Hole in Older RuggedCom Versions

Wednesday, September 2, 2015 @ 01:09 PM gHale

There is an IP forwarding vulnerability in older versions of Siemens RUGGEDCOM ROS, and Siemens recommends updating to the latest version to mitigate it, according to a report on ICS-CERT.

This vulnerability, discovered by Stephen Craven of the Tennessee Valley Authority (TVA), is remotely exploitable.

Siemens said the vulnerability affects RUGGEDCOM ROS versions between 3.8.0 and 4.2.0.

ROS on the following products is not affected:
• RMC products
• RP110
• RS950G

An attacker in one VLAN could possibly circumvent VLAN isolation and communicate with devices in another VLAN if IP addresses are configured on both VLANs.

Siemens is an international company headquartered in Munich, Germany.

The affected products, Siemens RUGGEDCOM ROS-based devices, connect devices that operate in harsh environments such as electric utility substations and traffic control cabinets. RUGGEDCOM ROS-based devices see action across several sectors including energy, healthcare and public health, and transportation systems. Siemens estimates that these products see use worldwide.

The ROS operating system for layer 2 switches includes IP forwarding capabilities that users cannot deactivate. This may allow an attacker in one VLAN to circumvent VLAN isolation and communicate with devices in another VLAN if IP addresses are configured on both VLANs.

CVE-2015-6675 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.

No known public exploits specifically target this vulnerability. However, an attacker with medium skill would be able to exploit this vulnerability.

Firmware versions since ROS 4.2.0 provide an option to disable IP forwarding. Siemens recommends users update to the latest firmware version. Users can obtain free firmware updates for the affected products from the following:
• Submit a support request online.
• Call a local hotline center.

If users do not want IP forwarding between VLANs in their configuration, then they need to disable IP forwarding after updating to the new firmware according to the instructions in the user guide. The following link leads to the ROS user guide.

Until a user can update the firmware to the latest version, he or she can remove IP addresses from the VLAN.
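
As an added example (not from Siemens or ICS-CERT), the conditions above can be turned into an inventory triage check that tells an operator which mitigation applies to each switch. The record layout, device names and versions are constructed, and reading the affected range as 3.8.0 up to but not including 4.2.0 is an assumption.

```python
# Added example: triage a switch inventory against the advisory's conditions.
# Record layout is hypothetical; the inventory rows below are constructed.
UNAFFECTED_MODELS = ("RP110", "RS950G")  # RMC products are matched by prefix


def parse_version(text):
    """'3.12.1' -> (3, 12, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def triage(device):
    """Classify one device record using the conditions stated in the article."""
    model = device["model"].upper()
    if model.startswith("RMC") or model in UNAFFECTED_MODELS:
        return "product-not-affected"
    version = parse_version(device["ros_version"])
    # The issue requires IP addresses configured on more than one VLAN.
    multi = sum(1 for ip in device["vlan_ips"].values() if ip) >= 2
    # Assumption: affected range read as 3.8.0 <= version < 4.2.0.
    if (3, 8, 0) <= version < (4, 2, 0):
        return "exposed-update-or-remove-vlan-ips" if multi else "affected-single-ip-vlan"
    if version >= (4, 2, 0):
        # Assumption: forwarding counts as enabled unless recorded as disabled.
        if multi and device.get("ip_forwarding", True):
            return "disable-ip-forwarding-if-unwanted"
        return "ok"
    return "older-than-advisory-range"


def report(inventory):
    """Map each device name to its triage status."""
    return {d["name"]: triage(d) for d in inventory}


INVENTORY = [  # constructed sample data
    {"name": "sub-a-sw1", "model": "RS900", "ros_version": "3.12.1",
     "vlan_ips": {1: "10.0.1.2", 20: "10.0.20.2"}},
    {"name": "sub-a-sw2", "model": "RS900", "ros_version": "3.9.0",
     "vlan_ips": {1: "10.0.1.3", 20: None}},
    {"name": "sub-b-sw1", "model": "RSG2100", "ros_version": "4.2.0",
     "vlan_ips": {1: "10.1.1.2", 30: "10.1.30.2"}},
    {"name": "sub-b-sw2", "model": "RSG2100", "ros_version": "4.2.0",
     "vlan_ips": {1: "10.1.1.3", 30: "10.1.30.3"}, "ip_forwarding": False},
    {"name": "cab-7-sw1", "model": "RS950G", "ros_version": "3.10.0",
     "vlan_ips": {1: "10.2.1.2", 40: "10.2.40.2"}},
]

if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name}: {status}")
```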

For more information on this vulnerability and detailed instructions, see Siemens Security Advisory SSA-720081.