OTPulse

Siemens RUGGEDCOM ROS

Plan PatchCVSS 9.6ICS-CERT ICSA-22-069-12Mar 8, 2022
Siemens
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionRequired
Summary

Multiple vulnerabilities affect third-party components in the RUGGEDCOM Operating System (ROS). These include issues in the web server (CWE-79 cross-site scripting, CWE-208 observable timing discrepancy, CWE-358 improperly restricted operations within bounds of memory buffer, CWE-122 heap-based buffer overflow, CWE-190 integer overflow, CWE-754 improper check for unusual or exceptional conditions). An attacker could cause denial-of-service, perform man-in-the-middle attacks, retrieve sensitive information, or gain privileged functions on affected RUGGEDCOM devices.

What this means
What could happen
An attacker with network access to the web interface or TFTP service on affected RUGGEDCOM devices could disrupt operations by triggering a denial-of-service, intercept traffic between the device and management systems, steal configuration or credential data, or potentially execute commands with elevated privileges on the network device.
Who's at risk
Organizations operating Siemens RUGGEDCOM managed industrial switches and routers used in utility and critical infrastructure networks should prioritize this advisory. This affects network devices deployed in electric distribution, water/wastewater treatment, and other SCADA/ICS environments where remote management, VPN termination, or network redundancy is provided by RUGGEDCOM devices. Impact is particularly acute for sites with multiple unfixed products (all F-series variants and some legacy hardware) where workarounds will be the only mitigation option.
How it could be exploited
An attacker would send a crafted HTTP request to the web server (port 80/443) or TFTP request (port 69/UDP) on an affected RUGGEDCOM device reachable from the network. No credentials or special user interaction are typically required to trigger the underlying vulnerability in the third-party components.
Prerequisites
  • Network access to affected RUGGEDCOM device on port 80, 443 (web), or port 69/UDP (TFTP)
  • No authentication required for exploitation of web server or TFTP vulnerabilities
  • Affected firmware version must be running on the device
Remotely exploitableNo authentication requiredLow complexity exploitationHigh impact (DoS, information disclosure, privilege escalation)Multiple fixed and unfixed product variantsNo patch available for several product linesDefault or minimal configuration exposure in managed switch scenarios
Exploitability
Unlikely to be exploited — EPSS score 0.6%
Affected products (152)
136 with fix16 pending
ProductAffected VersionsFix Status
RUGGEDCOM RMC30NC< 4.3.84.3.8
RUGGEDCOM RMC8388 V4.X< 4.3.84.3.8
RUGGEDCOM RMC8388 V5.X< 5.6.05.6.0
RUGGEDCOM RMC8388NC V4.X< 4.3.84.3.8
RUGGEDCOM RMC8388NC V5.X< 5.6.05.6.0
Remediation & Mitigation
0/5
Do now
0/2
WORKAROUNDFor devices with no fix available (RS400F, M969F, M2100F, M2200F, RS416F, RS416PF, RS900F, RS900GF, RS900GPF, RSG2100F, RSG2100PF, RSG2200F, RSG2300F, RSG2300PF, RSG2488F): restrict web server access to ports 443/TCP and 22/TCP from trusted IP addresses only
WORKAROUNDRestrict TFTP access on port 69/UDP to trusted IP addresses only
Schedule — requires maintenance window
0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpdate firmware to version 4.3.8 (for V4.X devices) or 5.6.0 (for V5.X devices) or later
Long-term hardening
0/2
HARDENINGImplement network segmentation: place RUGGEDCOM devices behind firewalls and isolate from business networks and Internet
HARDENINGUse secure remote access methods such as VPN when remote management is required
View full CISA ICS-CERT advisory
API: /api/v1/advisories/9ec7ae12-1165-4e2e-a2b3-92117cb938a0

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.