Siemens RUGGEDCOM ROS
Monitor | 5.3 | ICS-CERT ICSA-22-314-05 | Nov 8, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
RUGGEDCOM ROS-based devices are vulnerable to a Slowloris denial of service attack on the web server. An attacker can send a continuous stream of incomplete HTTP requests to ports 80/TCP or 443/TCP, consuming all available web server connections and making the web interface unresponsive. The affected web server recovers automatically once the attack ends. This affects approximately 100 device variants across the RUGGEDCOM switch and router product families. Siemens has released firmware updates (version 4.3.8 for V4.X models, 5.6.0 for V5.X models) for standard variants, but non-configurable (NC) and factory-hardened (F) variants have no fix available.
What this means
What could happen
An attacker can flood a RUGGEDCOM device's web server with incomplete HTTP requests, consuming all available connections and making the web interface unavailable to legitimate users. The device recovers automatically once the attack stops, but the outage could disrupt remote monitoring or management of critical network infrastructure during the attack.
Who's at risk
Water utilities and electric providers using Siemens RUGGEDCOM ROS-based industrial Ethernet switches and routers for remote network access and management. These devices are deployed at substations, water treatment plants, and distribution networks to connect field devices and enable remote monitoring. The extensive product line includes i800, M2100, RP110, RS400/RS900/RS1600/RS8000 series, and RSG/RSL/RST series switches commonly used in utility SCADA networks.
How it could be exploited
An attacker with network access to the device's HTTP port (80 or 443) can send a continuous stream of partial HTTP requests using a Slowloris-style attack. Each request leaves a connection open without completing, until all available HTTP server connections are exhausted and the web interface becomes unresponsive.
Prerequisites
- Network access to port 80/TCP or 443/TCP on the device
- Web server must be enabled on the device (default configuration)
- No authentication required to send HTTP requests
Tags: remotely exploitable, no authentication required, low complexity, affects availability (denial of service), no patch available for NC (non-configurable) variants
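An added example, not part of the advisory or of any Siemens tooling: one way to spot the connection pattern described above from the defender's side, by counting, per source, the connections to ports 80/443 whose request is still incomplete after a while. The record format, the sample rows and both thresholds are assumptions made for this illustration.

```python
import csv
import io
from collections import Counter

WEB_PORTS = {80, 443}  # ports named in the advisory
MIN_AGE_S = 30         # assumed: a request still incomplete after 30 s is stalled
MIN_STALLED = 5        # assumed: alert at this many stalled connections per source

# Constructed sample: open connections to one device, in a hypothetical export
# from an HTTP-aware sensor or reverse proxy placed in front of it.
SAMPLE = """\
src,dport,age_s,request_done
10.0.5.20,443,4,1
10.0.5.20,443,95,1
10.0.5.21,80,45,0
10.0.9.77,80,120,0
10.0.9.77,80,121,0
10.0.9.77,80,119,0
10.0.9.77,443,118,0
10.0.9.77,443,117,0
10.0.9.77,80,8,0
10.0.9.77,22,300,0
"""

def stalled_by_source(text):
    """Count, per source address, web connections with a long-incomplete request."""
    counts = Counter()
    for row in csv.DictReader(io.StringIO(text)):
        if int(row["dport"]) not in WEB_PORTS:
            continue  # only the web server ports are relevant here
        if row["request_done"] == "0" and int(row["age_s"]) >= MIN_AGE_S:
            counts[row["src"]] += 1
    return counts

def suspects(text):
    """Sources at or above the stalled-connection threshold, worst first."""
    ranked = stalled_by_source(text).most_common()
    return [(src, n) for src, n in ranked if n >= MIN_STALLED]

if __name__ == "__main__":
    for src, n in suspects(SAMPLE):
        print(f"{src}: {n} stalled connections to the web interface")
```

A single slow client (10.0.5.21 in the sample) stays below the threshold; tune both values to the number of engineering workstations that legitimately reach the interface.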
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (152)
74 with fix, 78 pending
Product | Affected Versions | Fix Status
RUGGEDCOM i800 | < 4.3.8 | 4.3.8
RUGGEDCOM i800NC | All versions | No fix yet
RUGGEDCOM i801 | < 4.3.8 | 4.3.8
RUGGEDCOM i801NC | All versions | No fix yet
RUGGEDCOM i802 | < 4.3.8 | 4.3.8
Remediation & Mitigation
Do now
WORKAROUND: Disable the web server on RUGGEDCOM devices if the web interface is not required for operations
HARDENING: Restrict inbound access to ports 80/TCP and 443/TCP to only trusted engineering workstations or management networks
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update affected RUGGEDCOM devices to firmware version 4.3.8 (or 5.6.0 for V5.X models)
Long-term hardening
HARDENING: Place RUGGEDCOM devices behind a firewall and ensure they are not reachable from the Internet or untrusted networks
CVEs (1)