.

For additional information, please refer to Siemens Security Advisory SSA-280624 in HTML or CSAF.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-37728");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_cwe_id(22);

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/09/07");
  script_set_attribute(attribute:"patch_publication_date", value:"2021/09/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/04/11");

  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:siemens:scalance_w1750d_firmware");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Tenable.ot");

  script_copyright(english:"This script is Copyright (C) 2023-2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("tenable_ot_api_integration.nasl");
  script_require_keys("Tenable.ot/Siemens");

  exit(0);
}


include('tenable_ot_cve_funcs.inc');

get_kb_item_or_exit('Tenable.ot/Siemens');

var asset = tenable_ot::assets::get(vendor:'Siemens');

var vuln_cpes = {
    "cpe:/o:siemens:scalance_w1750d_firmware" :
        {"versionEndExcluding" : "8.7.1.9", "family" : "SCALANCEW"}
};

tenable_ot::cve::compare_and_report(asset:asset, cpes:vuln_cpes, severity:SECURITY_HOLE);

Vendor | Product | Version | CPE
siemens | scalance_w1750d_firmware | | cpe:/o:siemens:scalance_w1750d_firmware
