OTPulse

Vulnerability in RUGGEDCOM Discovery Protocol (RCDP) of Industrial Communication Devices

Plan Patch
CVSS 8.8
Siemens advisory: SSA-856721
Published: Sep 28, 2017
Attack Vector: Adjacent
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

On RUGGEDCOM ROS-based devices and certain SCALANCE X managed switches, the RUGGEDCOM Discovery Protocol (RCDP) service is not properly configured after commissioning: the daemon stays enabled and continues to accept administrative operations without authentication. An unauthenticated attacker on the same network segment (CVSS "adjacent" access) can therefore perform administrative operations on the device, such as modifying network settings, changing the configuration, or disrupting communications. Exploitation requires both that the attacker be on the same segment and that the RCDP daemon be enabled. The vulnerability affects a wide range of RUGGEDCOM ROS devices and SCALANCE X switches used in manufacturing and infrastructure networks. Siemens has released fixed firmware for all affected products; the fix versions are listed under Remediation & Mitigation.

What this means
What could happen
An attacker on the same network segment could perform administrative operations on RUGGEDCOM or SCALANCE devices without authentication, potentially modifying network settings, stopping communications, or altering critical infrastructure configurations.
Who's at risk
Industrial communication devices in manufacturing environments, specifically: RUGGEDCOM ROS-based devices (i800, i801, i802, i803, M969, M2100, M2200, RMC30, RMC8388, RP110, RS400/RS401/RS416/RS900/RS910/RS920/RS930/RS940/RS969/RS1600/RS8000 series and RSG/RSL/RST variants) and SCALANCE X managed switches (XB, XC, XF, XM, XP, XR series). These are used in factory automation, utility control systems, and critical infrastructure networks.
How it could be exploited
An attacker with access to the same network segment sends unauthenticated RCDP (RUGGEDCOM Discovery Protocol) messages to a device where the RCDP daemon is enabled and not properly configured. The attacker can then issue administrative commands to modify device settings or disable network functionality.
Prerequisites
  • Access to the same adjacent network segment as the vulnerable device
  • RCDP daemon enabled on the target device
  • Target device running a firmware version below the patched version
Risk factors
  • Exploitable from the adjacent network segment; no prior foothold on the device is needed
  • No authentication required for exploitation
  • Low attack complexity
  • Affects network infrastructure devices that carry critical communications
  • Large number of devices across multiple product lines
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (247)
247 with fix
Product              Affected Versions   Fix Status
RUGGEDCOM i800       < 4.3.4             4.3.4
RUGGEDCOM i800NC     < 4.3.4             4.3.4
RUGGEDCOM i801       < 4.3.4             4.3.4
RUGGEDCOM i801NC     < 4.3.4             4.3.4
RUGGEDCOM i802       < 4.3.4             4.3.4
(5 of 247 rows shown)
Remediation & Mitigation
Do now
WORKAROUND: Disable the RCDP daemon on RUGGEDCOM ROS devices and SCALANCE X switches once commissioning is complete, unless discovery-based administration is required for operations. Where it must stay enabled, restrict the network segment those devices share to trusted management stations, since any host on that segment can reach RCDP.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

RUGGEDCOM i800
HOTFIX: Update RUGGEDCOM i800/i801/i802/i803/M969/M2100/M2200/RMC30/RP110/RS400/RS401/RS416/RS900/RS910/RS920/RS930/RS940/RS969/RS1600/RS8000/RSG2100/RSG2200/RSG2288/RSG2300/RSG2488 devices to firmware version 4.3.4 or later
RUGGEDCOM RMC8388 V4.X
HOTFIX: Update RUGGEDCOM RMC8388 V4.X/RS416NCv2 V4.X/RS416Pv2 V4.X/RS416v2 V4.X/RS900(32M) V4.X/RS900G(32M) V4.X/RS900GNC(32M) V4.X/RSG920P V4.X/RSG920PNC V4.X/RSG2100(32M) V4.X/RSG2100NC(32M) V4.X/RSG2100P(32M) V4.X/RSG2100PNC(32M) V4.X/RSG2288 V4.X/RSG2288NC V4.X/RSG2300 V4.X/RSG2300NC V4.X/RSG2300P V4.X/RSG2300PNC V4.X/RSG2488 V4.X/RSG2488NC V4.X devices to firmware version 4.3.4 or later
RUGGEDCOM RMC8388 V5.X
HOTFIX: Update RUGGEDCOM RMC8388 V5.X/RS416NCv2 V5.X/RS416Pv2 V5.X/RS416v2 V5.X/RS900(32M) V5.X/RS900G(32M) V5.X/RS900GNC(32M) V5.X/RSG907R/RSG908C/RSG909R/RSG910C/RSG920P V5.X/RSG920PNC V5.X/RSG2100(32M) V5.X/RSG2100NC(32M) V5.X/RSG2100P(32M) V5.X/RSG2100PNC(32M) V5.X/RSG2288 V5.X/RSG2288NC V5.X/RSG2300 V5.X/RSG2300NC V5.X/RSG2300P V5.X/RSG2300PNC V5.X/RSG2488 V5.X/RSG2488NC V5.X/RSL910/RSL910NC/RST916C/RST916P/RST2228/RST2228P devices to firmware version 5.0.1 or later
SCALANCE XC206-2G PoE EEC (54 V DC)
HOTFIX: Update SCALANCE XC206-2G PoE EEC (54 V DC)/XC206-2SFP/SIPLUS NET SCALANCE XC206-2/SIPLUS NET SCALANCE XC206-2SFP/SIPLUS NET SCALANCE XC208/SIPLUS NET SCALANCE XC216-4C and other SCALANCE XB/XC/XF/XP/XR switches with firmware version 3.0.x to version 3.0.2 or later
SCALANCE XR526-8C / XR528-6M / XR552-12M / XM408-4C / XM408-8C / XM416-4C
HOTFIX: Update SCALANCE XR526-8C/XR528-6M/XR552-12M/XM408-4C/XM408-8C/XM416-4C devices with firmware version 6.1.0 to version 6.1.1 or later
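A small inventory triage script for the fix versions in the items above, added here as an example; it is not Siemens' or OTPulse's code. It encodes the thresholds from this page (ROS V4.X fixed in 4.3.4, ROS V5.X in 5.0.1, SCALANCE X 3.0.x in 3.0.2, XR5xx/XM4xx 6.1.0 in 6.1.1) and turns each inventory row into a "do now" or "schedule" item depending on whether the RCDP daemon is still enabled. The inventory rows and the rcdp column are constructed for illustration, and the product matching assumes the export has already been filtered to the products in the affected table, since a RUGGEDCOM prefix alone does not identify a ROS device.

```python
"""Triage an OT device inventory against the SSA-856721 fix versions.

Added example, not from Siemens or the advisory. Thresholds come from the
HOTFIX items above; the inventory below is constructed, and its 'rcdp'
column (RCDP daemon still enabled after commissioning) is an assumed field
of a hypothetical asset export.
"""
from __future__ import annotations

import csv
import io
import re

Version = tuple[int, ...]


def parse_version(text: str) -> Version:
    """'V4.3.4' -> (4, 3, 4). Comparison is numeric, component by component."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def first_fixed_version(product: str, fw: Version) -> Version | None:
    """Fixed version for this product/firmware line, or None if the page lists none.

    Assumes `product` is one of the families in the affected table above.
    """
    if product.startswith("RUGGEDCOM"):
        # ROS V4.X (and older, listed as "< 4.3.4") is fixed in 4.3.4; the
        # V5.X line only in 5.0.1. So ROS 5.0.0 is still vulnerable even
        # though 5.0.0 sorts after 4.3.4: the branch, not the number, decides.
        if fw and fw[0] <= 4:
            return (4, 3, 4)
        if fw and fw[0] == 5:
            return (5, 0, 1)
        return None
    if "SCALANCE X" in product:
        if fw[:2] == (3, 0):   # XB/XC/XF/XP/XR on 3.0.x
            return (3, 0, 2)
        if fw[:2] == (6, 1):   # XR526/XR528/XR552/XM408/XM416 on 6.1.0
            return (6, 1, 1)
    return None


def assess(product: str, firmware: str, rcdp_enabled: bool) -> str:
    """Classify one device as 'fixed', 'do-now', 'schedule' or 'unknown'.

    do-now   : vulnerable firmware and RCDP still enabled -> disable RCDP today
    schedule : vulnerable firmware but RCDP already off   -> patch in next window
    """
    fw = parse_version(firmware)
    fixed = first_fixed_version(product, fw)
    if fixed is None:
        return "unknown"
    if fw >= fixed:
        return "fixed"
    return "do-now" if rcdp_enabled else "schedule"


# Constructed inventory export with hypothetical columns.
INVENTORY_CSV = """\
asset,product,firmware,rcdp
sw-01,RUGGEDCOM RSG2100(32M),V4.3.3,yes
sw-02,RUGGEDCOM RSG2100(32M),V4.3.4,yes
sw-03,RUGGEDCOM RST2228,V5.0.0,no
sw-04,RUGGEDCOM RST2228,V5.0.1,yes
sw-05,SCALANCE XC206-2SFP,V3.0.1,yes
sw-06,SCALANCE XR526-8C,V6.1.0,no
sw-07,SCALANCE XM408-8C,V6.1.1,yes
sw-08,SCALANCE XC206-2SFP,V2.0.0,yes
"""


def triage(csv_text: str) -> dict[str, str]:
    """Map asset name -> classification for every row of the export."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {
        r["asset"]: assess(r["product"], r["firmware"], r["rcdp"].lower() == "yes")
        for r in rows
    }


if __name__ == "__main__":
    for asset, state in sorted(triage(INVENTORY_CSV).items()):
        print(f"{asset:6} {state}")
```

The point of the branch-aware lookup is sw-03: a plain "newer than 4.3.4" check would mark ROS 5.0.0 as fixed, but this page lists 5.0.1 as the first fixed V5.X release. Rows the page gives no fix line for (sw-08, a SCALANCE XC on 2.x firmware) come back "unknown" rather than being silently marked safe.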
Long-term hardening
HARDENING: Implement network segmentation to isolate RUGGEDCOM and SCALANCE devices from untrusted network segments, so that only management hosts share a segment with them.
HARDENING: Monitor network traffic for RCDP (RUGGEDCOM Discovery Protocol) messages that do not originate from your known management stations; with the daemon disabled after commissioning, any RCDP traffic is worth investigating.