RuggedCom has produced new firmware that removes an undocumented default (backdoor) user account with a weakly derived password from the Rugged Operating System (ROS).
ICS-CERT tested the new firmware versions and confirmed that they resolve the vulnerability, which was first identified by independent researcher Justin W. Clarke. The vulnerability is remotely exploitable, and exploit code that targets it is publicly available.
RuggedCom RuggedSwitch and RuggedServer devices running ROS versions 3.2.x and earlier, and 3.3.x and above, are affected; in practice this means every ROS release prior to the fixed firmware.
An attacker who knows a device's MAC address can use a simple, publicly available script to generate that device's default password and gain administrative access to the unit.
RuggedCom makes network equipment for deployment in harsh environments. Its products are used in applications such as traffic control systems, railroad communications systems, power plants, electrical substations, and military sites. Beyond Layer 2 and Layer 3 networking, these devices are also used for serial-to-IP conversion in SCADA systems, and they support the Modbus and DNP3 protocols.
An undocumented backdoor account exists in all released versions of RuggedCom's ROS. The account, named "factory", is enabled by default and cannot be disabled by the user; its password is generated dynamically from the device's MAC address, which is not a secret on any network the device is attached to. The vulnerability has been assigned CVE-2012-1803 and carries a CVSS v2 base score of 8.5.
Version 3.10.1 of the ROS firmware, which contains the security-related fixes, is now available from RuggedCom technical support at email@example.com. Other ROS firmware versions containing the same security fixes (3.9.3, 3.8.5, 3.7.9, and 3.11.0) will be released over the next few weeks on a staggered basis as development and testing wrap up. RuggedCom will issue a product bulletin to notify customers when each of the new versions is available.
To address the security issues, the following changes are included in all of the new ROS firmware versions:
• Removal of factory account
• Change default condition of insecure communication services to disabled
• Improve security for user account password storage
• Detection and alarm for weak password strength
• Removal of device information from standard login banner.
The new versions of the ROS firmware remove the factory account and with it the associated vulnerability. Customers running these versions should take special care not to lose the user-defined password for a device's administrative account: with the factory account gone there is no longer a fallback login, so recovering from a lost administrative password now requires physical access to the device to reset the passwords.
RuggedCom, which is owned and operated by Siemens, recommends that customers running ROS versions older than v3.7 upgrade to a newer version. Where this is not possible, RuggedCom has indicated that it will address updates to older firmware versions on a case-by-case basis.
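As an added illustration (not code from RuggedCom, Siemens, ICS-CERT, or this page), the following Python script triages a device inventory against the fixed releases named above, the check an operator would want to run across a fleet once the staggered releases land. It assumes ROS version strings of the form major.minor.patch (optionally prefixed with "v"), that any release on the same branch newer than the listed fix also contains it, and that anything newer than 3.11.0 does too; the device names and MAC addresses in the sample inventory are constructed. It deliberately does not reproduce the password derivation, which the page does not give.

```python
"""Triage RuggedCom ROS firmware versions against the fixed releases listed above.

Added example; not vendor or ICS-CERT code. Version strings are assumed to
look like "3.9.2" or "v3.9.2". Only the branches the release list names are
known; everything newer is *assumed* to carry the fix.
"""
import re
from typing import Dict, List, Tuple

# First firmware on each maintained 3.x branch that removes the "factory"
# account, per the release list above: 3.7.9, 3.8.5, 3.9.3, 3.10.1, 3.11.0.
FIRST_FIXED_PATCH: Dict[int, int] = {7: 9, 8: 5, 9: 3, 10: 1, 11: 0}
OLDEST_MAINTAINED_MINOR = 7  # vendor guidance: older than v3.7 -> upgrade

_VERSION_RE = re.compile(r"^\s*v?(\d+)\.(\d+)\.(\d+)\s*$")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse '3.9.2' / 'v3.9.2' into (3, 9, 2); reject anything else loudly."""
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised ROS version string: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return major, minor, patch


def triage(version: str) -> Tuple[str, str]:
    """Return (status, advice) for one ROS version string.

    status is 'fixed', 'vulnerable' or 'unsupported'.
    """
    major, minor, patch = parse_version(version)
    if major > 3:
        # Assumption: any later major line post-dates the 3.x fixes.
        return "fixed", "no action"
    if major < 3 or minor < OLDEST_MAINTAINED_MINOR:
        # Vendor handles pre-3.7 firmware case by case; the only safe
        # answer for a fleet is to plan an upgrade.
        return "unsupported", "upgrade to a maintained branch; vendor handles older firmware case by case"
    if minor > max(FIRST_FIXED_PATCH):
        # Assumption: 3.x branches newer than 3.11 include the fix.
        return "fixed", "no action"
    first_fixed = FIRST_FIXED_PATCH[minor]
    if patch >= first_fixed:
        return "fixed", "no action"
    return "vulnerable", f"upgrade to 3.{minor}.{first_fixed}"


def triage_inventory(lines: List[str]) -> Dict[str, Tuple[str, str]]:
    """Map device name -> (status, advice) for 'name mac version' inventory lines."""
    result: Dict[str, Tuple[str, str]] = {}
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # blank line or comment
        name, _mac, version = line.split()
        result[name] = triage(version)
    return result


# Constructed sample inventory: device names and MAC addresses are made up.
SAMPLE_INVENTORY = [
    "# name            mac                version",
    "rs900-sub-01      00:0a:dc:01:02:03  3.9.2",
    "rs900-sub-02      00:0a:dc:04:05:06  3.9.3",
    "rx1500-yard-01    00:0a:dc:07:08:09  3.6.4",
    "rs416-plant-01    00:0a:dc:0a:0b:0c  v3.10.1",
]

if __name__ == "__main__":
    for name, (status, advice) in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{name:16} {status:12} {advice}")
```

Because the fixed builds are released per branch rather than as one version number, a plain "is version >= X" comparison would misclassify, for example, 3.9.3 (fixed) as older than 3.10.0 (vulnerable); the per-branch table is what makes the check correct. Replace the sample list with the output of your own inventory tool and treat the "vulnerable" and "unsupported" rows as the devices still exposing the factory account.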
Siemens issued security advisory “SSA-826381: Multiple Security Vulnerabilities in RuggedCom ROS-based Devices” regarding this vulnerability.