The dust still hasn’t cleared from revelations that many of RuggedCom brand networking products contain an easily-exploited back door account, and that it is working on a fix for the problem, according to a statement from Siemens, which recently bought RuggedCom.
“We are looking into all aspects of the situation,” said Siemens Industry spokesman Bob Bartels in an e-mail to Threatpost. “I hope that you and your readers understand that this often takes time to resolve”
Ruggedcom issued a bulletin to customers on April 27 saying that it was working on a fix for the problem – a company-supplied back door administrator account named “factory” that uses a password that can be easily derived just by knowing the machine address code (MAC) of the RuggedCom hardware.
The vulnerability, which was discovered by San Francisco independent security researcher Justin Clarke in 2011, affects RuggedCom Layer 2 Ethernet switches and serial to Ethernet converters running Version 3.2 and higher of the ROS firmware.
RuggedCom said in a statement Friday that it will release new versions of its ROS firmware in the “next few weeks” that will remove the undocumented factory account. It is also encouraging customers using versions of ROS earlier than 3.7 to update the firmware to a more recent version.
Clarke, the researcher who discovered the flaw, said that he had made “multiple attempts” to have Ruggedcom remove the back door account and notify customers of its existence. Ruggedcom was first notified in April, 2011 and acknowledged the existence of the account in July, 2011 and requested more time to notify customers on April 10, but did not indicate that the company would close the backdoor account and disable Telnet and RSH (remote shell) services by default. Those services were “on” by default in prior ROS releases and can be used to connect remotely to a RuggedCom device and determine its MAC address.
Clarke told Threatpost in a phone interview last week that initial conversations with staff at Ruggedcom left him hopeful that the vendor would address the security hole, but that the company “went dark” shortly after he revealed his findings to them. “I believed that magic was going to happen. I told them they had a back door. Now that they know its there, they’re going to fix it.”
Writing on the blog of Digital Bond, a consulting company that specializes in security audits for industrial controls systems, researcher Reid Wightman said that RuggedCom was addressing the symptoms of the problem, but not its cause.
“The disease, in this case, is a lack of a methodical development process that has any awareness of security. RuggedCom clearly does not include security as a part of its development lifecycle…This ‘developer backdoor’ made it into release. Nobody and no process at RuggedCom stopped it, and RuggedCom has no process to address security concerns in already-released products. They were not going to fix it at all until Justin went full disclosure,” he wrote.