Mirror Port Isolation Vulnerability in RUGGEDCOM ROS Devices
Act Now | 9.1 | SSA-908185 | Aug 8, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary
A vulnerability in RUGGEDCOM ROS devices with mirror port enabled allows an attacker to inject arbitrary information into the network via the mirror port, which is not properly isolated. An attacker with network access could insert malicious packets that will be forwarded through the mirrored port to connected devices. The issue affects numerous RUGGEDCOM switch models across multiple product families (i800, M, RMC, RS, RSG, RSL, RST series).
What this means
What could happen
An attacker can inject arbitrary network traffic into your network through a mirror port on these switches, potentially allowing them to spoof network traffic, poison network communications, or disrupt critical process controls by inserting malicious packets.
Who's at risk
Water authorities and electric utilities using Siemens RUGGEDCOM ROS industrial Ethernet switches for network infrastructure, particularly those with mirror port (port mirroring/SPAN) enabled for network monitoring or diagnostics. The issue affects all RUGGEDCOM switch families, including i800, M series, RMC, RS, RSG, RSL, and RST models.
How it could be exploited
An attacker with network access to the device can send crafted packets to the mirror port, which will be forwarded to the mirrored port without proper isolation, allowing the injected traffic to reach critical devices like PLCs or field instruments on your control network.
Prerequisites
- Network access to the RUGGEDCOM switch
- Mirror port must be enabled and configured on the device
- No authentication required to exploit the mirror port isolation weakness
- Remotely exploitable
- No authentication required
- Low complexity attack
- Affects network-level connectivity to critical control devices
- Large number of products with no fix available
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (156)
118 with fix, 38 pending
Product | Affected Versions | Fix Status
RUGGEDCOM i800 | < 4.3.8 | 4.3.8
RUGGEDCOM i800NC | < 4.3.8 | 4.3.8
RUGGEDCOM i801 | < 4.3.8 | 4.3.8
RUGGEDCOM i801NC | < 4.3.8 | 4.3.8
RUGGEDCOM i802 | < 4.3.8 | 4.3.8
Remediation & Mitigation
Do now
WORKAROUND: For products with no available fix (M969F, M2100F, M2200F, RS400 series, RS401 series, RS416F, RS416PF, RS900F, RS900L all versions, RS900LNC all versions, RS940GF, RS1600 series, RS8000 series, RSG2100F, RSG2100PF, RSG2200F, RSG2300F, RSG2300PF, RSG2488F), disable mirror port functionality until vendor provides a patch or consider network segmentation to isolate these devices.
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
HOTFIX: Upgrade affected RUGGEDCOM ROS devices running V4.X firmware to version 4.3.8 or later
HOTFIX: Upgrade affected RUGGEDCOM ROS devices running V5.X firmware to version 5.8.0 or later
Long-term hardening
HARDENING: Segment the network so that RUGGEDCOM switches carrying critical control traffic are isolated from untrusted networks or administrative interfaces
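
The remediation steps above, applied to a switch inventory as an added example (not Siemens code and not part of the original advisory). It assumes every inventory row is already confirmed as an affected product, that a "series" entry in the no-fix list covers every model name beginning with that prefix, and the function names and sample rows are constructed for illustration.

```python
# Added triage example (not vendor code). Fix versions and the no-fix product
# list are copied from this advisory; the inventory rows are constructed.
NO_FIX_EXACT = {"M969F", "M2100F", "M2200F", "RS416F", "RS416PF", "RS900F",
                "RS900L", "RS900LNC", "RS940GF", "RSG2100F", "RSG2100PF",
                "RSG2200F", "RSG2300F", "RSG2300PF", "RSG2488F"}
# Assumption: a "series" entry covers every model name starting with it.
NO_FIX_SERIES = ("RS400", "RS401", "RS1600", "RS8000")
FIXED_IN = {4: (4, 3, 8), 5: (5, 8, 0)}  # firmware branch -> first fixed release


def parse_version(text):
    """Turn 'V4.3.7' or '5.8' into a tuple of ints, padded to three fields."""
    parts = [int(p) for p in text.strip().lstrip("vV").split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def triage(model, firmware, mirror_enabled):
    """Return (action, exposed_now); exposed_now means unpatched with mirroring on."""
    name = model.upper().replace("RUGGEDCOM", "").strip()
    if name in NO_FIX_EXACT or name.startswith(NO_FIX_SERIES):
        return "disable mirror port / segment (no fix)", mirror_enabled
    version = parse_version(firmware)
    fixed = FIXED_IN.get(version[0])
    if fixed is None:  # the advisory only gives fixes for V4.X and V5.X
        return "review manually (branch not covered here)", mirror_enabled
    if version < fixed:
        return "upgrade to %d.%d.%d or later" % fixed, mirror_enabled
    return "none", False


INVENTORY = [  # constructed sample rows: (model, firmware, mirror port enabled)
    ("RUGGEDCOM i800", "4.3.7", True),
    ("RUGGEDCOM RS900F", "5.7.0", True),
    ("RUGGEDCOM RSG2488", "V5.7.2", False),
    ("RUGGEDCOM i802", "4.3.8", False),
]

if __name__ == "__main__":
    for row in INVENTORY:
        print(row[0], row[1], "->", triage(*row))
```

Rows flagged as exposed with no fix available are the ones for the "Do now" workaround; the rest can wait for the maintenance window.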
CVEs (1)