
Recently Patched NTP Flaws Affect Siemens RUGGEDCOM Devices

Siemens’ RUGGEDCOM industrial communications devices are plagued by several recently patched Network Time Protocol (NTP) vulnerabilities.

According to advisories published by Siemens and ICS-CERT, the vulnerabilities impact devices running all versions of the ROX I rugged operating system and ROX II versions prior to 2.9.0. Siemens says the devices, which are used in harsh environments such as electric utility substations and traffic control cabinets, could be affected if they are configured to use the NTP daemon from ntp.org for time synchronization.

One of the vulnerabilities, which only affects ROX II-based RUGGEDCOM devices, is an authentication bypass issue (CVE-2015-7871) that can be exploited by an attacker to get the NTP daemon to accept time updates from nonspecified NTP servers by sending specially crafted UDP packets to the service.

Another flaw, described by ICS-CERT as an improper input validation issue (CVE-2015-7855), can be exploited by an attacker to crash the NTP daemon by sending specially crafted UDP packets.

Two other vulnerabilities, which according to Siemens affect only the NTP client, can be leveraged to prevent a device from fetching time updates from its configured time servers (CVE-2015-7704), and under certain circumstances modify the time on a device (CVE-2015-5300).

These security holes were identified by researchers at Cisco, IDA and Boston University.

Siemens has released firmware update 2.9.0 to address the flaws on ROX II devices. This update also patches the TLS vulnerability known as POODLE in ROX II devices.

As a workaround, the vendor recommends using firewalls to block NTP packets from unknown sources, and using NTP time synchronization only in trusted networks.

Users are also advised to ensure that the NTP configuration file contains the “noquery” flag for all nonlocal restrict statements, or deactivate the NTP service altogether if it’s not required.

Siemens has also pointed out that the NTP service is deactivated by default on both RUGGEDCOM ROX I and ROX II devices.

“If NTP is activated by the user, the configuration on ROX II (starting from version 2.6.0) and ROX I (all versions) by default contain the ‘restrict default noquery’ configuration which mitigates vulnerability [CVE-2015-7855]. Any additional restrict commands for non-local addresses should also have the ‘noquery’ flag set,” Siemens said.
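The “noquery” advice above can be checked mechanically. The following is an added example, not code from Siemens, ICS-CERT or the NTP Project: it scans ntp.conf text and reports each non-local `restrict` statement that lacks `noquery`. It assumes "local" means a loopback address, accepts `ignore` as well because that flag also denies queries, and uses a constructed sample configuration.

```python
import ipaddress

# Constructed sample configuration, not taken from a RUGGEDCOM device.
SAMPLE_CONF = """\
# sample ntp.conf
restrict default noquery
restrict -6 default kod nomodify notrap nopeer
restrict 127.0.0.1
restrict ::1
restrict 192.168.10.0 mask 255.255.255.0 nomodify notrap
restrict 10.0.0.5 nomodify noquery   # compliant
server 192.168.10.1 iburst
"""

def is_local(target):
    """Assumption: 'local' means a loopback address (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(target).is_loopback
    except ValueError:
        return False  # 'default', 'source' and hostnames count as non-local

def audit_restrict_lines(conf_text):
    """Return (line_no, statement) for non-local restrict lines without noquery."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        tokens = line.split()
        if not tokens or tokens[0] != "restrict":
            continue
        args = [t for t in tokens[1:] if t not in ("-4", "-6")]
        if not args:
            continue
        target, flags = args[0], args[1:]
        if len(flags) >= 2 and flags[0] == "mask":
            flags = flags[2:]                    # skip 'mask <netmask>' pair
        if is_local(target):
            continue
        # 'ignore' denies all packets, queries included, so it also passes.
        if "noquery" not in flags and "ignore" not in flags:
            findings.append((line_no, line))
    return findings

if __name__ == "__main__":
    for line_no, statement in audit_restrict_lines(SAMPLE_CONF):
        print(f"line {line_no}: missing noquery -> {statement}")
```
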

The vulnerabilities affecting Siemens RUGGEDCOM devices were among the dozen security holes patched by the Network Time Foundation’s NTP Project on October 21 with the release of ntp-4.2.8p4.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.