OTPulse

Siemens RUGGEDCOM ROS

Plan PatchCVSS 9.1ICS-CERT ICSA-23-222-12Aug 8, 2023
Siemens
Attack path
Attack VectorNetwork
Auth RequiredNone
ComplexityLow
User InteractionNone needed
Summary

A vulnerability in Siemens RUGGEDCOM ROS devices with mirror port enabled allows an attacker to inject information into the network via the mirror port. The vulnerability affects industrial Ethernet switches and managed switch products across multiple RUGGEDCOM series (i800, M2100, M2200, RS400, RS900, RS1600, RS8000, RSG2100, RSG2200, RSG2300, RSG2488, and others). Siemens has released firmware updates for some affected products and is preparing further updates. For products without planned fixes, specific countermeasures are recommended.

What this means
What could happen
An attacker with network access to a RUGGEDCOM switch's mirror port could inject crafted network traffic to deceive monitoring or diagnostic tools, potentially masking malicious activity or causing false alarms that could trigger automated responses. This could disrupt situational awareness of the industrial network or lead to unintended control actions if triggered by monitoring systems.
Who's at risk
Water utilities and electric cooperatives using Siemens RUGGEDCOM industrial Ethernet switches for network segmentation and monitoring in substations, control centers, and water treatment facilities. The vulnerability affects dozens of RUGGEDCOM models used in critical infrastructure networking. Organizations relying on mirror ports for network visibility, intrusion detection, or packet capture for forensics are at risk of having that visibility compromised.
How it could be exploited
An attacker must be on the network segment connected to or able to reach the RUGGEDCOM switch's mirror port. They would inject specially crafted network packets into the mirrored traffic stream, which could alter the data observed by network monitoring tools, packet capture systems, or other devices monitoring the mirror port.
Prerequisites
  • Network access to the mirror port of the RUGGEDCOM device
  • Mirror port feature enabled on the switch
  • Device running vulnerable firmware version (varies by model; most versions before 4.3.8 or 5.8.0)
Remotely exploitableNo authentication requiredLow complexity exploitationNo patch available for many product variants (end-of-life models)Affects network visibility and monitoring integrity
Exploitability
Unlikely to be exploited — EPSS score 0.2%
Affected products (156)
118 with fix38 pending
ProductAffected VersionsFix Status
RUGGEDCOM i800< 4.3.84.3.8
RUGGEDCOM i800NC< 4.3.84.3.8
RUGGEDCOM i801< 4.3.84.3.8
RUGGEDCOM i801NC< 4.3.84.3.8
RUGGEDCOM i802< 4.3.84.3.8
Remediation & Mitigation
0/5
Do now
0/2
WORKAROUNDFor products with no planned fix (M969F, M2100F, M2200F, RS400 series, RS401 series, RS416F, RS416PF, RS900 M88E6083 variants, RS900F, RS900GF, RS900GPF, RS900L M88E6083, RS900LNC M88E6083, RS1600 series, RS8000 series, RSG2100F, RSG2100PF, RSG2200F, RSG2300F, RSG2300PF, RSG2488F, RS940GF), implement network access controls to restrict physical or network access to the mirror port
WORKAROUNDIf mirror port functionality is not required, disable the mirror port feature on affected RUGGEDCOM devices
Schedule — requires maintenance window
0/2

Patching may require device reboot — plan for process interruption

RUGGEDCOM i800
HOTFIXUpdate RUGGEDCOM i800, i801, i802, i803, M969, M2100, M2200, RMC30, RP110, RS416, RS900, RS910, RS920, RS930, RS940, RS969, RSG2100, RSG2200 series devices to firmware version 4.3.8 or later
RUGGEDCOM RS900 (32M) V4.X
HOTFIXUpdate RUGGEDCOM RMC8388, RS416NCv2, RS416PNCv2, RS416Pv2, RS900 (32M variants), RS900GNC (32M variants), RSG2100 (32M variants), RSG2100PNC (32M variants), RSG2200, RSG2288, RSG2300, RSG2300P, RSG2488, RSL910, RST916, RST2228 devices running firmware V5.X to version 5.8.0 or later
Long-term hardening
0/1
HARDENINGSegment the network so that mirror ports are only accessible from trusted monitoring or diagnostic systems; restrict untrusted network segments from reaching the mirror port
View full CISA ICS-CERT advisory
API: /api/v1/advisories/2fa3a260-2c2b-4c84-ab4b-54147446790b

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.

Siemens RUGGEDCOM ROS | CVSS 9.1 - OTPulse