Buffer Vulnerabilities in DHCP function of RUGGEDCOM ROX products
Plan Patch · 8.8 · SSA-406691 · Mar 8, 2022
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A buffer overflow vulnerability exists in the ISC DHCP component used by RUGGEDCOM ROX devices. When the DHCP client reads a stored lease file containing malformed option information, a buffer overrun can occur, potentially leading to device denial-of-service or remote code execution.
What this means
What could happen
An attacker could crash a RUGGEDCOM ROX switch or execute arbitrary code on it by sending a crafted DHCP response or by placing a malicious lease file on the device. This could disrupt network connectivity and control system communication in your industrial network.
Who's at risk
Operators of industrial networks using RUGGEDCOM ROX switches for OT connectivity should prioritize patching. This includes water utilities, electric utilities, and other critical infrastructure relying on Siemens ROX switches for ruggedized network access and control system interconnection. The MX5000 and RX-series devices are commonly deployed in harsh environments for plant connectivity.
How it could be exploited
An attacker on the local network segment (or with access to the DHCP server) sends a crafted DHCP lease response or plants a malicious DHCP lease file on the device. When the DHCP client parses the stored lease with a specially crafted option field, the buffer overflow is triggered in the ISC DHCP library, leading to a crash or code execution with device privileges.
Prerequisites
- Local network access to the same network segment as the RUGGEDCOM ROX device
- DHCP client enabled on the device
- Device running affected firmware versions (V2.3.0 through V2.14.x, or earlier for RX1400/RX1524/RX1536)
- remotely exploitable (via malicious DHCP lease)
- no authentication required to send DHCP traffic
- affects network switches critical to OT connectivity
- buffer overflow with potential for code execution
- low complexity attack
Exploitability
Low exploit probability (EPSS 0.5%)
Affected products (10)
10 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| RUGGEDCOM ROX MX5000 | ≥ V2.3.0 and < V2.15.0 | 2.15.0 |
| RUGGEDCOM ROX RX1400 | < V2.15.0 | 2.15.0 |
| RUGGEDCOM ROX RX1500 | ≥ V2.3.0 and < V2.15.0 | 2.15.0 |
| RUGGEDCOM ROX RX1501 | ≥ V2.3.0 and < V2.15.0 | 2.15.0 |
| RUGGEDCOM ROX RX1510 | ≥ V2.3.0 and < V2.15.0 | 2.15.0 |
| RUGGEDCOM ROX RX1511 | ≥ V2.3.0 and < V2.15.0 | 2.15.0 |
| RUGGEDCOM ROX RX1512 | ≥ V2.3.0 and < V2.15.0 | 2.15.0 |
| RUGGEDCOM ROX RX1524 | < V2.15.0 | 2.15.0 |
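A triage sketch for the version ranges in the table above, added here as an example and not taken from the advisory or the vendor: it classifies a device inventory by model, firmware version and DHCP-client state. The CSV layout, host names and status strings are assumptions, and the RX1536 entry comes from the Prerequisites line rather than a table row.

```python
import csv, io, re

FIXED = (2, 15, 0)  # first fixed firmware per the table
# Lower bound of the affected range per model; None = every version below FIXED.
LOWER = {
    "MX5000": (2, 3, 0), "RX1500": (2, 3, 0), "RX1501": (2, 3, 0),
    "RX1510": (2, 3, 0), "RX1511": (2, 3, 0), "RX1512": (2, 3, 0),
    "RX1400": None, "RX1524": None,
    "RX1536": None,  # assumption: taken from the Prerequisites line, not a table row
}

def parse_version(text):
    """Turn 'V2.14.1', 'v2.9' or '2.15.0' into a comparable 3-tuple."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def classify(model, firmware, dhcp_client=True):
    """Map one device to a status string (the strings are this example's own)."""
    parts = model.upper().split()
    key = parts[-1] if parts else ""
    if key not in LOWER:
        return "unknown-model"          # not covered by the table: check manually
    v, low = parse_version(firmware), LOWER[key]
    if v >= FIXED or (low is not None and v < low):
        return "not-affected"
    # Affected firmware still needs the update; with the DHCP client off the
    # "DHCP client enabled" prerequisite is not met, so it ranks lower.
    return "exposed" if dhcp_client else "affected-firmware"

# Constructed inventory (hypothetical host names and CSV layout).
INVENTORY = """\
host,model,firmware,dhcp_client
sub-a-sw1,RUGGEDCOM ROX RX1500,V2.14.1,yes
sub-a-sw2,RUGGEDCOM ROX RX1500,V2.2.4,yes
pump-3-sw1,RUGGEDCOM ROX RX1400,V2.2.4,yes
core-sw1,RUGGEDCOM ROX MX5000,V2.15.0,yes
yard-sw1,RX1511,v2.9,no
lab-sw1,EXAMPLE-9000,V1.0.0,yes
"""

def triage(csv_text):
    """Return {host: status} for every row of the inventory CSV."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: classify(r["model"], r["firmware"],
                                r["dhcp_client"].strip().lower() == "yes")
            for r in rows}

if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host:12} {status}")
```

The two RX1500/RX1400 rows at V2.2.4 show why the per-model lower bound matters: the same firmware number is outside the affected range on one model and inside it on the other.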
Remediation & Mitigation
Do now
WORKAROUND: If immediate patching is not possible, restrict DHCP traffic to trusted DHCP servers using network firewall rules or ACLs on upstream switches
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Update all affected RUGGEDCOM ROX devices to firmware version 2.15.0 or later
Long-term hardening
HARDENING: Isolate RUGGEDCOM ROX devices on a separate VLAN with restricted access from untrusted network segments to limit DHCP exposure
CVEs (1)