RuggedCom released a new version of the Rugged Operating System (ROS) v3.12 which fixes security issues found in previous versions.
Coming on the heels of the release of the vulnerabilities, RuggedCom said the efforts to implement the improvements in functionality, reliability and security were considerably more than originally estimated as was the complexity of required changes. That is why RuggedCom decided to package this upgrade version of ROS as a major release designated as ROS 3.12.
The new version adds new features, including:
Advanced security for default keys: The ROS main firmware binary contains renewed default SSH keys and SSL certificates for SSH and SSL management access. These objects end up encrypted using strong cryptography and otherwise obfuscated within the binary file.
New SSL certificates and SSH keys can now generate via ROS or can upload to ROS by the administrator: ROS can generate SSL certificates and SSH keys by itself. Alternatively, the administrator can upload SSL certificates and SSH keys at any time, as required.
It is possible to disable guest and operator users: By configuring the user-name as an empty string, the default user with the ROS guest and operator access roles/privileges ends up disabled.
Support for multi-homed, dual port IEDs: Port security enhancements for multi-homed IEDs
Given the extent and complexity of the changes, it is not possible to back port these upgrades to previous versions of ROS, officials said. Users who want to implement the security updates will have to download and standardize on ROS 3.12.
As reported back in September, there was a hard-coded RSA SSL private key within RuggedCom’s Rugged Operating System (ROS). The vulnerability with proof-of-concept (PoC) exploit code first came out from security researcher Justin W. Clarke of Cylance Inc. According to this report, the remotely exploitable vulnerability can decrypt SSL traffic between an end user and a RuggedCom network device and result in a loss of system integrity.
After ICS-CERT notified them of the vulnerability, further analysis by RuggedCom found similar holes in the ROX (ROX I and ROX II) operating system firmware and the RuggedMax operating system firmware. A fix for the identified vulnerability in ROX is available. For the SSH service of RuggedMax, an interim mitigation for the identified vulnerability is also available.
The following products suffer from the issue:
• Devices using the ROS releases before and including ROS Main v3.11.0.
• ROX I OS firmware used by RX1000 and RX1100 series products. ROX I versions before and including ROX v1.14.5 are affected.
• ROX II OS firmware used by RX5000 and RX1500 series products. ROX II versions before and including ROX v2.3.0 are affected.
• RuggedMax Operating System Firmware used by the Win7000 and Win7200 base station units and the Win5100 and Win5200 subscriber (CPE) devices. All versions of the firmware released before and including 220.127.116.1121.22.
Clarke previously reported an attacker can identify the RSA Private PKI key for SSL communication between a client/user and a RuggedCom switch in the ROS. An attacker could use the key to decrypt management traffic and create malicious communication to a RuggedCom network device.