ICSA-18-282-03 Siemens ROX II
Plan: Patch
CVSS: 8.8
Source: ICS-CERT ICSA-18-282-03
Published: Oct 9, 2018
Attack Vector: Network
Authentication Required: Low (valid user credentials)
Complexity: Low
User Interaction: None needed
Summary
ROX II firmware versions before v2.12.1 contain an improper privilege management vulnerability (CWE-269) in the SSH service on port 22/TCP. An attacker who can authenticate to the service can use it to execute commands on the device with elevated privileges, which in turn puts the control system the device serves at risk. No known public exploits currently target this vulnerability.
What this means
What could happen
An authenticated attacker with network access to port 22/TCP could execute arbitrary code on the ROX II device with elevated privileges, and from there alter device or process configuration, disrupt operations, or exfiltrate control system data.
Who's at risk
Water utilities, municipalities, and industrial facilities that use Siemens ROX II devices for remote operations, monitoring, or configuration management. ROX II is commonly deployed in SCADA and remote terminal unit (RTU) environments for distributed control and telemetry, where the device's SSH service is often reachable from engineering or management networks.
How it could be exploited
An attacker with valid credentials connects to the SSH service on port 22/TCP of an unpatched ROX II device. Once authenticated, even as a low-privilege user, the attacker can escalate privileges and execute arbitrary commands on the device, gaining full control over its functions. Because a password or key for any SSH account is sufficient, shared or default credentials on these devices make the issue considerably easier to exploit.
Prerequisites
- Valid user credentials for SSH access
- Network access to Port 22/TCP on the ROX II device
- Device running firmware version earlier than v2.12.1
Tags: remotely exploitable; authentication required (valid credentials); high CVSS score (8.8); privilege escalation possible
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (1)
Product    Affected versions    Fix status
ROX II     < v2.12.1            Fixed in v2.12.1
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to port 22/TCP with firewall rules so that only authorized engineering workstations can reach the SSH service.
Schedule (requires maintenance window)
- Patching may require a device reboot; plan for process interruption.
- HOTFIX: Update ROX II firmware to version v2.12.1 or later.
Long-term hardening
- HARDENING: Isolate ROX II devices from the business network and place them behind industrial firewalls with strict access controls.
- HARDENING: Implement network segmentation so that control system devices are not directly reachable from the Internet.
- HARDENING: If remote access is required, use a VPN with strong authentication instead of exposing the device's management services directly.
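The two actions above that an operator can script, the firmware-version check against the fixed release and the port 22/TCP allowlist, are shown below as an added example. It is not Siemens' or ICS-CERT's code. The inventory (hostnames, addresses, firmware strings) and the engineering-workstation addresses are constructed for the example, and the firewall rules assume a Linux-based industrial firewall using iptables in the FORWARD chain between the engineering network and the devices; adapt the chain and addresses to your own boundary device.

```shell
#!/bin/sh
# Added example for ICSA-18-282-03 (not Siemens' or ICS-CERT's code).
# 1. Flag ROX II devices whose firmware is below the fixed release V2.12.1.
# 2. Emit boundary-firewall rules that limit 22/TCP on each affected device
#    to an allowlist of engineering workstations (the advisory's workaround).

FIXED_VERSION="V2.12.1"

# Constructed sample inventory: "<hostname> <device-ip> <firmware>".
# Hosts, addresses and versions are made up for this example.
INVENTORY='rox-rtr-01 192.0.2.10 V2.10.3
rox-rtr-02 192.0.2.11 V2.12.1
rox-rtr-03 192.0.2.12 2.12
rox-rtr-04 192.0.2.13 V2.13.0'

# Constructed allowlist of engineering workstations permitted to reach SSH.
ENG_WORKSTATIONS="10.10.5.20 10.10.5.21"

# version_lt A B: exit 0 when firmware A is strictly lower than B.
# Tolerates an optional leading "V"/"v" and fewer than three fields
# ("2.12" is treated as 2.12.0), which is how the strings appear in practice.
version_lt() {
    _a=$(printf '%s.' "$1" | sed 's/^[Vv]//')
    _b=$(printf '%s.' "$2" | sed 's/^[Vv]//')
    _i=1
    while [ "$_i" -le 3 ]; do
        _x=$(printf '%s' "$_a" | cut -d. -f"$_i" | tr -cd '0-9')
        _y=$(printf '%s' "$_b" | cut -d. -f"$_i" | tr -cd '0-9')
        _x=${_x:-0}
        _y=${_y:-0}
        if [ "$_x" -lt "$_y" ]; then return 0; fi
        if [ "$_x" -gt "$_y" ]; then return 1; fi
        _i=$((_i + 1))
    done
    return 1   # versions are equal
}

# needs_patch VERSION: exit 0 when VERSION is below the fixed release.
needs_patch() {
    version_lt "$1" "$FIXED_VERSION"
}

# scan_inventory: print "<hostname> <ip>" for each device still below the fix.
scan_inventory() {
    printf '%s\n' "$INVENTORY" | while read -r _host _ip _fw; do
        if needs_patch "$_fw"; then
            printf '%s %s\n' "$_host" "$_ip"
        fi
    done
}

# ssh_allowlist_rules DEVICE_IP: emit iptables FORWARD-chain rules that
# accept SSH to the device only from allowlisted workstations and drop every
# other 22/TCP connection attempt to it. Rules are printed, not executed, so
# they can be reviewed first and then piped to sh on the firewall. Order
# matters: the ACCEPT rules must precede the final DROP, and if the chain
# already holds a broad ACCEPT, insert these with -I instead of -A.
ssh_allowlist_rules() {
    _dev=$1
    for _ws in $ENG_WORKSTATIONS; do
        printf 'iptables -A FORWARD -p tcp -s %s -d %s --dport 22 -j ACCEPT\n' "$_ws" "$_dev"
    done
    printf 'iptables -A FORWARD -p tcp -d %s --dport 22 -j DROP\n' "$_dev"
}

# rules_for_affected: one rule set per device that still needs the patch.
rules_for_affected() {
    scan_inventory | while read -r _host _ip; do
        printf '# %s (%s)\n' "$_host" "$_ip"
        ssh_allowlist_rules "$_ip"
    done
}

# Stand-alone run: list devices below the fix, then the rules to apply.
echo "Devices below $FIXED_VERSION:"
scan_inventory
echo
rules_for_affected
```

Remove a device's rules once it has been confirmed at v2.12.1 or later; the allowlist is the interim control, not a substitute for the firmware update.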
CVEs (2)