Siemens RUGGEDCOM Devices
Monitor | 6.7 | ICS-CERT ICSA-22-069-01 | Mar 8, 2022
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: Required
Summary
The SSH server on RUGGEDCOM ROS devices is configured to offer weak ciphers by default. This could allow an unauthorized attacker in a man-in-the-middle position to read and modify any data passed over the connection between legitimate clients and the affected device. Affects 70+ RUGGEDCOM device models across i800, M-series, RMC, RP, RS, RSG, RSL, and RST lines.
What this means
What could happen
An attacker positioned between a network administrator and a RUGGEDCOM device could intercept SSH sessions and read or modify configuration commands being sent to the device, potentially altering process setpoints, routing rules, or safety parameters on critical infrastructure networks.
Who's at risk
Water utilities, electrical utilities, and other critical infrastructure operators managing RUGGEDCOM industrial network devices—specifically any organization using RUGGEDCOM switches and routers (RMC, RS, RSG, RSL, RST series) for network connectivity and management in OT environments. These devices are commonly used to provide managed network access and monitoring for SCADA systems and remote substations.
How it could be exploited
An attacker must be on the same network segment or in a position to intercept traffic (man-in-the-middle). They can leverage the weak SSH ciphers offered by default to decrypt or intercept SSH sessions to the device. No user authentication is required if the attacker can forge SSH packets using the weak cipher algorithms.
Prerequisites
- Network access to SSH port on the device (typically port 22)
- Position to intercept network traffic (same network segment or on data path)
- Ability to perform man-in-the-middle attack or passive sniffing
- Weak cryptography (weak SSH ciphers)
- Remotely exploitable (SSH is often accessible)
- Man-in-the-middle attack vector
- Affects network infrastructure devices used in critical systems
- Wide product coverage across RUGGEDCOM line
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (74)
74 with fix
Product          Affected Versions   Fix Status
RUGGEDCOM i800   < 4.3.8             4.3.8
RUGGEDCOM i801   < 4.3.8             4.3.8
RUGGEDCOM i802   < 4.3.8             4.3.8
RUGGEDCOM i803   < 4.3.8             4.3.8
RUGGEDCOM M969   < 4.3.8             4.3.8
Remediation & Mitigation
Do now
WORKAROUND: Configure SSH clients to use only strong key exchange algorithms: ecdh-sha2-nistp256, ecdh-sha2-nistp384, or ecdh-sha2-nistp521
WORKAROUND: Add only trusted SSH client public keys to RUGGEDCOM devices and restrict SSH access to authorized administrators
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update RUGGEDCOM devices running firmware version 4.X to version 4.3.8 or later
HOTFIX: Update RUGGEDCOM devices running firmware version 5.X to version 5.7.0 or later
Long-term hardening
HARDENING: Segment RUGGEDCOM devices behind firewalls and restrict SSH access from trusted management networks only
HARDENING: Minimize network exposure of RUGGEDCOM devices; do not allow Internet-facing SSH access
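The weakness described above ("How it could be exploited") and the first workaround both come down to one question an operator can answer: which key exchange algorithms does the device's SSH server actually offer, and are they all in the allowed set? The following script is an added example, not code from the advisory, Siemens or ICS-CERT. It parses an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1), the message in which the server lists its algorithms, and reports every key exchange algorithm outside the allowlist of the three ecdh-sha2-nistp* algorithms the workaround names. The KEXINIT it audits is constructed inline for illustration; the legacy diffie-hellman-group1-sha1 entry in it is there only to show a flagged result and is not a claim about what RUGGEDCOM ROS offers.

```python
import struct

SSH_MSG_KEXINIT = 20

# Allowlist: the key exchange algorithms the advisory's workaround permits.
STRONG_KEX = {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521"}

# Order of the ten name-lists inside SSH_MSG_KEXINIT (RFC 4253 section 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)

# Constructed sample of what a server might offer; NOT captured from a device.
SAMPLE_SERVER_LISTS = [
    ["diffie-hellman-group1-sha1", "ecdh-sha2-nistp256"],  # kex
    ["ssh-rsa"],                                           # host key
    ["aes128-ctr"], ["aes128-ctr"],                        # ciphers c2s / s2c
    ["hmac-sha1"], ["hmac-sha1"],                          # MACs c2s / s2c
    ["none"], ["none"],                                    # compression
    [], [],                                                # languages (empty)
]


def build_kexinit(lists):
    """Encode ten name-lists as a KEXINIT payload (used here as a test fixture).

    Each name-list is an SSH 'string': uint32 big-endian length + comma-joined names.
    """
    if len(lists) != len(KEXINIT_FIELDS):
        raise ValueError("KEXINIT needs exactly %d name-lists" % len(KEXINIT_FIELDS))
    cookie = b"\x00" * 16          # constructed; a real peer sends 16 random bytes
    body = b""
    for names in lists:
        raw = ",".join(names).encode("ascii")
        body += struct.pack(">I", len(raw)) + raw
    return (bytes([SSH_MSG_KEXINIT]) + cookie + body
            + b"\x00"                 # first_kex_packet_follows = FALSE
            + struct.pack(">I", 0))   # reserved, always 0


def parse_kexinit(payload):
    """Decode an unpadded SSH_MSG_KEXINIT payload into {field_name: [names]}.

    Every length is bounds-checked so a truncated or malformed packet raises
    ValueError instead of silently producing a partial algorithm list.
    """
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos = 17  # skip message id (1 byte) + cookie (16 bytes)
    fields = {}
    for name in KEXINIT_FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length for %s" % name)
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + length > len(payload):
            raise ValueError("truncated name-list body for %s" % name)
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        fields[name] = raw.split(",") if raw else []
    return fields


def audit_kex(fields, allowed=STRONG_KEX):
    """Return the offered key exchange algorithms that are NOT in the allowlist."""
    return [kex for kex in fields["kex_algorithms"] if kex not in allowed]


def audit_sample():
    """Run the audit over the constructed sample offer."""
    return audit_kex(parse_kexinit(build_kexinit(SAMPLE_SERVER_LISTS)))


if __name__ == "__main__":
    flagged = audit_sample()
    if flagged:
        print("KEX algorithms outside the allowlist:", ", ".join(flagged))
    else:
        print("all offered KEX algorithms are in the allowlist")
```

To audit a real device, feed `parse_kexinit` the payload of the first binary packet the server sends after the version-string exchange (with the packet-length, padding-length and padding bytes removed); the same check applied to the client's own offer is what pinning `KexAlgorithms` in ssh_config achieves, and `ssh -Q kex` lists what an OpenSSH client is able to offer. Treat any algorithm the parser flags as a reason to apply the firmware update above rather than only the client-side workaround, since a client setting does nothing for administrators who connect with a different client.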
CVEs (1)