Siemens RUGGEDCOM ROS

Monitor | CVSS 5.3 | ICS-CERT ICSA-22-314-05 | Sep 13, 2022
Vendor: Siemens

Attack path
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

RUGGEDCOM ROS-based devices are vulnerable to a Slowloris denial of service attack on the web server. An attacker can send a continuous stream of incomplete HTTP requests to ports 80/TCP or 443/TCP, consuming all available web server connections and making the web interface unresponsive. The affected web server recovers automatically once the attack ends. This affects approximately 100 device variants across the RUGGEDCOM switch and router product families. Siemens has released firmware updates (version 4.3.8 for V4.X models, 5.6.0 for V5.X models) for standard variants, but non-configurable (NC) and factory-hardened (F) variants have no fix available.

What this means
What could happen
An attacker can flood a RUGGEDCOM device's web server with incomplete HTTP requests, consuming all available connections and making the web interface unavailable to legitimate users. The device recovers automatically once the attack stops, but the outage could disrupt remote monitoring or management of critical network infrastructure during the attack.
Who's at risk
Water utilities and electric providers using Siemens RUGGEDCOM ROS-based industrial Ethernet switches and routers for remote network access and management. These devices are deployed at substations, water treatment plants, and distribution networks to connect field devices and enable remote monitoring. The extensive product line includes i800, M2100, RP110, RS400/RS900/RS1600/RS8000 series, and RSG/RSL/RST series switches commonly used in utility SCADA networks.
How it could be exploited
An attacker with network access to the device's HTTP port (80 or 443) can send a continuous stream of partial HTTP requests using a Slowloris-style attack. Each request leaves a connection open without completing, until all available HTTP server connections are exhausted and the web interface becomes unresponsive.
Prerequisites
  • Network access to port 80/TCP or 443/TCP on the device
  • Web server must be enabled on the device (default configuration)
  • No authentication required to send HTTP requests
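One way a defender could spot the connection-exhaustion pattern described above from firewall, conntrack or flow records, as an added example that is not part of the original advisory: the connection record fields, the thresholds and the IP addresses are assumptions, and the sample snapshot is constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Conn:
    """One open TCP connection as a firewall/conntrack export might report it
    (field names are assumptions, not a specific vendor's format)."""
    src: str
    dst: str
    dport: int
    age_s: float    # seconds since the connection was established
    bytes_in: int   # bytes the client has sent so far

WEB_PORTS = {80, 443}  # the RUGGEDCOM web server ports named in the advisory

def find_slow_clients(conns, min_conns=20, min_age_s=30.0, max_bytes=512):
    """Return {(src, dst, dport): n} for sources holding at least `min_conns`
    long-lived connections to a web port that have each sent almost no data.
    Many open-but-never-completed requests from one source is the Slowloris
    signature; the thresholds are illustrative and should be tuned per site."""
    stale = defaultdict(int)
    for c in conns:
        if c.dport in WEB_PORTS and c.age_s >= min_age_s and c.bytes_in <= max_bytes:
            stale[(c.src, c.dst, c.dport)] += 1
    return {key: n for key, n in stale.items() if n >= min_conns}

def web_connection_counts(conns):
    """Concurrent connections per (device, web port); compare against the
    device's connection limit to see how close it is to exhaustion."""
    totals = defaultdict(int)
    for c in conns:
        if c.dport in WEB_PORTS:
            totals[(c.dst, c.dport)] += 1
    return dict(totals)

def constructed_sample():
    """Constructed snapshot: 192.0.2.10 stands in for a RUGGEDCOM device,
    198.51.100.7 for a misbehaving client, 10.0.0.5 for a normal workstation."""
    conns = [Conn("198.51.100.7", "192.0.2.10", 80, 90.0 + i, 64) for i in range(25)]
    conns.append(Conn("10.0.0.5", "192.0.2.10", 443, 3.0, 2300))     # fresh, complete request
    conns.append(Conn("10.0.0.5", "192.0.2.10", 443, 150.0, 18500))  # long session, real traffic
    return conns

if __name__ == "__main__":
    snapshot = constructed_sample()
    for (src, dst, port), n in find_slow_clients(snapshot).items():
        print(f"ALERT {src} holds {n} stale connections to {dst}:{port}")
    print("concurrent web connections:", web_connection_counts(snapshot))
```

Because the web server recovers on its own once the stale connections close, an alert on this pattern is also a useful signal that an outage of the management interface was caused by this condition rather than a device fault.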
Tags: remotely exploitable | no authentication required | low complexity | affects availability (denial of service) | no patch available for NC (non-configurable) variants
Exploitability
Unlikely to be exploited — EPSS score 0.9%
Affected products (156)
76 with fix, 78 pending, 2 EOL

Product               | Affected Versions | Fix Status
RUGGEDCOM RS416Pv2    | < V5.6.0          | 5.6.0
RUGGEDCOM RS416v2     | < V5.6.0          | 5.6.0
RUGGEDCOM RS416NC v2  | All versions      | No fix (EOL)
RUGGEDCOM RS416PNC v2 | All versions      | No fix (EOL)
RUGGEDCOM i800        | < 4.3.8           | 4.3.8
Remediation & Mitigation

Do now
WORKAROUND: Disable the web server on RUGGEDCOM devices if the web interface is not required for operations
HARDENING: Restrict inbound access to ports 80/TCP and 443/TCP to only trusted engineering workstations or management networks
Schedule — requires maintenance window

Patching may require a device reboot — plan for process interruption.

HOTFIX: Update affected RUGGEDCOM devices to firmware version 4.3.8 (or 5.6.0 for V5.X models)
Mitigations - no patch available
The following products have reached End of Life with no planned fix: RUGGEDCOM RS416NC v2, RUGGEDCOM RS416PNC v2. Apply the following compensating controls:
HARDENING: Place RUGGEDCOM devices behind a firewall and ensure they are not reachable from the Internet or untrusted networks