Siemens ICS Switches Hit With Buffer Overflow, Authentication Bugs

There are a number of serious vulnerabilities in the Siemens Ruggedcom WIN switches, including a remotely exploitable buffer overflow and a flaw that could allow an attacker to take actions on the device without authentication.

The vulnerabilities affect several models of the Ruggedcom WIN switches, including WIN51xx all versions prior to SS4.4.4624.35, WIN52xx: all versions prior to SS4.4.4624.35, WIN70xx: all versions prior to BS4.4.4621.32 and WIN72xx: all versions prior to BS4.4.4621.32. The Ruggedcom WIN switches are designed for use in private wide-area wireless networks. They serve as base stations and subscriber units and the switches are used in a number of industries, including communications, defense, manufacturing, dams and energy.

One of the more serious vulnerabilities in the switches could give an attacker the ability to take actions on the vulnerable switches without authentication.

“The integrated management service might allow attackers to perform administrative operations over the network without prior authentication,” the advisory from ICS-CERT says. 

The buffer overflow n the Ruggedcom WIN gear lies in the Web server that runs on the switches.

“The integrated web server (Port 443/TCP) of the affected devices is vulnerable to a buffer overflow that might allow remote code execution,” the advisory says.

There is also a condition in the Siemens firmware that results in sensitive information, such as passwords, being stored in an insecure format that an attacker could be able to access. Siemens has patched the vulnerability in an updated version of the firmware.

In addition to the three vulnerabilities in the Ruggedcom WIN switches, ICS-CERT also is warning users about a flaw in the Siemens Scalance-X switches, which are used to connect programmable logic controllers or human-machine interfaces.

“The device’s web server could allow unauthenticated attackers to impersonate legitimate users of the web interface (Port 80/TCP and Port 443/TCP) if an active web session of an authenticated user exists at the time of attack,” the advisory says.

Suggested articles