CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:M/Au:S/C:C/I:C/A:C
EPSS
Percentile: 80.7%
RuggedCom Rugged Operating System (ROS) contains a hard-coded user account with a predictable password.
RuggedCom Rugged Operating System (ROS), used in RuggedCom network infrastructure devices, contains a hard-coded user account named “factory” that cannot be disabled. The password for this account is based on the device’s MAC address and can be reverse engineered easily (CWE-261: Weak Cryptography for Passwords).
ROS also supports HTTP(S) and ssh services. In ROS 3.3.x, these services do not use the factory account. ROS does not appear to log successful or unsuccessful login attempts for the factory account.
More information is available in “Undocumented Backdoor Access to RuggedCom Devices” and RuggedCom’s security bulletin.
An attacker with knowledge of an ROS device’s MAC address may be able to gain complete administrative control of the device. The MAC address is displayed in the pre-authentication banner.
According to RuggedCom’s security bulletin, “Version 3.10.1 of the ROS® firmware with security related fixes will be released on Tuesday May 22, 2012 and can be obtained by emailing [email protected]. Other ROS® firmware versions containing the same security fixes (3.9.3, 3.8.5, 3.7.9 & 3.11.0) will be released over the next few weeks on a staggered basis as development and testing is completed.”
ICS-CERT Advisory ICSA-12-146-01A confirms that ROS version 3.10.1 is no longer affected, and that versions 3.9.3, 3.8.5, and 3.7.9 are now available.
Workarounds
ROS 3.3.x allows users to disable the rsh service and set the number of allowed telnet connections to 0. ROS 3.2.x does not allow the rsh or telnet services to be disabled.
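For fleet triage, the fixed versions and workarounds above can be turned into a per-device check. The following is an added example, not code from CERT/CC or RuggedCom; the hostnames and inventory rows are constructed, and it assumes firmware versions are reported as three dotted integers.

```python
# Added example: triage an ROS inventory against the fixed releases and
# workarounds listed in this note. Inventory rows are constructed sample data.

# Fixed releases named in the vendor bulletin, keyed by (major, minor) branch.
FIXED = {(3, 7): 9, (3, 8): 5, (3, 9): 3, (3, 10): 1, (3, 11): 0}

SAMPLE_INVENTORY = [  # constructed hostnames and versions
    ("sub-a-sw1", "3.8.4"),
    ("sub-a-sw2", "3.10.1"),
    ("sub-b-rtr1", "3.3.2"),
    ("sub-b-rtr2", "3.2.5"),
    ("lab-sw9", "unreadable"),
]


def parse_version(text):
    """Parse 'major.minor.patch' into a tuple of ints; raise ValueError otherwise."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised ROS version: {text!r}")
    return tuple(int(p) for p in parts)


def triage(version_text):
    """Return (status, action) for one device firmware version."""
    try:
        major, minor, patch = parse_version(version_text)
    except ValueError:
        return ("unknown", "verify firmware version manually")
    branch = (major, minor)
    if branch in FIXED:
        fixed = f"{major}.{minor}.{FIXED[branch]}"
        if patch >= FIXED[branch]:
            return ("fixed", f"at or above {fixed}")
        return ("affected", f"upgrade to {fixed}")
    if branch == (3, 3):
        return ("affected", "disable rsh; set allowed telnet connections to 0")
    if branch == (3, 2):
        return ("affected", "rsh/telnet cannot be disabled; no workaround in this note")
    return ("unknown", "branch not covered by this note")


def audit(inventory):
    """Map each hostname to its (status, action) pair."""
    return {host: triage(version) for host, version in inventory}


if __name__ == "__main__":
    for host, (status, action) in audit(SAMPLE_INVENTORY).items():
        print(f"{host:12} {status:9} {action}")
```

Devices reported as "unknown" are outside the branches this note names and need a manual check before being treated as safe.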
Notified: February 10, 2012 Updated: July 18, 2012
Affected
We have not received a statement from the vendor.
RuggedCom advises ROS 3.3.x users to disable the rsh service and set the number of allowed telnet connections to 0. This vulnerability is addressed in ROS versions 3.10.1, 3.9.3, 3.8.5, and 3.7.9.
Updated: April 24, 2012
Affected
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
RuggedCom was acquired by Siemens in March 2012.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23889195 Feedback>).
Group | Score | Vector |
---|---|---|
Base | 8.5 | AV:N/AC:M/Au:S/C:C/I:C/A:C |
Temporal | 7.3 | E:POC/RL:W/RC:C |
Environmental | 1.8 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND |
Thanks to Justin W. Clarke, an independent security researcher in San Francisco, California, for reporting this vulnerability. Thanks also to ICS-CERT for testing and additional coordination with RuggedCom.
This document was written by Michael Orlando and Art Manion.
CVE IDs: | CVE-2012-1803 |
---|---|
Date Public: | 2012-04-23 Date First Published: |
arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars
cwe.mitre.org/data/definitions/261.html
seclists.org/fulldisclosure/2012/Apr/277
www.ruggedcom.com/productbulletin/ros-security-page/
www.ruggedcom.com/products/index.php
www.ruggedcom.com/support/software/index.php
www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-116-01.pdf
www.us-cert.gov/control_systems/pdf/ICSA-12-146-01A.pdf
www.wired.com/threatlevel/2012/04/ruggedcom-backdoor/
www.us-cert.gov/control_systems/pdf/ICSA-12-146-01.pdf