All version of Siemens RUGGEDCOM ROX I VPN endpoints and firewall devices sport five vulnerabilities that can be exploited by attackers to perform actions with administrative privileges.
The announcement was made via advisories both by Siemens and the US ICS-CERT, and the discovery of four of the five vulnerabilities credited to security researcher Maxim Rupp, of German cybersecurity services firm Cure53.
RUGGEDCOM ROX-based devices are used to connect devices that operate in harsh environments such as electric utility substations and traffic control cabinets, and are deployed by organizations in the energy, healthcare, and transportation industries across the world.
The vulnerabilities affect the devices’ web interface and integrated web server (both at port 10000/TCP), some are remotely exploitable, and they don’t require attackers to possess a high skill level.
By taking advantage of the flaws, attackers could access sensitive information, perform actions with the privileges of an authenticated user, change configuration settings, and perform Cross-Site Scripting (XSS) attacks.
Two of the vulnerabilities can be triggered by tricking users into clicking on a malicious link, although there are some other conditions that have to be met in order for the exploit to work, namely that a privileged session is open in the same browser.
A set of solutions for the issues
No patches for the issues have been offered, and there is no indication they will be.
Still, Siemens has offered a number of mitigations that should remove all risk, and they include:
- Using a provided mitigation tool to disable the web interface and guest and operator accounts
- Restricting access to the devices to trusted administrators only
- Applying cell protection (as defined in Siemens’s operational guidelines for Industrial Security)
- Using VPN for protecting network communication between cells
- Applying Defense-in-Depth principles, and
- Protecting network access to the web interface with appropriate mechanisms.