
Siemens has released a firmware update to address double free, out-of-bounds read, and uncontrolled resource consumption vulnerabilities in its RUGGEDCOM ROX II, according to a report from NCCIC.

Successful exploitation of these vulnerabilities could result in remote code execution and/or a denial-of-service condition.


RUGGEDCOM ROX II: All versions prior to v2.13.0 suffer from the remotely exploitable vulnerabilities that Siemens self-reported.

In one vulnerability, the shipped version of the Quagga BGP daemon (bgpd) can double free memory when processing certain forms of UPDATE messages, containing cluster-list and/or unknown attributes. A successful attack could cause a denial of service or allow an attacker to execute arbitrary code.


This vulnerability could be exploited by an attacker spoofing a malicious BGP UPDATE message within the network.

CVE-2018-5379 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.8.

In addition, the shipped version of the Quagga BGP daemon (bgpd) can overrun the internal BGP code-to-string conversion tables used for debug output by one pointer value, depending on the input it receives.

The vulnerability could be exploited by an attacker spoofing a malicious BGP code-point. Successful exploitation requires the attacker to be in the position of a configured, trusted BGP peer.

CVE-2018-5380 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 4.3.

Also, the shipped version of the Quagga BGP daemon (bgpd) has a bug in its parsing of “Capabilities” in BGP OPEN messages. The parser can enter an infinite loop on invalid capabilities, causing a denial of service.

The vulnerability could be exploited by an attacker spoofing a malicious BGP OPEN message. Successful exploitation requires the attacker to be in the position of a configured, trusted BGP peer.

CVE-2018-5381 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 7.5.
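The second and third issues above are two classic parser defects: a code-to-string table indexed without a strict bound check (one entry past the end is read), and a capability loop that stops making progress on malformed input. The C program below is an added illustration written for this summary; it is not Quagga's or Siemens' code and does not reproduce the bgpd implementation. It assumes the RFC 5492 capability TLV layout (one-byte code, one-byte length, value) and uses a small constructed subset of IANA capability codes; the sample byte strings are constructed, not captured traffic.

```c
#include <stdio.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Capability names keyed by IANA capability code. Sparse designated
 * initializers leave the unused slots NULL (illustrative subset only). */
static const char *const cap_names[] = {
    [1]  = "Multiprotocol Extensions",
    [2]  = "Route Refresh",
    [64] = "Graceful Restart",
    [65] = "4-octet AS Number",
};
#define CAP_NAMES_LEN (sizeof cap_names / sizeof cap_names[0])

/* Safe code-to-string lookup. The index must be strictly below the table
 * length; a test written as `code <= CAP_NAMES_LEN` would read one pointer
 * past the end, the off-by-one pattern the advisory describes for
 * CVE-2018-5380. */
const char *cap_code_to_str(unsigned code)
{
    if (code >= CAP_NAMES_LEN || cap_names[code] == NULL)
        return "unknown";
    return cap_names[code];
}

/* Walk the Capability TLVs (code:1, length:1, value:length; RFC 5492) in an
 * OPEN optional parameter. Returns the number of capabilities parsed, or -1
 * for malformed input. Each iteration advances `pos` by at least 2 bytes, so
 * a zero-length or unknown capability cannot stall the loop. */
int parse_capabilities(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int count = 0;

    while (pos < len) {
        if (len - pos < 2)               /* truncated TLV header */
            return -1;
        uint8_t code = buf[pos];
        uint8_t vlen = buf[pos + 1];
        if (vlen > len - pos - 2)        /* value runs past the buffer */
            return -1;
        printf("capability %u (%s), %u value byte(s)\n",
               code, cap_code_to_str(code), vlen);
        pos += 2 + (size_t)vlen;         /* always makes progress */
        count++;
    }
    return count;
}

/* Constructed sample payloads (not captured traffic). */
static const uint8_t sample_ok[] = {
    1, 4, 0, 1, 0, 1,            /* MP-BGP: AFI 1 (IPv4), SAFI 1 (unicast) */
    2, 0,                        /* Route Refresh, zero-length value */
    65, 4, 0, 0, 0xFD, 0xE8,     /* 4-octet AS: 65000 */
};
static const uint8_t sample_truncated[] = { 1, 4, 0, 1 }; /* claims 4 bytes, has 2 */

int main(void)
{
    printf("ok:        %d\n", parse_capabilities(sample_ok, sizeof sample_ok));
    printf("truncated: %d\n", parse_capabilities(sample_truncated, sizeof sample_truncated));
    printf("code 66:   %s\n", cap_code_to_str(66));
    return 0;
}
```

The two checks that matter are `code >= CAP_NAMES_LEN` (not `>`) on the lookup, and the unconditional `pos += 2 + vlen` so that a zero-length capability still consumes its header; a truncated TLV is rejected rather than silently re-read.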

The product is used mainly in the energy, healthcare and public health, and transportation systems sectors, and is deployed worldwide.

No known public exploits specifically target these vulnerabilities. However, an attacker with low skill level could leverage the vulnerabilities.

Siemens released firmware update v2.13.0 to fix these vulnerabilities. The firmware updates for RUGGEDCOM ROX-based devices can be obtained by contacting the RUGGEDCOM support team (login required).

Siemens identified the following specific workarounds and mitigations users can apply to reduce the risk:
• Disable the BGP routing service if not in use in your setup
• Configure BGP passwords to authenticate BGP neighbors

As a general security measure, Siemens recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to Siemens’ operational guidelines for Industrial Security, and following the recommendations in the product manuals.

Siemens provides additional information on Industrial Security on its website.

For more information on the vulnerabilities and more detailed mitigation instructions, please see Siemens Security Advisory SSA-451142.
