OTPulse

Siemens RUGGEDCOM ROS

Priority: Act Now
Score: 9.6
Source: ICS-CERT ICSA-22-069-12
Date: Mar 8, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

Multiple vulnerabilities affect third-party components in the RUGGEDCOM Operating System (ROS). These include issues in the web server (CWE-79 cross-site scripting, CWE-208 observable timing discrepancy, CWE-358 improperly restricted operations within bounds of memory buffer, CWE-122 heap-based buffer overflow, CWE-190 integer overflow, CWE-754 improper check for unusual or exceptional conditions). An attacker could cause denial-of-service, perform man-in-the-middle attacks, retrieve sensitive information, or gain privileged functions on affected RUGGEDCOM devices.

What this means
What could happen
An attacker with network access to the web interface or TFTP service on affected RUGGEDCOM devices could disrupt operations by triggering a denial-of-service, intercept traffic between the device and management systems, steal configuration or credential data, or potentially execute commands with elevated privileges on the network device.
Who's at risk
Organizations operating Siemens RUGGEDCOM managed industrial switches and routers used in utility and critical infrastructure networks should prioritize this advisory. This affects network devices deployed in electric distribution, water/wastewater treatment, and other SCADA/ICS environments where remote management, VPN termination, or network redundancy is provided by RUGGEDCOM devices. Impact is particularly acute for sites with multiple unfixed products (all F-series variants and some legacy hardware) where workarounds will be the only mitigation option.
How it could be exploited
An attacker would send a crafted HTTP request to the web server (port 80/443) or TFTP request (port 69/UDP) on an affected RUGGEDCOM device reachable from the network. No credentials or special user interaction are typically required to trigger the underlying vulnerability in the third-party components.
Prerequisites
  • Network access to an affected RUGGEDCOM device on port 80 or 443/TCP (web server) or port 69/UDP (TFTP)
  • No authentication required for exploitation of web server or TFTP vulnerabilities
  • Affected firmware version must be running on the device
  • Remotely exploitable
  • No authentication required
  • Low complexity exploitation
  • High impact (DoS, information disclosure, privilege escalation)
  • Multiple fixed and unfixed product variants
  • No patch available for several product lines
  • Default or minimal configuration exposure in managed switch scenarios
Exploitability
Low exploit probability (EPSS 0.6%)
Affected products (152)
136 with fix, 16 pending

Product                        | Affected Versions | Fix Status
RUGGEDCOM RMC30NC              | < 4.3.8           | 4.3.8
RUGGEDCOM RMC8388 V4.X         | < 4.3.8           | 4.3.8
RUGGEDCOM RMC8388 V5.X         | < 5.6.0           | 5.6.0
RUGGEDCOM RMC8388NC V4.X       | < 4.3.8           | 4.3.8
RUGGEDCOM RMC8388NC V5.X       | < 5.6.0           | 5.6.0
Remediation & Mitigation
Do now
WORKAROUND: For devices with no fix available (RS400F, M969F, M2100F, M2200F, RS416F, RS416PF, RS900F, RS900GF, RS900GPF, RSG2100F, RSG2100PF, RSG2200F, RSG2300F, RSG2300PF, RSG2488F): restrict web server access (ports 443/TCP and 22/TCP) to trusted IP addresses only
WORKAROUND: Restrict TFTP access on port 69/UDP to trusted IP addresses only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update firmware to version 4.3.8 (for V4.X devices) or 5.6.0 (for V5.X devices) or later
Long-term hardening
HARDENING: Implement network segmentation: place RUGGEDCOM devices behind firewalls and isolate them from business networks and the Internet
HARDENING: Use secure remote access methods such as VPN when remote management is required
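The remediation logic above (ROS 4.x devices need 4.3.8, ROS 5.x devices need 5.6.0, the listed F-series and legacy products have no fix and must be firewalled) is easy to apply by hand to one device and easy to get wrong across a fleet. The following is an added example, not code from OTPulse or Siemens, that turns the advisory's fix table and workaround list into an inventory triage script. The inventory, host names and version-string formats are constructed for the example; the product-name normalization (stripping the "RUGGEDCOM" prefix before matching the no-fix list) is an assumption about how an asset inventory might label these devices.

```python
"""Fleet triage for ICSA-22-069-12 (RUGGEDCOM ROS third-party component issues).

Added example (not the advisory's or vendor's tooling). Decides, per device,
whether it is already fixed, needs a firmware update, or has no fix and must
rely on the page's access-restriction workaround.
"""
from typing import NamedTuple

# Fixed ROS versions per major release, as stated in the advisory's hotfix entry.
FIXED_BY_MAJOR = {4: (4, 3, 8), 5: (5, 6, 0)}

# Product families the advisory lists as having no fix available.
NO_FIX_PRODUCTS = frozenset({
    "RS400F", "M969F", "M2100F", "M2200F", "RS416F", "RS416PF", "RS900F",
    "RS900GF", "RS900GPF", "RSG2100F", "RSG2100PF", "RSG2200F", "RSG2300F",
    "RSG2300PF", "RSG2488F",
})

WORKAROUND = ("no fix available: restrict web/SSH (443/TCP, 22/TCP) and "
              "TFTP (69/UDP) to trusted IP addresses")


class Finding(NamedTuple):
    host: str
    product: str
    version: str
    status: str   # "fixed", "update", "workaround" or "unknown"
    action: str


def parse_version(text: str) -> tuple[int, int, int]:
    """Turn 'ROS 4.3.7', 'v5.6' or '4.3.8' into a three-part tuple.

    Short strings are padded with zeros so that '5.6' compares equal to
    5.6.0 rather than sorting below it (a tuple (5, 6) is less than (5, 6, 0)).
    Raises ValueError when no dotted numeric version is present.
    """
    token = text.strip().lower()
    if token.startswith("ros"):
        token = token[3:].strip()
    token = token.lstrip("v")
    parts = token.split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {text!r}")
    nums = [int(p) for p in parts] + [0, 0]
    return (nums[0], nums[1], nums[2])


def _product_key(product: str) -> str:
    # Assumption: inventories label devices as "RUGGEDCOM <model>"; strip the brand.
    return product.upper().replace("RUGGEDCOM", "").strip()


def triage(host: str, product: str, version_text: str) -> Finding:
    """Classify one device against the advisory's fix table and no-fix list."""
    if _product_key(product) in NO_FIX_PRODUCTS:
        return Finding(host, product, version_text, "workaround", WORKAROUND)
    try:
        ver = parse_version(version_text)
    except ValueError:
        return Finding(host, product, version_text, "unknown",
                       "version unreadable; verify on the device")
    fixed = FIXED_BY_MAJOR.get(ver[0])
    if fixed is None:
        return Finding(host, product, version_text, "unknown",
                       f"ROS {ver[0]}.x is not in this advisory's fix table; check vendor")
    if ver >= fixed:
        return Finding(host, product, version_text, "fixed", "no action")
    target = ".".join(map(str, fixed))
    return Finding(host, product, version_text, "update",
                   f"update to {target} or later (reboot required; schedule a window)")


def run_triage(inventory) -> list:
    """Triage a list of (host, product, version) tuples."""
    return [triage(*row) for row in inventory]


def summarize(findings) -> dict:
    """Count findings per status so the workaround-only devices stand out."""
    counts = {"fixed": 0, "update": 0, "workaround": 0, "unknown": 0}
    for f in findings:
        counts[f.status] += 1
    return counts


# Constructed sample inventory (not real devices).
INVENTORY = [
    ("sub-sw-01", "RUGGEDCOM RMC8388 V4.X", "ROS 4.3.7"),
    ("sub-sw-02", "RUGGEDCOM RMC8388 V5.X", "5.6"),
    ("sub-sw-03", "RUGGEDCOM RMC30NC", "v4.3.8"),
    ("sub-sw-04", "RUGGEDCOM RS900F", "3.12.5"),
    ("sub-sw-05", "RUGGEDCOM RMC8388 V5.X", "unknown"),
]

if __name__ == "__main__":
    results = run_triage(INVENTORY)
    for f in results:
        print(f"{f.host:10} {f.product:26} {f.version:10} {f.status:10} {f.action}")
    print(summarize(results))
```

Devices that land in "workaround" are the ones the advisory says will never receive a patch, so the output doubles as the list of hosts whose upstream firewall or ACL must restrict 443/TCP, 22/TCP and 69/UDP to trusted management addresses.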
API: /api/v1/advisories/9ec7ae12-1165-4e2e-a2b3-92117cb938a0