Siemens RUGGEDCOM ROS (Update A)
Monitor | 7.8 | ICS-CERT ICSA-19-344-03 | Dec 10, 2019
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
The U-Boot bootloader in all affected RUGGEDCOM ROS devices contains two vulnerabilities in the kernel loading process. The more severe vulnerability allows an attacker with local access to execute arbitrary code on the device during boot. These are bootloader-level flaws that could allow code injection before the operating system starts. No patches are available from Siemens. The advisory recommends network access protection and adherence to Siemens' operational security guidelines.
What this means
What could happen
An attacker with local access to a RUGGEDCOM device could execute arbitrary code on the device during boot, potentially taking control of network routing and traffic inspection functions in critical utility networks. This could disrupt communications between substations or control centers and field equipment.
Who's at risk
Water utilities and electric utilities operating Siemens RUGGEDCOM industrial routers (RMC8388, RSG2488, RSG920P, RSG910C, RST2228, and related models) in network edge and substation gateway roles. These devices typically connect multiple substations, RTUs, and SCADA networks. Personnel responsible for network infrastructure and industrial control system security should prioritize this.
How it could be exploited
An attacker with physical access or remote shell access to the device could exploit a vulnerability in the U-Boot bootloader during the OS kernel loading process to inject and execute arbitrary code before the operating system starts. This requires stopping the boot process or timing an interrupt to the bootloader.
Prerequisites
- Physical access to the device or local shell access (e.g., via SSH with valid credentials)
- Ability to interrupt or interact with the boot process
- Knowledge of bootloader commands or boot process timing
- No vendor patch available
- Affects network routing and access control in critical infrastructure
- Local/physical access required but practicable in utility field settings
- Bootloader vulnerability—difficult to detect after exploitation
- Long product lifecycle means many deployed devices will remain vulnerable
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (32)
32 EOL
| Product | Affected Versions | Fix Status |
|---|---|---|
| RUGGEDCOM RST2228P | < with U-Boot V2016.05RS09 | No fix (EOL) |
| RUGGEDCOM RST2228P | ≥ with U-Boot V2016.05RS09 | No fix (EOL) |
| RUGGEDCOM RSG910C | < with U-Boot V2016.05RS09 | No fix (EOL) |
| RUGGEDCOM RMC8388 V5.X | < with U-Boot V2016.05RS09 | No fix (EOL) |
| RUGGEDCOM RMC8388NC V4.X | < with U-Boot V2016.05RS09 | No fix (EOL) |
Remediation & Mitigation
Do now
- HARDENING: Restrict physical access to RUGGEDCOM devices; implement access controls in equipment rooms and cabinet locks
- WORKAROUND: Disable remote shell access (SSH) if not operationally required; if required, restrict SSH access to specific engineering workstation IP addresses via firewall rules
- HARDENING: Review and strengthen authentication for any SSH or management access; use strong passwords or certificate-based authentication
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HARDENING: Implement network segmentation to isolate RUGGEDCOM devices from untrusted networks; place them on a separate VLAN with access control lists limiting inbound connections
- HARDENING: Monitor RUGGEDCOM devices for unexpected boot cycles or console access attempts using syslog or SNMP traps
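One way to act on the boot-cycle monitoring item above, as an added example that is not part of the advisory or any Siemens tooling: it flags reboots from successive values of the standard SNMP `sysUpTime` object and marks those outside an approved maintenance window as unexpected. It assumes the device exposes `sysUpTime`; the function name, tolerance, maintenance window and sample polls are hypothetical and constructed.

```python
from datetime import datetime, timedelta

WRAP = 2 ** 32         # sysUpTime is a 32-bit TimeTicks counter (1/100 s units)
TOLERANCE = 30 * 100   # accepted poll jitter in ticks (assumed value)

def find_reboots(samples, windows):
    """Return reboot events from time-ordered (poll_time, sysUpTime) pairs.

    A reboot is any poll where sysUpTime did not advance by the elapsed
    wall-clock time. Counter wrap (about every 497 days) is not a reboot.
    """
    events = []
    for (t0, up0), (t1, up1) in zip(samples, samples[1:]):
        elapsed = int((t1 - t0).total_seconds() * 100)
        expected = (up0 + elapsed) % WRAP
        drift = min((up1 - expected) % WRAP, (expected - up1) % WRAP)
        if drift <= TOLERANCE:
            continue                      # normal advance, including wrap
        boot_time = t1 - timedelta(seconds=up1 / 100)
        planned = any(start <= boot_time <= end for start, end in windows)
        events.append({"boot_time": boot_time, "planned": planned})
    return events

# Constructed sample data for one hypothetical device (not real telemetry).
DAY = datetime(2024, 1, 10)
SAMPLES = [
    (DAY.replace(hour=2, minute=0), 4294950000),   # close to 2**32
    (DAY.replace(hour=2, minute=5), 12704),        # wrapped, no reboot
    (DAY.replace(hour=2, minute=10), 42704),
    (DAY.replace(hour=2, minute=15), 6000),        # up 60 s: rebooted 02:14
    (DAY.replace(hour=2, minute=20), 36000),
    (DAY.replace(hour=3, minute=20), 12000),       # up 120 s: rebooted 03:18
]
WINDOWS = [(DAY.replace(hour=3, minute=0), DAY.replace(hour=3, minute=30))]

if __name__ == "__main__":
    for event in find_reboots(SAMPLES, WINDOWS):
        label = "planned" if event["planned"] else "UNEXPECTED"
        print(f"{label} reboot at {event['boot_time']:%Y-%m-%d %H:%M:%S}")
```

Only the most recent boot between two polls is visible this way, so a short poll interval matters for devices where a boot-time interruption is the concern.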
CVEs (2)