Siemens has shared recommendations for mitigating several medium and high severity vulnerabilities affecting some of the company’s RUGGEDCOM products.
Four types of security holes have been identified in RUGGEDCOM appliances running any version of ROX I (Rugged Operating System on Linux). The affected products are industrially hardened security appliances with integrated router, firewall and VPN functionality. They are used worldwide at electric utility substations, traffic control cabinets and in other harsh environments.
A majority of the vulnerabilities were discovered and reported by researcher Maxim Rupp, including cross-site scripting (XSS), path traversal, privilege escalation and cross-site request forgery (CSRF) issues. One XSS flaw was also discovered by Siemens itself.
Rupp has identified roughly 20 parameters that allow hackers to launch XSS attacks and execute arbitrary JavaScript code due to improper input validation (CVE-2017-2687). The expert has also identified a path traversal vulnerability (CVE-2017-2686) that can be exploited to read arbitrary files and possibly access sensitive information.
Learn More at the 2017 Singapore ICS Cyber Security Conference
Another flaw, described as a privilege escalation (CVE-2017-2689), can be exploited to bypass access restrictions and obtain privileged file system access or change configuration settings.
The security hole exists due to several issues related to improper access control mechanisms, missing checks for unrestricted file uploads, and server misconfigurations.
Rupp has also identified a CSRF vulnerability (CVE-2017-2688) that can be exploited to perform various actions on behalf of a logged-in user who is tricked into clicking on a malicious link. The researcher said an attacker can combine the CSRF with the privilege escalation flaw to access files on the host without access to the device’s web interface.
The vulnerabilities affect the web interface on port 10000/TCP and they either require the targeted user to click on a link, or the attacker needs to have network access and valid credentials in order to exploit them.
Advisories have been made available by ICS-CERT, Siemens and Rupp. While it hasn’t released any updates, Siemens has advised users to obtain a mitigation tool that can be used to disable the web interface and guest/operator accounts on the affected ROX I devices. The vendor also recommends limiting access to trusted admins, and using VPNs.
“As a general security measure Siemens strongly recommends to protect network access to the web interface at 10000/TCP of ROX I-based devices with appropriate mechanisms. It is advised to configure the environment according to our operational guidelines in order to run the devices in a protected IT environment,” Siemens said.
Related: Flaws Patched in Siemens RUGGEDCOM NMS Product
Related: High Severity Flaws Patched by Siemens, Schneider Electric
Related: Vulnerabilities Found in Siemens Desigo PX, SIMATIC Products