Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?



Recently Patched NTP Flaws Affect Siemens RUGGEDCOM Devices

Siemens’ RUGGEDCOM industrial communications devices are plagued by several recently patched network time protocol (NTP) vulnerabilities.

Siemens’ RUGGEDCOM industrial communications devices are plagued by several recently patched network time protocol (NTP) vulnerabilities.

According to advisories published by Siemens and ICS-CERT, the vulnerabilities impact devices running all versions of the ROX I rugged operating system and ROX II versions prior to 2.9.0. Siemens says the devices, which are used in harsh environments such as electric utility substations and traffic control cabinets, could be affected if they are configured to use the NTP daemon from for time synchronization.Ruggedcom NTP vulnerabilities

One of the vulnerabilities, which only affects ROX II-based RUGGEDCOM devices, is an authentication bypass issue (CVE-2015-7871) that can be exploited by an attacker to get the NTP daemon to accept time updates from nonspecified NTP servers by sending specially crafted UDP packets to the service.

Another flaw, described by ICS-CERT as an improper input validation issue (CVE-2015-7855), can be exploited by an attacker to crash the NTP daemon by sending specially crafted UDP packets.

Two other vulnerabilities, which according to Siemens affect only the NTP client, can be leveraged to prevent a device from fetching time updates from its configured time servers (CVE-2015-7704), and under certain circumstances modify the time on a device (CVE-2015-5300).

These security holes were identified by researchers at Cisco, IDA and Boston University.

Siemens has released firmware update 2.9.0 to address the flaws on ROX II devices. This update also patches the TLS vulnerability known as POODLE in ROX II devices.

As a workaround, the vendor recommends using firewalls to block NTP packets from unknown sources, and using NTP time synchronization only in trusted networks.

Users are also advised to ensure that the NTP configuration file contains the “noquery” flag for all nonlocal restrict statements, or deactivate the NTP service altogether if it’s not required.

Advertisement. Scroll to continue reading.

Siemens has also pointed out that the NTP service is deactivated by default on both RUGGEDCOM ROX I and ROX II devices.

“If NTP is activated by the user, the configuration on ROX II (starting from version 2.6.0) and ROX I (all versions) by default contain the ‘restrict default noquery’ configuration which mitigates vulnerability [CVE-2015-7855]. Any additional restrict commands for non-local addresses should also have the ‘noquery’ flag set,” Siemens said.

The vulnerabilities affecting Siemens RUGGEDCOM devices were among the dozen security holes patched by the Network Time Foundation’s NTP Project on October 21 with the release of ntp-4.2.8p4.

Related: Siemens Patches Vulnerabilities in SIPROTEC, SIMATIC, RUGGEDCOM Products

Related: Siemens Fixes Vulnerabilities in Several ICS Products

Related: Siemens Patches Vulnerability in RUGGEDCOM Switches

Learn More at the ICS Cyber Security Conference

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

Intelligent document processing company ABBYY has hired Clayton C. Peddy as CISO.

Digital executive protection services provider BlackCloak has appointed Ryan Black as CISO.

More People On The Move

Expert Insights