Improper Neutralization Vulnerability in Siemens RUGGEDCOM and SCALANCE Products
CVE-2023-49692

6.7MEDIUM

Key Information:

Vendor: Siemens
Status: Ruggedcom Rm1224 Lte(4g) Eu; Ruggedcom Rm1224 Lte(4g) Nam; Scalance M804pb; Scalance M812-1 Adsl-router
Vendor: CVE Published:; 12 December 2023

Summary

A notable vulnerability has been discovered in Siemens' RUGGEDCOM and SCALANCE product lines, specifically impacting versions below V7.2.2. This security flaw is related to the improper handling of special elements during the parsing of IPSEC configurations. As a result, malicious local administrators may exploit this vulnerability to execute arbitrary commands at the system level following the establishment of a new connection. This could lead to significant breaches of security and unauthorized access to sensitive system functions.

Affected Version(s)

RUGGEDCOM RM1224 LTE(4G) EU 0

RUGGEDCOM RM1224 LTE(4G) NAM 0

SCALANCE M804PB 0

References

https://cert-portal.siemens.com/productcert/pdf/ssa-06804...

https://cert-portal.siemens.com/productcert/html/ssa-0680...

https://cert-portal.siemens.com/productcert/html/ssa-6029...

CVSS V3.1

Score:

6.7

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Dec 12, 2023
Vulnerability Reserved
Nov 29, 2023