Siemens RUGGEDCOM ROX II
Plan Patch · 8.8 · ICS-CERT ICSA-24-347-03 · Dec 10, 2024
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
RUGGEDCOM ROX II web interface is vulnerable to cross-site request forgery (CSRF) in the CLI feature. An attacker can trick an authenticated user into clicking a malicious link to perform unauthorized administrative actions on the device, such as modifying settings, disabling services, or changing network configuration. The vulnerability affects all RUGGEDCOM ROX II models running firmware prior to version 2.16.0.
What this means
What could happen
An attacker can trick an authenticated operator into clicking a malicious link, allowing the attacker to perform administrative actions (like changing settings, stopping services, or altering network configuration) on the RUGGEDCOM router without the operator's knowledge.
Who's at risk
Siemens RUGGEDCOM ROX II industrial routers used in water utilities, electric utilities, and other critical infrastructure for secure remote site connectivity and WAN management. Specifically affects the MX5000, RX1400, RX1500, RX1501, RX1510, RX1511, RX1512, RX1524, and RX5000 series devices.
How it could be exploited
An attacker sends a phishing email or hosts a malicious website containing a crafted link. If an authenticated operator clicks the link while logged into the RUGGEDCOM web interface, the browser silently sends a request to perform administrative actions on the device. The attacker exploits the lack of CSRF tokens to execute commands without the user's awareness.
Prerequisites
- Operator must be logged into the RUGGEDCOM web interface
- Operator must click a link controlled by the attacker (via email, web page, or chat)
- The RUGGEDCOM device must be reachable from the operator's network or the internet
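To make concrete why the missing CSRF token matters and what the server-side fix looks like, here is an added, constructed model of a state-changing web handler in two forms: one that authorizes on the session cookie alone (the weakness class described above) and one that also requires a per-session synchronizer token, a POST method and a matching Origin. This is illustrative code written for this page, not RUGGEDCOM firmware or code from the advisory; the `/cli` path, the `csrf_token` field name, the `TRUSTED_ORIGIN` value and the session model are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Assumed origin of the device's management web interface (constructed value).
TRUSTED_ORIGIN = "https://router.example"

# session id -> session record; the anti-CSRF token is stored server-side per session.
SESSIONS: dict = {}


@dataclass
class Request:
    """Just enough of an HTTP request to model the two handlers below."""
    method: str
    path: str
    cookies: dict
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def login(user: str) -> str:
    """Create a session and issue a random synchronizer token bound to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def cli_handler_vulnerable(req: Request, audit: list) -> int:
    """Authorizes solely on the session cookie. The browser attaches that cookie
    automatically to any request aimed at the device, including one that a page
    on another site caused it to send, so a cross-site request is indistinguishable
    from an operator's own click."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401
    audit.append((sess["user"], req.form.get("cmd")))
    return 200


def cli_handler_hardened(req: Request, audit: list) -> int:
    """Same action with three standard CSRF defences layered on top."""
    sess = SESSIONS.get(req.cookies.get("session"))
    if sess is None:
        return 401
    # 1. State-changing actions only over POST, never by following a GET link.
    if req.method != "POST":
        return 405
    # 2. Synchronizer token: the form must carry the per-session secret, which a
    #    page on another origin cannot read. Compared in constant time.
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess["csrf"]):
        return 403
    # 3. If the browser supplied an Origin header, it must be our own origin.
    origin = req.headers.get("Origin")
    if origin is not None and origin != TRUSTED_ORIGIN:
        return 403
    audit.append((sess["user"], req.form.get("cmd")))
    return 200


def simulate() -> dict:
    """Run one legitimate and one cross-site request through both handlers."""
    SESSIONS.clear()
    sid = login("operator")
    csrf = SESSIONS[sid]["csrf"]
    audit_vuln, audit_hard = [], []

    # Legitimate action submitted from the device's own page (constructed).
    legit = Request("POST", "/cli", {"session": sid},
                    {"cmd": "show version", "csrf_token": csrf},
                    {"Origin": TRUSTED_ORIGIN})
    # Cross-site request (constructed): the operator's browser adds the session
    # cookie on its own, but the other site cannot supply the per-session token.
    forged = Request("POST", "/cli", {"session": sid},
                     {"cmd": "forged-action"},
                     {"Origin": "https://other-site.example"})
    return {
        "legit_vulnerable": cli_handler_vulnerable(legit, audit_vuln),
        "forged_vulnerable": cli_handler_vulnerable(forged, audit_vuln),
        "legit_hardened": cli_handler_hardened(legit, audit_hard),
        "forged_hardened": cli_handler_hardened(forged, audit_hard),
        "vulnerable_audit": audit_vuln,
        "hardened_audit": audit_hard,
    }


if __name__ == "__main__":
    print(simulate())
```

The vulnerable handler records both actions under the operator's identity, which is also why the audit log on an affected device would not distinguish the forged action from a genuine one. Marking the session cookie `SameSite=Lax` (or `Strict`) adds a browser-side layer: the cookie is then not attached to cross-site POSTs at all, so the server-side token check is no longer the only barrier.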
Tags: remotely exploitable, requires user interaction, affects network infrastructure and could disrupt connectivity
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (11)
11 with fix
Product | Affected Versions | Fix Status
RUGGEDCOM ROX MX5000 | <V2.16.0 | 2.16.0
RUGGEDCOM ROX MX5000RE | <V2.16.0 | 2.16.0
RUGGEDCOM ROX RX1400 | <V2.16.0 | 2.16.0
RUGGEDCOM ROX RX1500 | <V2.16.0 | 2.16.0
RUGGEDCOM ROX RX1501 | <V2.16.0 | 2.16.0
RUGGEDCOM ROX RX1510 | <V2.16.0 | 2.16.0
RUGGEDCOM ROX RX1511 | <V2.16.0 | 2.16.0
RUGGEDCOM ROX RX1512 | <V2.16.0 | 2.16.0
Remediation & Mitigation
Do now
WORKAROUND: While authenticated in the web interface, only access links from trusted sources and be cautious of unexpected links in email or messages
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update RUGGEDCOM ROX II devices to firmware version 2.16.0 or later
Long-term hardening
HARDENING: Restrict network access to the RUGGEDCOM web interface to authorized management networks only, using firewall rules
HARDENING: Require VPN access for remote management of RUGGEDCOM devices
HARDENING: Segment the OT network from the corporate IT network to limit lateral movement if a workstation is compromised
CVEs (1)
API: /api/v1/advisories/2aca4a5d-d629-4f22-be8b-03ad19be01db