Siemens RUGGEDCOM ROS
Plan Patch
8.1
ICS-CERT ICSA-21-194-10
Jul 13, 2021
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary
A buffer overflow vulnerability exists in a third-party component of Siemens RUGGEDCOM ROS devices. An attacker with network access to an affected device could exploit it to achieve remote code execution. The vulnerability affects a wide range of RUGGEDCOM models running firmware versions below 4.3.7 (or below 5.5.4 on the newer firmware branches). For RUGGEDCOM RSG2100 (all versions) no fix is available.
What this means
What could happen
An attacker could run arbitrary code on your RUGGEDCOM switch, potentially altering network traffic, disrupting communications between PLCs and control systems, or gaining access to connected industrial devices. This could halt or compromise critical operations in power distribution or water treatment networks.
Who's at risk
This affects operators of Siemens RUGGEDCOM managed industrial switches used throughout utility networks for critical communications. RUGGEDCOM devices are commonly deployed in substations, control centers, and networked PLC environments in electric utilities and water authorities. The RS series (RS400, RS900, RS910, RS920, RS930, RS940, RS8000) and RSG series (RSG2100, RSG2200, RSG2300, RSG2488) are the most widely deployed. Any facility relying on RUGGEDCOM for network backbone connectivity in OT environments should be considered at risk.
How it could be exploited
An attacker on the network sends a malicious packet to the RUGGEDCOM device that triggers the buffer overflow in the third-party component. The device processes the packet unsafely, allowing the attacker to overwrite memory and execute arbitrary code on the switch itself. No authentication is required; the device is vulnerable as soon as it receives the crafted network traffic.
Prerequisites
- Network access to the RUGGEDCOM device (attacker must be able to send packets to the device)
- No credentials or authentication required
- Device must be running a vulnerable firmware version below 4.3.7 or 5.5.4
- remotely exploitable
- no authentication required
- low complexity
- high impact (remote code execution on critical network device)
- affects industrial network infrastructure
Exploitability
Moderate exploit probability (EPSS 1.2%)
Affected products (71)
70 with fix, 1 pending
Product          Affected Versions   Fix Status
RUGGEDCOM i800   < V4.3.7            4.3.7
RUGGEDCOM i801   < V4.3.7            4.3.7
RUGGEDCOM i802   < V4.3.7            4.3.7
RUGGEDCOM i803   < V4.3.7            4.3.7
RUGGEDCOM M2100  < V4.3.7            4.3.7
Remediation & Mitigation
Do now
RUGGEDCOM RSG2100
HARDENING: For RUGGEDCOM RSG2100 (all versions) with no fix available, implement network segmentation to restrict direct network access to the device
All products
WORKAROUND: Enable DHCP snooping on the RUGGEDCOM device to prevent unauthorized DHCP requests and limit exposure from certain attack vectors
WORKAROUND: Disable DHCP on the RUGGEDCOM device and configure static IP addressing instead
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update RUGGEDCOM devices running firmware version 4.X to version 4.3.7 or later
HOTFIX: Update RUGGEDCOM devices running firmware version 5.X to version 5.5.4 or later
Long-term hardening
HARDENING: Restrict network access to RUGGEDCOM devices using firewall rules, access control lists, or network segmentation to limit exposure to untrusted networks
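The fixed version depends on the firmware branch (4.3.7 on 4.X, 5.5.4 on 5.X), so a naive "is it below 5.5.4?" check would wrongly flag a patched 4.3.7 switch, and a "is it below 4.3.7?" check would miss a vulnerable 5.0.0 one. The following triage helper is an added example, not code from the advisory or from Siemens; it applies the branch-specific thresholds and the RSG2100 no-fix rule from the remediation steps above to an inventory list. The product and version strings in `ros_inventory` are constructed sample data, and the `assess` / `parse_version` names are this example's own.

```python
"""Triage helper: decide whether a RUGGEDCOM ROS firmware version falls inside the
affected range stated in the advisory (below 4.3.7 on the 4.x branch, below 5.5.4
on the 5.x branch), with RSG2100 flagged as having no fix available.
Added example; the inventory rows below are constructed, not from the advisory."""
import re
from typing import NamedTuple, Optional

# Fixed firmware per major branch, taken from the advisory's remediation steps.
FIXED_BY_BRANCH = {4: (4, 3, 7), 5: (5, 5, 4)}
# Models the advisory lists as having no fix available (all versions affected).
NO_FIX_MODELS = {"RUGGEDCOM RSG2100"}

# Accepts the advisory's "V4.3.7" style as well as bare "4.3.7" or "5.5".
_VERSION_RE = re.compile(r"^\s*V?(\d+)\.(\d+)(?:\.(\d+))?\s*$", re.IGNORECASE)


def parse_version(text: str) -> tuple:
    """Parse a ROS version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ROS version string: {text!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


class Finding(NamedTuple):
    product: str
    version: str
    affected: Optional[bool]   # None = branch not covered by the advisory
    action: str


def assess(product: str, version: str) -> Finding:
    """Classify one device against the advisory's affected ranges."""
    ver = parse_version(version)
    if product in NO_FIX_MODELS:
        # All versions affected and no patch: only network-level mitigation applies.
        return Finding(product, version, True,
                       "no fix available: segment network and restrict access")
    fixed = FIXED_BY_BRANCH.get(ver[0])
    if fixed is None:
        # Branch not named in the advisory: do not guess, send for manual review.
        return Finding(product, version, None,
                       "branch not listed in advisory; verify against vendor advisory")
    if ver < fixed:
        return Finding(product, version, True,
                       "update to " + ".".join(map(str, fixed)) + " or later")
    return Finding(product, version, False, "fixed version installed")


def assess_inventory(rows):
    """Run assess() over (product, version) pairs, e.g. from an asset inventory export."""
    return [assess(product, version) for product, version in rows]


# Constructed sample inventory (hypothetical devices, not the advisory's product table).
ros_inventory = [
    ("RUGGEDCOM i800", "V4.3.6"),
    ("RUGGEDCOM i800", "V4.3.7"),
    ("RUGGEDCOM RSG2300", "V5.5.3"),
    ("RUGGEDCOM RSG2300", "V5.0.0"),   # newer branch, yet below 5.5.4 -> affected
    ("RUGGEDCOM RSG2100", "V4.3.7"),   # no fix regardless of version
]

if __name__ == "__main__":
    for f in assess_inventory(ros_inventory):
        print(f"{f.product:20} {f.version:8} affected={f.affected!s:5} {f.action}")
```

Feeding the real product table into `assess_inventory` is a matter of replacing `ros_inventory` with rows from your asset inventory; devices that come back with `affected=None` are on a branch the advisory does not name and should be checked against the vendor advisory rather than assumed safe.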
CVEs (1)
API:
/api/v1/advisories/ed27c0a5-1368-425a-be14-aa3f052b5293