This advisory is a follow-up to the alert titled ICS-ALERT-12-116-01A RuggedCom Weak Cryptography for Password Vulnerability that was published April 27, 2012, on the ICS-CERT web page.
Independent researcher Justin W. Clarke identified a default backdoor user account with a weak password encryption vulnerability in the RuggedCom Rugged Operating System (ROS). RuggedCom has produced new firmware versions that resolve the reported vulnerability.
ICS-CERT has tested the new versions to confirm that they resolve the vulnerability. This vulnerability could be remotely exploited. Exploits that target this vulnerability are known to be publicly available.
RuggedCom RuggedSwitch or RuggedServer devices using the following versions of ROS are affected:
• 3.2.x and earlier, and
• 3.3.x and above
An attacker can use a simple publicly available script to generate the default password and gain administrative access to the unit.
Impact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
RuggedCom makes network equipment that is intended for deployment in harsh environments. Their products can be found in applications such as traffic control systems, railroad communications systems, power plants, electrical substations, and military sites.
Beyond Layer 2 and Layer 3 networking, these devices are also used for serial-to-IP conversion in SCADA systems, and they support MODBUS and DNP3 protocols.
WEAK CRYPTOGRAPHY FOR PASSWORDS: An undocumented backdoor account exists within all released versions of RuggedCom’s ROS. The username for the account, which cannot be disabled, is “factory,” and its password is dynamically generated based on the device’s MAC address.
CVE-2012-1803 has been assigned to this vulnerability. A CVSS v2 base score of 8.5 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:S/C:C/I:C/A:C).
EXPLOITABILITY: This vulnerability is exploitable remotely.
EXISTENCE OF EXPLOIT: Public exploits are known to target this vulnerability.
DIFFICULTY: An attacker with a low skill level would be able to exploit this vulnerability.
Version 3.10.1 of the ROS firmware with security-related fixes is now available and can be obtained from RuggedCom technical support at email@example.com. Other ROS firmware versions containing the same security fixes (3.9.3, 3.8.5, 3.7.9, and 3.11.0) will be released over the next few weeks on a staggered basis as development and testing are completed.
RuggedCom will release a product bulletin to notify customers when each of the new versions is available. To address security issues, the following changes are included in all the new ROS firmware versions:
• removal of factory account as referenced in ICS-ALERT-12-116-01A and NERC Alert A-2012-05-07-01,
• change of the default condition of insecure communication services to disabled,
• improved security for user account password storage,
• detection and alarm for weak password strength, and
• removal of device information from standard login banner.
Note: These new versions of the ROS firmware remove the factory account and the associated security vulnerability. Customers using these new versions of the firmware should take special care not to lose the user-defined password to a device’s administrative account, as recovering from a lost administrative password will now require physical access to the device to reset the passwords.
RuggedCom recommends that customers using ROS versions older than v3.7 upgrade to a newer version. If this is not possible, RuggedCom has indicated that they will address updates to older versions of the firmware on a case-by-case basis.
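The following added example (not part of the ICS-CERT or RuggedCom material) shows one way to triage a device inventory against the fixed releases named above. The inventory hostnames and version-string format are constructed, and treating later patch levels within a listed branch as fixed is an assumption.

```python
import re

# Fixed ROS releases named in this advisory, keyed by (major, minor) branch;
# the value is the patch level that carries the security fixes.
FIXED = {(3, 7): 9, (3, 8): 5, (3, 9): 3, (3, 10): 1, (3, 11): 0}
OLDEST_FIXED_BRANCH = min(FIXED)  # (3, 7)

def parse_ros_version(text):
    """Return (major, minor, patch) from strings such as 'ROS v3.8.4'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no ROS version found in {text!r}")
    return tuple(int(g) for g in m.groups())

def triage(version_text):
    """Classify one device's firmware against the advisory's fixed releases."""
    major, minor, patch = parse_ros_version(version_text)
    branch = (major, minor)
    if branch in FIXED:
        # Assumption: patch levels after the listed one keep the fix.
        return "fixed" if patch >= FIXED[branch] else "upgrade-in-branch"
    # Integer tuples compare numerically, so 3.10 sorts after 3.9
    # (a plain string comparison would get this wrong).
    if branch < OLDEST_FIXED_BRANCH:
        return "upgrade-to-newer-branch"  # older than v3.7: no fix listed
    return "not-listed"  # branch not named in the advisory; check with vendor

def triage_inventory(inventory):
    """Map each host to its triage status."""
    return {host: triage(version) for host, version in inventory.items()}

# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY = {
    "substation-a-sw1": "ROS v3.8.4",
    "substation-a-sw2": "ROS v3.10.1",
    "rail-yard-srv1": "ROS v3.6.2",
    "plant-b-sw7": "ROS v3.9.3",
    "plant-b-sw8": "ROS v3.10.0",
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:20} {SAMPLE_INVENTORY[host]:12} {status}")
```

Devices reported as "upgrade-in-branch" or "upgrade-to-newer-branch" still carry the factory account and should be prioritized for the firmware update.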
Siemens has issued security advisory “SSA-826381: Multiple Security Vulnerabilities in RuggedCom ROS-based Devices” regarding this vulnerability. It can be found on the Siemens ProductCERT advisory Web page.
The full ICS-CERT advisory can be found here: