OTPulse

Denial of Service Vulnerability in RUGGEDCOM ROS devices

Monitor | 5.3 | SSA-787941 | Nov 8, 2022
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

RUGGEDCOM ROS-based managed Ethernet switches are vulnerable to a Slowloris-style denial of service attack on the HTTP web management interface. An attacker can send continuous partial HTTP requests without completing them, exhausting all available connections and rendering the web management interface inaccessible. This prevents remote access to the switch for monitoring and configuration. The device recovers automatically once the attack stops. Siemens has released firmware updates for many variants but has prepared no fixes for the "NC" (non-contact) and "F" (firewall) variants.

What this means
What could happen
An attacker can exhaust all available HTTP connections on the device by sending incomplete HTTP requests, making the web management interface unreachable and preventing remote monitoring and configuration of the switch until the attack stops.
Who's at risk
Water utilities and electric utilities using Siemens RUGGEDCOM ROS managed Ethernet switches (RS, RSG, RSL, RST, M, i, and RP series) for network infrastructure. These are industrial-grade switches used in utility SCADA networks, substations, and water treatment plant communications. Variants with "NC" or "F" designations have no fix available.
How it could be exploited
An attacker with network access to the device's HTTP port (typically port 80 or 443) sends a large number of partial HTTP requests and keeps them open without completing them. This ties up all available connection slots on the web server, preventing legitimate access to the management interface. The attack requires no credentials and the device recovers automatically when the attack ceases.
Prerequisites
  • Network access to HTTP/HTTPS port on the affected device
  • No authentication required
  • Remotely exploitable
  • No authentication required
  • Low complexity attack
  • Affects monitoring and control network availability
  • Many variants have no patch available
Exploitability
Low exploit probability (EPSS 0.9%)
Affected products (152)
74 with fix, 78 pending

| Product | Affected Versions | Fix Status |
|---|---|---|
| RUGGEDCOM RS910NC | All versions | No fix yet |
| RUGGEDCOM RS910W | < 4.3.8 | 4.3.8 |
| RUGGEDCOM RS920L | < 4.3.8 | 4.3.8 |
| RUGGEDCOM RS920LNC | All versions | No fix yet |
| RUGGEDCOM RS920W | < 4.3.8 | 4.3.8 |
Remediation & Mitigation
Do now
WORKAROUND: For devices with no fix available (NC and F variants), implement network firewall rules to restrict HTTP/HTTPS access to the management interface to only authorized administrative networks.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update RUGGEDCOM ROS devices with V4.X firmware to version 4.3.8 or later.
HOTFIX: Update RUGGEDCOM ROS devices with V5.X firmware to version 5.6.0 or later.
Long-term hardening
HARDENING: Implement network segmentation to isolate management access to these switches behind a secure administrative network.
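
A check a defender could run over connection records from a network sensor, as an added example (not part of the advisory or of any Siemens tooling): it flags sources that reach the HTTP/HTTPS management ports from outside the authorized administrative network, and sources holding many unfinished requests open. The record fields, the admin subnet, the thresholds and all addresses are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

MGMT_PORTS = {80, 443}                      # HTTP/HTTPS management ports named in the advisory
ADMIN_NETS = [ip_network("10.10.50.0/24")]  # assumed authorized admin network (placeholder)

def audit_mgmt_connections(records, now, stall_secs=30, max_stalled=5):
    """Return (unauthorized, suspects).

    unauthorized: set of (src, dst) pairs reaching a management port from
                  outside ADMIN_NETS (the workaround is not enforced on that path).
    suspects:     {(src, dst): count} where one source holds more than
                  max_stalled connections open, each with no completed HTTP
                  request for at least stall_secs (the Slowloris pattern).
    """
    unauthorized, stalled = set(), defaultdict(int)
    for r in records:
        if r["dport"] not in MGMT_PORTS:
            continue
        pair = (r["src"], r["dst"])
        if not any(ip_address(r["src"]) in net for net in ADMIN_NETS):
            unauthorized.add(pair)
        still_open = r["closed"] is None
        if still_open and not r["request_complete"] and now - r["opened"] >= stall_secs:
            stalled[pair] += 1
    suspects = {p: n for p, n in stalled.items() if n > max_stalled}
    return unauthorized, suspects

# Constructed sample records (not real traffic); timestamps are in seconds.
SWITCH = "192.0.2.10"
SAMPLE = (
    # admin workstation: one finished request
    [{"src": "10.10.50.7", "dst": SWITCH, "dport": 443, "opened": 100,
      "closed": 101, "request_complete": True}]
    # host outside the admin network holding 8 unfinished requests open
    + [{"src": "10.20.0.99", "dst": SWITCH, "dport": 80, "opened": 100 + i,
        "closed": None, "request_complete": False} for i in range(8)]
    # unrelated traffic to a non-management port is ignored
    + [{"src": "10.20.0.5", "dst": SWITCH, "dport": 22, "opened": 90,
        "closed": None, "request_complete": False}]
)

if __name__ == "__main__":
    unauthorized, suspects = audit_mgmt_connections(SAMPLE, now=200)
    print("outside admin networks:", sorted(unauthorized))
    print("stalled-request suspects:", suspects)
```

Any pair reported as unauthorized means the firewall restriction from the workaround is not in effect on that path.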