Siemens created a firmware patch to mitigate multiple vulnerabilities in the RuggedCom Rugged OS (ROS), according to a report on ICS-CERT.
Leveraging these remotely exploitable vulnerabilities could permit an attacker to hijack an active Web session and access administrative functions on the devices without proper authorization, or allow unprivileged users to escalate their privileges.
RuggedCom devices running ROS firmware versions prior to v3.12.2 are affected.
RuggedCom is a unit of Siemens, an international company headquartered in Munich, Germany, whose products serve mainly the energy, healthcare and public health, and transportation sectors.
The affected products, RuggedCom switches and serial-to-Ethernet devices, connect devices that operate in harsh environments such as electric utility substations and traffic control cabinets.
The RuggedCom ROS-based integrated Web server on Port 443/TCP of the affected devices might allow attackers to guess the session ID of an active Web session and hijack it. The attacker must know the client IP address of the administrator.
CVE-2013-6925 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 8.3.
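As an added defender's example (not from the advisory or from Siemens), the following Python flags the access-log signature of the session-ID guessing described above: one client presenting many different session IDs that are all rejected within a short window. The log lines and their format are constructed for the example; the affected devices' own logging is not described here.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: access-log style lines from a device web UI with the
# presented session-ID cookie appended. The format is assumed, not RuggedCom's own.
SAMPLE_LOG = """\
10.0.0.5 [12/Jan/2014:10:00:01] "GET /admin HTTP/1.1" 200 sid=1000021
10.0.0.7 [12/Jan/2014:10:00:02] "GET /status HTTP/1.1" 403 sid=1000008
10.0.0.9 [12/Jan/2014:10:00:03] "GET /admin HTTP/1.1" 403 sid=1000001
10.0.0.9 [12/Jan/2014:10:00:03] "GET /admin HTTP/1.1" 403 sid=1000002
10.0.0.9 [12/Jan/2014:10:00:04] "GET /admin HTTP/1.1" 403 sid=1000003
10.0.0.9 [12/Jan/2014:10:00:04] "GET /admin HTTP/1.1" 403 sid=1000004
10.0.0.9 [12/Jan/2014:10:00:05] "GET /admin HTTP/1.1" 403 sid=1000005
10.0.0.9 [12/Jan/2014:10:00:05] "GET /admin HTTP/1.1" 403 sid=1000006
10.0.0.7 [12/Jan/2014:10:00:09] "GET /login HTTP/1.1" 200 sid=1000030
"""

LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] "[^"]*" (\d{3}) sid=(\S+)$')
TS_FMT = "%d/%b/%Y:%H:%M:%S"


def parse(lines):
    """Yield (client_ip, timestamp, status, session_id) for each well-formed line."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ip, ts, status, sid = m.groups()
            yield ip, datetime.strptime(ts, TS_FMT), int(status), sid


def find_session_guessing(lines, window=timedelta(seconds=60), min_distinct=5):
    """Return {client_ip: max distinct rejected session IDs in any window} for
    clients that cycled through >= min_distinct different session IDs and were
    rejected (4xx) within `window`: the signature of session-ID guessing."""
    rejected = defaultdict(list)
    for ip, ts, status, sid in parse(lines):
        if 400 <= status < 500:
            rejected[ip].append((ts, sid))
    flagged = {}
    for ip, events in rejected.items():
        events.sort()
        best = 0
        for i, (start, _) in enumerate(events):
            in_window = {sid for ts, sid in events[i:] if ts - start <= window}
            best = max(best, len(in_window))
        if best >= min_distinct:
            flagged[ip] = best
    return flagged
```

Since the advisory notes the attacker must know the administrator's client IP, a flagged source that matches an administrator's usual address deserves particular attention.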
The RuggedCom ROS-based integrated Web server on Port 443/TCP of the affected devices might allow attackers with unprivileged accounts (guest or operator) to perform limited administrative operations over the network.
CVE-2013-6926 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 8.0.
While no known public exploits specifically target these vulnerabilities, an attacker with low to moderate skill would be able to exploit them.
The update, RuggedCom ROS V3.12.2, resolves the vulnerabilities. Asset owners and operators should contact Siemens customer support to acquire the update.
Siemens has published a security advisory for these vulnerabilities. For Siemens update information, you can email the RuggedCom support team.