Siemens RUGGEDCOM ROS
Monitor · 5.3 · ICS-CERT ICSA-22-258-03 · Sep 13, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
RUGGEDCOM ROS-based industrial network devices are vulnerable to Slowloris denial-of-service attacks. By sending incomplete HTTP requests continuously to the web interface (port 80/443), an attacker can exhaust all available HTTP connections, preventing legitimate administrative access. The web server recovers once the attack ends. Affected devices include RMC8388, RS416 variants, RS900 variants, RSG2100, RSG2200 variants, RSG2300 variants, RSG2400 variants, RSG900 variants, RSL910, and RST9x6/RST2228 variants. Siemens has released updates to version 5.6.0 or later for patchable models. NC (non-patchable/end-of-life) variants cannot be updated.
What this means
What could happen
An attacker can flood the web interface of RUGGEDCOM devices with incomplete HTTP requests, exhausting all available connections and temporarily blocking legitimate administrative access. The device recovers automatically once the attack stops, but during the attack, operators cannot manage the device remotely through the web interface.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators using Siemens RUGGEDCOM ROS industrial network switches and routers for field networking and remote management. Both patchable versions and end-of-life products are affected. Network operators managing field devices over long-distance WAN links are particularly dependent on web-based remote management.
How it could be exploited
An attacker on the network sends a continuous stream of partial HTTP requests (Slowloris attack) to port 80 or 443. The web server holds each incomplete request open, waiting for completion. Once all available HTTP connections are consumed, no new connections can be established, including legitimate admin connections.
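A detection sketch for the pattern described above, added here as an example and not part of the advisory or any Siemens tooling: it counts long-lived web-interface connections that never completed a request, per source and device, and lists sources outside an admin allowlist. The snapshot format, thresholds, and IP addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

MGMT_PORTS = {80, 443}  # web interface ports named in the advisory
MIN_AGE_S = 30          # assumed threshold: open this long with no complete request
MIN_STALLED = 5         # assumed threshold: stalled connections per source/device pair

# Constructed sample of a flow sensor's open-connection snapshot (hypothetical format):
# src dst dport age_seconds request_complete
SAMPLE = """\
10.20.0.15 10.50.1.2 443 4 1
10.20.0.15 10.50.1.2 443 40 0
192.0.2.77 10.50.1.2 80 95 0
192.0.2.77 10.50.1.2 80 94 0
192.0.2.77 10.50.1.2 80 93 0
192.0.2.77 10.50.1.2 443 92 0
192.0.2.77 10.50.1.2 443 91 0
192.0.2.77 10.50.1.2 443 90 0
192.0.2.77 10.50.1.2 80 3 0
198.51.100.9 10.50.1.2 22 300 0
"""

def parse(text):
    """Turn snapshot lines into dicts; blank lines and '#' comments are skipped."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, dport, age, done = line.split()
        rows.append({"src": src, "dst": dst, "dport": int(dport),
                     "age": int(age), "complete": done == "1"})
    return rows

def stalled_alerts(rows):
    """Flag source/device pairs holding many old, never-completed web requests."""
    counts = defaultdict(int)
    for r in rows:
        if r["dport"] in MGMT_PORTS and not r["complete"] and r["age"] >= MIN_AGE_S:
            counts[(r["src"], r["dst"])] += 1
    return {pair: n for pair, n in counts.items() if n >= MIN_STALLED}

def unexpected_sources(rows, admin_ips):
    """Sources reaching the web interface that are not on the admin allowlist,
    i.e. traffic the advisory's firewall workaround should have blocked."""
    return {r["src"] for r in rows if r["dport"] in MGMT_PORTS} - set(admin_ips)

if __name__ == "__main__":
    rows = parse(SAMPLE)
    print(stalled_alerts(rows))
    print(unexpected_sources(rows, {"10.20.0.15"}))
```

A single stalled connection from an admin host on a slow WAN link stays below the threshold, so tune `MIN_AGE_S` and `MIN_STALLED` to the link conditions of the site.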
Prerequisites
- Network access to port 80/tcp or 443/tcp on the affected device
- No authentication required
- remotely exploitable
- no authentication required
- low complexity
- affects network availability
- multiple products have no fix available (end-of-life)
- Slowloris attack technique is well-known and publicly documented
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (32)
20 with fix, 12 pending

| Product | Affected Versions | Fix Status |
| --- | --- | --- |
| RUGGEDCOM RMC8388 V5.X | <V5.6.0 | 5.6.0 |
| RUGGEDCOM RMC8388NC V5.X | All versions | No fix yet |
| RUGGEDCOM RS416NC v2 | All versions | No fix yet |
| RUGGEDCOM RS416PNC v2 | All versions | No fix yet |
| RUGGEDCOM RS416Pv2 | <V5.6.0 | 5.6.0 |
Remediation & Mitigation
Do now
- WORKAROUND: Restrict network access to port 80/tcp and 443/tcp to only trusted administrative IP addresses using firewall rules
- WORKAROUND: Disable the web server on affected devices if remote web management is not required
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update affected RUGGEDCOM ROS devices to version 5.6.0 or later (applies to RMC8388, RS416v2, RS416Pv2, RS900, RS900G, RSG907R, RSG908C, RSG909R, RSG910C, RSG920P, RSG2100, RSG2288, RSG2300, RSG2300P, RSG2488, RSL910, RST916C, RST916P, RST2228, RST2228P)
Long-term hardening
- HARDENING: Isolate RUGGEDCOM devices behind firewalls and ensure they are not directly accessible from the Internet or untrusted networks
CVEs (1)
API:
/api/v1/advisories/63aa5035-1fd1-4c47-a285-87a6fffaae00