Update Siemens industrial VPN and firewall appliances used in severe environments remain unpatched after an advisory from ICS-CERT on Tuesday disclosed that a number of serious vulnerabilities exist in the gear.
Siemens has made a number of recommendations for workarounds, but it’s unknown whether any of the RUGGEDCOM products will be patched since some of the models identified have been end of life for more than a year. A request for comment from Siemens was not returned in time for publication.
“On March 28, 2017, Siemens issued Security Advisory SSA-327980 and released a tool to resolve all 5 issues affecting RUGGEDCOM ROX I devices,” a Siemens representative told Threatpost. “Siemens will update the advisory when new information becomes available.”
Researcher Maxim Rupp privately disclosed five vulnerabilities to the vendor, and said there are no public exploits in circulation for any of the bugs, however, he said that an attacker with relatively low skill level could exploit the issues.
Rupp said that Siemens RUGGEDCOM ROX I-based RX1000 devices running firmware version ROX1.16.1 and Webmin 1.160-2.rr880, are affected.
“An authenticated, malicious remote user with low skills would be able to compromise the availability, integrity, and confidentiality of the Siemens RX1000 industrial device. The router effectively becomes an entry point into the network where it is located,” Rupp said in an advisory. “Successful exploitation of these vulnerabilities could significantly lower the security of the network area where the affected device is located. Impact to individual organizations depends on many factors that are unique to each organization.”
These devices are used in so-called “harsh environments,” Siemens said, such as electric utility substations and traffic control cabinets.
Rupp said that two of the five vulnerabilities are most severe: an unrestricted file upload issue, and a server misconfiguration.
Rupp said he found two serious misconfigurations: one where the webserver fails to protect directory contents and publicly lists private data; and another where all running processes are executed from a root account.
“Using this weakness a malicious user gains significant access to further compromise the infrastructure,” Rupp said. “The ability to sniff or modify network traffic allows for multiple attacks, such as DoS, MitM, or session hijacking. This could put other devices that are located in the same network as a RX1000 device under threat.”
Rupp said that the file upload vulnerability results from a missing verification of uploaded content, and an absence of restrictions for accessing uploaded user data, meaning an attacker could upload malicious code unobstructed.
“This allows an attacker to drop scripts in the Webroot in order to execute arbitrary commands on the target host. Specifying the directory to upload was not strictly determined by the application but produced on client-side, which allows to control endpoints for file upload functionality,” Rupp said. “This issue is found in the affected scenario of the application which was available to users with limited access rights. As a consequence, an attacker is able to use this weakness to gain access to other internal hosts.”
Rupp also reported other issues, including an improper neutralization of input during webpage generation where 20 malicious inputs were processed without validation of special characters such as less-than signs or quote marks.
“These special characters will be interpreted as web-scripting elements that are processed by the browser. This leads to a possible implementation of Cross-Site Scripting attack (XSS). The XSS attack allows malicious user to execute arbitrary JavaScript code in a benign user’s browsing context and thereby get access to sensitive data,” Rupp said.
Rupp also found a path traversal vulnerability that allows an authenticated user to read arbitrary files through a web interface and access sensitive information, and a cross-site request forgery issue accessible through the same interface at TCP port 10000.
This article was updated March 29 with a comment from Siemens.