Siemens Fixes RUGGEDCOM Holes

Wednesday, December 23, 2015 @ 10:12 AM gHale


Siemens created firmware updates to mitigate NTP daemon vulnerabilities in its RUGGEDCOM ROX-based devices, according to a report on ICS-CERT.

These vulnerabilities are remotely exploitable.

The following Siemens RUGGEDCOM ROX versions are affected when the NTP service is activated:
• ROX II: All versions prior to 2.9.0
• ROX I: All versions

By default the NTP service is deactivated on ROX I and ROX II-based devices.

An attacker exploiting these vulnerabilities could cause the NTP daemon to accept malicious time updates, prevent it from receiving updates, or crash.

Siemens is an international company headquartered in Munich, Germany.

The affected products, Siemens RUGGEDCOM ROX-based devices, are used to connect devices that operate in harsh environments such as electric utility substations and traffic control cabinets. RUGGEDCOM ROX-based devices are deployed across several sectors including energy, healthcare and public health, and transportation systems. Siemens estimates that these products are used worldwide.

An attacker could potentially make the NTP daemon accept time updates from nonspecified NTP servers by sending specially crafted UDP packets to the NTP service (Port 123/UDP).

CVE-2015-7871 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

An attacker could potentially crash the NTP daemon by sending specially crafted UDP packets to the NTP service (Port 123/UDP).

CVE-2015-7855 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 2.2.

An attacker could potentially prevent the device from fetching time updates from its configured time servers by sending specially crafted UDP packets to the NTP service (Port 123/UDP) while the NTP daemon is running.

CVE-2015-7704 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 5.3.

An attacker could potentially modify the time on the device by sending specially crafted UDP packets to the NTP service (Port 123/UDP) under certain circumstances.

CVE-2015-5300 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 3.7.

No known public exploits specifically target these vulnerabilities. An attacker with low skill would be able to exploit these vulnerabilities.

The NTP service comes deactivated on ROX I and ROX II-based devices by default.

Siemens provides firmware update V2.9.0 for ROX II-based devices to mitigate the vulnerabilities. Click here to obtain the firmware update.

Here is a local hotline center.

For ROX I-based devices and ROX II versions before ROX 2.9.0, Siemens recommends implementing the following mitigations:
• Block NTP packets from unknown peers using firewall rules
• Employ NTP time synchronization in trusted networks only
• Ensure the NTP configuration file contains the “noquery” flag for all nonlocal restrict statements, or deactivate the NTP service if the functionality is not required
• Configure NTP authentication and configure the “notrust” flag for all nonlocal restrict statements in the NTP configuration (only applies to ROX II)
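
One way to check the two restrict-flag mitigations above against an ntpd-style configuration file, as an added example (not code from Siemens or ICS-CERT). It assumes standard ntp.conf `restrict` syntax; the sample configuration and its addresses are constructed, and `audit_restrict` is a hypothetical helper name. For ROX I, where “notrust” does not apply, pass `required=("noquery",)`.

```python
import ipaddress

REQUIRED = ("noquery", "notrust")  # flags named in the mitigation list

def is_local(addr):
    """True for loopback addresses; 'default' and hostnames count as nonlocal."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False

def audit_restrict(conf_text, required=REQUIRED):
    """Return [(line_no, address, missing_flags)] for nonlocal restrict lines."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()      # drop trailing comments
        if not tokens or tokens[0] != "restrict":
            continue
        args = [t for t in tokens[1:] if t not in ("-4", "-6")]
        if not args:
            continue
        addr, rest = args[0], args[1:]
        if rest[:1] == ["mask"]:                    # skip "mask <netmask>"
            rest = rest[2:]
        if is_local(addr):
            continue
        # "ignore" drops every packet from the address, so no flag is missing.
        missing = [] if "ignore" in rest else [f for f in required if f not in rest]
        if missing:
            findings.append((line_no, addr, missing))
    return findings

# Constructed sample configuration (not taken from a ROX device).
SAMPLE_CONF = """\
# constructed ntp.conf for illustration
restrict default kod nomodify notrap nopeer
restrict -6 default kod nomodify notrap nopeer noquery notrust
restrict 127.0.0.1
restrict ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify noquery   # constructed subnet
server 192.0.2.10 key 1
"""

if __name__ == "__main__":
    for line_no, addr, missing in audit_restrict(SAMPLE_CONF):
        print(f"line {line_no}: restrict {addr} lacks {', '.join(missing)}")
```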

For more information on these vulnerabilities and detailed instructions, click here to see Siemens Security Advisory SSA-472334.