Weak Encryption Vulnerability in RUGGEDCOM ROS Devices
Monitor · 6.7 · SSA-764417 · Mar 8, 2022
Attack Vector: Adjacent
Auth Required: None
Complexity: High
User Interaction: Required
Summary
The SSH server on RUGGEDCOM ROS devices is configured to offer weak ciphers by default. This allows an unauthorized attacker in a man-in-the-middle position to read and modify any data passed over the SSH connection between legitimate clients and the affected device. Siemens has released firmware updates (V4.3.8 for 4.x series, V5.7.0 for 5.x series) to address this vulnerability.
What this means
What could happen
An attacker positioned on your network could intercept and modify SSH traffic to RUGGEDCOM devices, potentially allowing them to eavesdrop on management commands or alter configuration changes sent to your network switches and routers.
Who's at risk
This affects operators of Siemens RUGGEDCOM industrial Ethernet switches and routers (i800/i801/i802/i803, M969, M2100/M2200, RMC30/RMC8388, RP110, RS400/RS401/RS416 series, RS900 series, RS910/RS920/RS930/RS940/RS969, RS1600 series, RS8000 series, RSG2100/RSG2200/RSG2288/RSG2300 series, and RSG/RSL/RST series). These are typically used in electrical substations, water treatment facilities, and other critical infrastructure for network management and control.
How it could be exploited
An attacker on your network performs a man-in-the-middle (MITM) attack on SSH connections to vulnerable RUGGEDCOM devices. Because the device offers weak SSH ciphers by default, the attacker can decrypt the encrypted session and read or modify commands sent between your engineering workstation and the device.
Prerequisites
- Network access to the SSH port on the RUGGEDCOM device (typically port 22)
- Position on the network path between the client and device (MITM position)
- User must initiate an SSH connection to the vulnerable device
remotely exploitable from network · man-in-the-middle attack vector · affects device management access · weak cryptography by default
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (74)
74 with fix
| Product | Affected Versions | Fix Status |
|---|---|---|
| RUGGEDCOM i800 | < 4.3.8 | 4.3.8 |
| RUGGEDCOM i801 | < 4.3.8 | 4.3.8 |
| RUGGEDCOM i802 | < 4.3.8 | 4.3.8 |
| RUGGEDCOM i803 | < 4.3.8 | 4.3.8 |
| RUGGEDCOM M969 | < 4.3.8 | 4.3.8 |
Remediation & Mitigation
Do now
- WORKAROUND: Restrict SSH access to RUGGEDCOM devices to trusted management networks using firewall rules or access control lists
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
- HOTFIX: Update RUGGEDCOM ROS devices running firmware version 4.x to version 4.3.8 or later
- HOTFIX: Update RUGGEDCOM ROS devices running firmware version 5.x to version 5.7.0 or later
Long-term hardening
- HARDENING: Segment RUGGEDCOM management traffic onto a dedicated engineering network separate from general IT and production networks
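To check which ciphers a device's SSH server actually offers, the following added example (not part of the advisory and not Siemens code) parses an SSH_MSG_KEXINIT payload, as defined in RFC 4253, taken from a capture of your own device's handshake and reports the offered ciphers that appear on a local weak list. The `WEAK_CIPHERS` set and the sample payload are assumptions constructed for illustration; the advisory does not name the affected ciphers.

```python
import struct

# Assumption: a local policy list of ciphers to treat as weak. The advisory
# does not name specific ciphers, so adjust this set to your own standard.
WEAK_CIPHERS = {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc",
                "blowfish-cbc", "cast128-cbc", "arcfour", "arcfour128",
                "arcfour256", "none"}
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
SSH_MSG_KEXINIT = 20

def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload into {field: [algorithm names]}."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, result = 17, {}  # skip message type (1 byte) and cookie (16)
    for field in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[offset:offset + length].decode("ascii")
        result[field] = raw.split(",") if raw else []
        offset += length
    return result

def weak_ciphers_offered(payload: bytes) -> list:
    """Return the sorted weak ciphers offered in either direction."""
    algs = parse_kexinit(payload)
    offered = set(algs["enc_c2s"]) | set(algs["enc_s2c"])
    return sorted(offered & WEAK_CIPHERS)

def build_kexinit(lists: dict) -> bytes:
    """Build a constructed KEXINIT payload so the parser can run offline."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # type + zeroed cookie
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_follows, reserved

# Constructed sample, not captured from a real device.
SAMPLE = build_kexinit({"enc_c2s": ["aes256-ctr", "aes128-cbc", "3des-cbc"],
                        "enc_s2c": ["aes256-ctr", "aes128-cbc"]})

if __name__ == "__main__":
    print(weak_ciphers_offered(SAMPLE))
```

An empty result after a firmware update or configuration change means none of the ciphers on your weak list are still being offered.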
CVEs (1)