In October 2017, security researchers from Google identified multiple vulnerabilities in the Dnsmasq DNS server. According to a US ICS-CERT advisory, some of these vulnerabilities affect Siemens products.
Siemens reports that the vulnerabilities affect the following SCALANCE industrial solutions:
- W1750D access points;
- M800 industrial routers;
- S615 firewalls.
Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code or carry out a denial-of-service (DoS) attack.
SCALANCE products are affected by four medium- and high-severity vulnerabilities (CVSS base scores from 5.3 to 8.1).
Three of these vulnerabilities, CVE-2017-13704, CVE-2017-14495 and CVE-2017-14496, can be exploited to crash the Dnsmasq process by sending specially crafted requests to the service on port 53/UDP.
The most severe of the four vulnerabilities, CVE-2017-14491, could allow an attacker to execute arbitrary code on the target system and carry out a denial-of-service attack. To exploit the vulnerability, an attacker must be in a position to inject malicious DNS responses to DNS requests from the device, e.g., in a Man-in-the-Middle position.
Siemens is working on eliminating the vulnerabilities identified and preparing updates for the affected products.
Siemens recommends the following mitigations to reduce the risk of exploitation until the patches are available:
- for SCALANCE W1750D (for customers who do not use the “OpenDNS”, “Captive Portal” or “URL redirection” functionality): deploy firewall rules to block incoming access to port 53/UDP;
- for SCALANCE M800/S615: disable DNS proxy and configure devices on the internal network to use a different DNS server.