OTPulse

Siemens RUGGEDCOM ROS Devices

Plan Patch · 7.5 · ICS-CERT ICSA-23-222-08 · Aug 8, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

A denial-of-service vulnerability in the web server of Siemens RUGGEDCOM network devices allows an unauthenticated attacker to cause total loss of web server availability. When exploited, the vulnerability exhausts resources and prevents the device from accepting new connections, rendering it unmanageable until restarted. The vulnerability affects industrial Ethernet switches and routers in the RUGGEDCOM i8xx, M-series, RMC, RP, RS, RSG, and RSL product lines running firmware versions prior to 4.3.8 (V4.X) or 5.8.0 (V5.X). Siemens has released firmware updates for most products but has not provided fixes for end-of-life variants marked with the F suffix.

What this means
What could happen
An attacker can crash the web server on RUGGEDCOM network switches and routers, rendering them unable to accept new connections and leaving you without remote management or network access to that device until it recovers or is rebooted.
Who's at risk
Water utilities and electric utilities operating Siemens RUGGEDCOM industrial network switches and managed Ethernet routers. These devices are commonly used for network connectivity in substations, water treatment plants, and distribution systems. Affected models include the RS/RSG/M/i8xx/RMC series used for industrial networking in critical infrastructure.
How it could be exploited
An attacker with network access to the web server interface of a vulnerable RUGGEDCOM device can send a specially crafted request that exhausts system resources, causing the web server to stop responding. The device remains on the network but becomes unmanageable until restarted.
Prerequisites
  • Network access to the RUGGEDCOM device's web server port (typically port 80/443)
  • No authentication required
  • Device must be running a vulnerable firmware version
  • Remotely exploitable without authentication
  • Low attack complexity
  • No patch available for multiple product variants (end-of-life models)
  • Affects network infrastructure that supports control system operations
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (152)
136 with fix · 16 pending
Product | Affected Versions | Fix Status
RUGGEDCOM i803NC | < 4.3.8 | 4.3.8
RUGGEDCOM M969 | < 4.3.8 | 4.3.8
RUGGEDCOM M969F | All versions | No fix yet
RUGGEDCOM M969NC | < 4.3.8 | 4.3.8
RUGGEDCOM M2100 | < 4.3.8 | 4.3.8
Remediation & Mitigation
Do now
RUGGEDCOM RS900 (32M) V4.X
WORKAROUND: For devices with no fix planned (all variants of M969F, M2100F, M2200F, RS400F, RS416F, RS416PF, RS900F, RS900GF, RS900GPF, RS940GF, RSG2100F, RSG2100PF, RSG2200F, RSG2300F, RSG2300PF, RSG2488F) or no fix available (RMC8388 V5.X, RS416 v2 variants, RS900 32M V5.X, RSG2100 32M V5.X, RSG2300 variants with V5.X), restrict network access to the web server port using firewall rules or access control lists.
All products
WORKAROUND: Disable the web server on RUGGEDCOM devices if remote web-based management is not required for operations.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update firmware to version 4.3.8 or later (for V4.X devices) or version 5.8.0 or later (for V5.X and newer devices).
Long-term hardening
HARDENING: Segment RUGGEDCOM network switches and routers on a dedicated management network separate from field devices and production traffic.
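To turn the remediation steps above into a per-device action list, the following added example (not code from OTPulse or Siemens) triages an asset inventory against the fix versions and no-fix model lists given in this advisory. The inventory format, the sample rows, and the name-matching rules for the "no fix available" group are assumptions.

```python
import re

# Fix thresholds and model lists are copied from the advisory text above.
FIXED = {4: (4, 3, 8), 5: (5, 8, 0)}
NO_FIX_PLANNED = {
    "M969F", "M2100F", "M2200F", "RS400F", "RS416F", "RS416PF", "RS900F",
    "RS900GF", "RS900GPF", "RS940GF", "RSG2100F", "RSG2100PF", "RSG2200F",
    "RSG2300F", "RSG2300PF", "RSG2488F",
}
MITIGATE = "mitigate: restrict or disable the web server"

def parse_version(text):
    """Parse 'v4.3.10' into (4, 3, 10) so comparison is numeric, not lexical."""
    m = re.fullmatch(r"[vV]?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part) for part in m.groups())

def no_fix_available(name, major):
    """'No fix available' group; these name-matching rules are an assumption."""
    if "RS416" in name and "V2" in name:
        return True
    v5_only = name.startswith(("RMC8388", "RSG2300")) or name in ("RS900(32M)", "RSG2100(32M)")
    return major == 5 and v5_only

def triage(model, firmware):
    """Return the advisory action for one device."""
    name = model.upper().replace("RUGGEDCOM", "").replace(" ", "")
    if name in NO_FIX_PLANNED:
        return MITIGATE
    version = parse_version(firmware)
    if no_fix_available(name, version[0]):
        return MITIGATE
    fixed = FIXED.get(version[0])
    if fixed is None:
        return "review: firmware line not covered by the advisory"
    if version < fixed:
        return "update to " + ".".join(map(str, fixed))
    return "ok: at or above fixed version"

# Constructed sample inventory (model, firmware); not real asset data.
INVENTORY = [
    ("RUGGEDCOM M969", "4.3.7"),
    ("RUGGEDCOM M2100", "4.3.10"),  # lexically below "4.3.8", numerically newer
    ("RUGGEDCOM M969F", "4.3.7"),
    ("RUGGEDCOM RSG2300", "5.7.0"),
]

if __name__ == "__main__":
    for model, fw in INVENTORY:
        print(f"{model:22} {fw:8} {triage(model, fw)}")
```

Devices that come back as "mitigate" map to the two workarounds listed under "Do now"; devices marked "update" belong in the maintenance-window schedule.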