Siemens RUGGEDCOM ROS and ROX-based Devices TLS POODLE Vulnerability (Update B)
Risk: Low · ICS-CERT ICSA-15-202-03B · Apr 23, 2015
Summary
RUGGEDCOM devices running ROS before v4.2.0 or ROX II before v2.9.0 are affected by POODLE (Padding Oracle On Downgraded Legacy Encryption). An attacker in a man-in-the-middle position can make a client that still falls back to SSLv3 negotiate SSLv3 instead of TLS. SSLv3's CBC mode checks only the final pad-length byte and never verifies the padding bytes themselves, which gives the attacker a padding oracle: by feeding the server modified ciphertext and watching whether it accepts or rejects the record, the attacker recovers plaintext (for example the HTTPS session cookie) one byte at a time, at roughly 256 requests per byte. No firmware patch is available for the affected versions; devices remain exposed unless compensating controls disable SSLv3, on the device where its configuration allows it and on the management clients that connect to it, and enforce TLS 1.2 or later.
What this means
What could happen
An attacker who can intercept and modify traffic between a management client (typically a browser) and a RUGGEDCOM device's HTTPS interface could force the session down to SSLv3 and use the POODLE padding oracle to recover secrets from the encrypted stream, such as the session cookie, and with it read or replay engineering commands or data exchanged with the device.
Who's at risk
This affects organizations running Siemens RUGGEDCOM industrial network devices with ROS or ROX II firmware in field deployment. This includes utilities, water authorities, and manufacturing facilities that rely on RUGGEDCOM equipment for remote site communication and management.
How it could be exploited
An attacker positioned between a management client and the device (for example by ARP spoofing on the engineering LAN) interferes with the TLS handshake so that the client retries and falls back to SSLv3. Because SSLv3 does not verify CBC padding bytes, the attacker copies a ciphertext block of interest into the padding position of a record and learns from the server's accept/reject response whether one plaintext byte has a particular value; about 256 attempts per byte recover a secret such as the HTTPS session cookie, which is then used to read or intercept commands or configuration changes sent to the device.
Prerequisites
- A man-in-the-middle position on the path between the management client and the RUGGEDCOM device's TLS service (port 443 or equivalent)
- Device running affected ROS or ROX II firmware versions
- Device configured to accept SSLv3 connections, and a client that retries the handshake at SSLv3 when a higher version fails (clients with SSLv3 disabled, or that send TLS_FALLBACK_SCSV on retry, do not give the attacker this downgrade)
- A way to make the client send many requests containing the target secret with attacker-chosen surrounding bytes (in a browser, attacker-controlled JavaScript issuing requests to chosen URL paths)
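The padding-oracle step described above, as an added simulation that is not part of the advisory and not Siemens code. The block cipher is a toy 4-round Feistel network built on HMAC-SHA256 (POODLE does not depend on which cipher is used), the record layout follows SSLv3's rule that only the final pad-length byte is checked, and the keys and the secret are constructed here for illustration:

```python
"""Toy simulation of the POODLE padding-oracle attack on SSLv3 CBC records.

Added example, not code from the advisory or from Siemens. The block cipher is a
4-round Feistel network over HMAC-SHA256 standing in for the real cipher, and the
record layout (data || MAC || padding, only the last pad-length byte checked)
mirrors SSLv3's CBC padding rule. Keys and the secret are constructed values.
"""
import hashlib
import hmac
import os

BLOCK = 16
MAC_LEN = 16
ENC_KEY = b"example-encryption-key"   # constructed
MAC_KEY = b"example-mac-key"          # constructed
SECRET = b"sessionid=deadbeef"        # constructed secret the victim keeps re-sending
REQUESTS = {"count": 0}               # how many victim requests the attack consumed


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(i, half):
    return hmac.new(ENC_KEY, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(b):
    left, right = b[:8], b[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(i, right))
    return left + right


def block_decrypt(b):
    left, right = b[:8], b[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(i, left)), left
    return left + right


def sslv3_encrypt(data):
    """Build one SSLv3-style record: data || MAC || padding, CBC under a fresh IV."""
    body = data + hmac.new(MAC_KEY, data, hashlib.sha256).digest()[:MAC_LEN]
    padlen = BLOCK - 1 - len(body) % BLOCK
    plain = body + os.urandom(padlen) + bytes([padlen])   # pad bytes arbitrary, last = padlen
    iv = os.urandom(BLOCK)
    prev, out = iv, b""
    for i in range(0, len(plain), BLOCK):
        prev = block_encrypt(_xor(plain[i:i + BLOCK], prev))
        out += prev
    return iv, out


def sslv3_server_accepts(iv, ct):
    """The oracle: SSLv3 validates only the pad-length byte, then the MAC."""
    prev, plain = iv, b""
    for i in range(0, len(ct), BLOCK):
        plain += _xor(block_decrypt(ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    padlen = plain[-1]
    if padlen >= BLOCK:
        return False
    body = plain[:-(padlen + 1)]
    data, mac = body[:-MAC_LEN], body[-MAC_LEN:]
    expected = hmac.new(MAC_KEY, data, hashlib.sha256).digest()[:MAC_LEN]
    return hmac.compare_digest(mac, expected)


def victim_request(prefix_len, suffix_len):
    """The victim client re-sends SECRET wrapped in attacker-chosen filler."""
    REQUESTS["count"] += 1
    return sslv3_encrypt(b"/" * prefix_len + SECRET + b"&" * suffix_len)


def recover_byte(k, secret_len):
    """Recover SECRET[k] by aligning it to the end of a block and reusing that
    ciphertext block as the record's padding block."""
    prefix = (BLOCK - 1 - k) % BLOCK                 # secret byte k lands on a block boundary
    suffix = (-(prefix + secret_len)) % BLOCK        # data length multiple of BLOCK: final block is all padding
    target = (prefix + k) // BLOCK + 1               # plaintext block index; the IV is block 0
    while True:
        iv, ct = victim_request(prefix, suffix)
        blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
        tampered = b"".join(blocks[1:-1]) + blocks[target]   # C_target replaces the padding block
        if sslv3_server_accepts(iv, tampered):
            # Accepted only if D(C_target)[15] ^ C_{n-1}[15] == BLOCK-1, and
            # D(C_target)[15] == P_target[15] ^ C_{target-1}[15]; solve for P_target[15].
            return (BLOCK - 1) ^ blocks[target - 1][-1] ^ blocks[-2][-1]


def recover_secret(n):
    """Recover the first n bytes of SECRET; about 256 victim requests per byte."""
    return bytes(recover_byte(k, len(SECRET)) for k in range(n))


if __name__ == "__main__":
    got = recover_secret(8)
    print(got, "recovered after", REQUESTS["count"], "victim requests")
```

The fresh IV per record stands in for SSLv3's chained IV; the attack only needs to see each ciphertext, so the difference does not matter. Running the script recovers the leading bytes of the secret and reports the request count, which averages near 256 per byte.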
Tags: Remotely exploitable · No patch available · Weak encryption vulnerability · Long-term deployed hardware
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (2), both EOL

Product                         Affected versions   Fix status
RUGGEDCOM devices with ROS      < v4.2.0            No fix (EOL)
RUGGEDCOM devices with ROX II   < v2.9.0            No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Disable SSLv3 on RUGGEDCOM devices and enforce TLS 1.2 or higher. Where the device firmware offers no setting to turn SSLv3 off, disable SSLv3 in the management clients (browsers and tools that connect to the device) and, if the device is reached through a TLS-terminating proxy or jump host, enforce TLS 1.2 there; afterwards verify with an SSLv3 handshake probe that the endpoint refuses SSLv3 rather than assuming the change took effect.
HARDENING: Restrict network access to RUGGEDCOM devices using firewall rules that limit which hosts can reach the management interface; this also shrinks the set of network positions from which an attacker can interpose between a client and the device.
Schedule (requires maintenance window)
Firmware updates or configuration changes that disable SSLv3 may require a device reboot; plan for process interruption.
HARDENING: Monitor for SSLv3 connection attempts to RUGGEDCOM devices and alert on downgrade negotiation. Signals worth alerting on: a ServerHello at protocol version 3.0 (SSLv3 actually negotiated), a ClientHello whose maximum version is 3.0 (a legacy client or a fallback retry), and a ClientHello carrying TLS_FALLBACK_SCSV (RFC 7507) at a lowered version (a client signalling that it is retrying after a failed handshake).
Mitigations (no patch available)
The following products have reached End of Life with no planned fix: RUGGEDCOM devices with ROS < v4.2.0 and RUGGEDCOM devices with ROX II < v2.9.0. Apply the following compensating controls:
HARDENING: Segment RUGGEDCOM devices onto a dedicated engineering network isolated from corporate IT networks, so that only the management hosts that need to reach them share a network segment with them.
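An added example, not part of the advisory and not a Siemens tool, that serves both the verification step of the first control (does the endpoint still accept SSLv3?) and the monitoring control (which handshakes should raise an alert?). It works at the TLS record layer so it does not depend on the local OpenSSL build still supporting SSLv3. The ClientHello/ServerHello bytes are constructed here; the host and port passed to probe_sslv3() are an assumption for illustration:

```python
"""Check for and detect SSLv3 at the TLS record layer.

Added example, not from the advisory or from Siemens. build_server_hello() exists
only to construct sample input for the detection logic; the host/port given to
probe_sslv3() is an assumed value.
"""
import os
import socket

SSL3 = (3, 0)
TLS_FALLBACK_SCSV = 0x5600                 # RFC 7507 signalling suite
PROBE_SUITES = [0x002F, 0x0035, 0x000A]    # SSLv3-era CBC suites, enough to test the version


def build_client_hello(version=SSL3, suites=PROBE_SUITES):
    """Minimal ClientHello record (no extensions) at the given protocol version."""
    cs = b"".join(s.to_bytes(2, "big") for s in suites)
    body = (bytes(version) + os.urandom(32) + b"\x00"
            + len(cs).to_bytes(2, "big") + cs + b"\x01\x00")
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + len(hs).to_bytes(2, "big") + hs


def build_server_hello(version=SSL3, suite=0x002F):
    """Constructed ServerHello, i.e. what an SSLv3-capable server answers with."""
    body = bytes(version) + os.urandom(32) + b"\x00" + suite.to_bytes(2, "big") + b"\x00"
    hs = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + len(hs).to_bytes(2, "big") + hs


def parse_hello(rec):
    """Describe the first record of a handshake (ClientHello, ServerHello or alert)."""
    if len(rec) < 5:
        return {"kind": "short"}
    ctype, rlen = rec[0], int.from_bytes(rec[3:5], "big")
    if ctype == 0x15:                                   # alert, e.g. handshake_failure
        return {"kind": "alert", "level": rec[5], "description": rec[6]}
    if ctype != 0x16:
        return {"kind": "other", "content_type": ctype}
    hs = rec[5:5 + rlen]
    hs_type, hs_len = hs[0], int.from_bytes(hs[1:4], "big")
    b = hs[4:4 + hs_len]
    version = (b[0], b[1])
    pos = 2 + 32                                        # skip the 32-byte random
    pos += 1 + b[pos]                                   # skip the session id
    if hs_type == 0x01:
        cs_len = int.from_bytes(b[pos:pos + 2], "big")
        suites = [int.from_bytes(b[pos + 2 + i:pos + 4 + i], "big") for i in range(0, cs_len, 2)]
        return {"kind": "client_hello", "version": version, "suites": suites,
                "fallback_scsv": TLS_FALLBACK_SCSV in suites}
    if hs_type == 0x02:
        return {"kind": "server_hello", "version": version,
                "suite": int.from_bytes(b[pos:pos + 2], "big")}
    return {"kind": "handshake", "type": hs_type}


def classify_exchange(client_hello, server_hello):
    """Detection rule for the monitoring control: rank the downgrade signals."""
    c, s = parse_hello(client_hello), parse_hello(server_hello)
    if s.get("kind") == "server_hello" and s["version"] == SSL3:
        return "ALERT: server negotiated SSLv3"
    if c.get("kind") == "client_hello" and c["version"] == SSL3:
        return "WARN: client offered SSLv3 as its maximum version (legacy client or fallback retry)"
    if c.get("kind") == "client_hello" and c["fallback_scsv"]:
        return "WARN: client signalled protocol fallback (TLS_FALLBACK_SCSV)"
    return "ok"


def probe_sslv3(host, port=443, timeout=5.0):
    """Send an SSLv3 ClientHello; True means the endpoint still accepts SSLv3.
    A hardened endpoint answers with an alert or closes the connection."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(SSL3))
        reply = sock.recv(4096)
    parsed = parse_hello(reply)
    return parsed.get("kind") == "server_hello" and parsed["version"] == SSL3


if __name__ == "__main__":
    print("SSLv3 accepted:", probe_sslv3("192.0.2.10", 443))   # assumed device address
```

A ServerHello can never carry a version higher than the client offered, so any ServerHello in reply to the SSLv3 probe means SSLv3 was accepted. Where the local OpenSSL build still includes SSLv3, `openssl s_client -ssl3 -connect host:443` gives the same answer, and nmap's `ssl-enum-ciphers` script lists every version the endpoint accepts; the record-layer probe above is for environments where neither is available.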
CVEs (1)