Ruggedcom ROS Hard-Coded RSA SSL Private Key

Low RiskICS-CERT ICSA-12-354-01ASep 22, 2012

Siemens

Summary

Siemens Ruggedcom devices use a hard-coded RSA SSL private key embedded in the device firmware. This private key is not unique per device and is the same across all affected units. The vulnerability affects Rugged OS (versions 3.11 and earlier), ROX I OS used in RX1000/RX1100 series (versions ROX_v1.14.5 and earlier), ROX II OS used in RX5000/RX1500 series (versions ROX_v2.3.0 and earlier), and RuggedMax Operating System used in Win7000, Win7200, Win5100, and Win5200 products (versions 4.2.1.4621.22 and earlier). An attacker with the private key could decrypt SSL communications, impersonate devices, or conduct man-in-the-middle attacks against management interfaces.

What this means

What could happen

An attacker with the hard-coded RSA private key could impersonate the device or intercept encrypted communications, potentially allowing unauthorized access to the device's administrative functions and network management capabilities.

Who's at risk

Water utilities, electric distribution companies, and other critical infrastructure operators using Siemens Ruggedcom wireless routers (RX1000, RX1100, RX5000, RX1500 series) and RuggedMax base stations (Win7000, Win7200) and CPE devices (Win5100, Win5200) for remote site connectivity and SCADA communications.

How it could be exploited

An attacker obtains the hard-coded RSA private key from the device firmware or publicly available sources. The attacker uses this key to decrypt SSL/TLS communications or forge SSL certificates to impersonate the device, gaining access to encrypted management sessions or redirecting traffic to a malicious endpoint.

Prerequisites

Access to the device firmware (via download or physical access)
Knowledge of the hard-coded private key (publicly available)
Network access to the device's HTTPS/SSL management interface

hard-coded credentialsno patch availableaffects wireless network infrastructureimpacts device authentication and encryption

Exploitability

Unlikely to be exploited — EPSS score 0.5%

Affected products (4)

4 EOL

ProductAffected VersionsFix Status

Rugged OS: <=3.11≤ 3.11No fix (EOL)

ROX II OS firmware used by RX5000 and RX1500 series products. ROX II: <=ROX_v2.3.0≤ ROX v2.3.0No fix (EOL)

RuggedMax Operating System Firmware used by the Win7000 and Win7200 base station units and the Win5100 and Win5200 subscriber (CPE) devices: <=4.2.1.4621.22≤ 4.2.1.4621.22No fix (EOL)

ROX I OS firmware used by RX1000 and RX1100 series products. ROX I: <=ROX_v1.14.5≤ ROX v1.14.5No fix (EOL)

Remediation & Mitigation

0/4

Do now

0/1

WORKAROUNDRestrict network access to affected devices using firewall rules; limit administrative access to trusted engineering workstations only

Mitigations - no patch available

0/3

The following products have reached End of Life with no planned fix: Rugged OS: <=3.11, ROX II OS firmware used by RX5000 and RX1500 series products. ROX II: <=ROX_v2.3.0, RuggedMax Operating System Firmware used by the Win7000 and Win7200 base station units and the Win5100 and Win5200 subscriber (CPE) devices: <=4.2.1.4621.22, ROX I OS firmware used by RX1000 and RX1100 series products. ROX I: <=ROX_v1.14.5. Apply the following compensating controls:

HARDENINGImplement network segmentation to isolate affected Ruggedcom devices from untrusted networks and non-essential users

HARDENINGMonitor encrypted traffic to and from affected devices for signs of certificate spoofing or unauthorized access attempts

HARDENINGEvaluate migration to newer Siemens industrial communication products with properly managed cryptographic keys as no patch is available for current products

CVEs (1)

CVE-2012-4698

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/96ced1f7-1df2-4cdb-91c1-5e63c8c6196b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.