CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:N/C:P/I:P/A:P
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS
Percentile: 69.7%
**ATTENTION:** Remotely exploitable/low skill level to exploit.
Vendor: Siemens
Equipment: RUGGEDCOM ROX I
Vulnerabilities: Improper Authorization, Cross-Site Scripting, and Cross-Site Request Forgery
Siemens reports that the vulnerability affects the following RUGGEDCOM VPN endpoints and firewall devices:
These devices are affected by several vulnerabilities which could potentially allow attackers to perform actions with administrative privileges.
Siemens recommends the following mitigations:
<https://support.industry.siemens.com/cs/ww/en/view/109746106>
The mitigation tool for the affected ROX I-based products can be obtained from Siemens by doing one of the following:
<https://www.siemens.com/automation/support-request>
<https://w3.siemens.com/aspa_app/>
As a general security measure, Siemens strongly recommends protecting network access to the web interface at Port 10000/TCP of ROX I-based devices with appropriate mechanisms and configuring the environment according to Siemens' operational guidelines in order to run the devices in a protected IT environment:
<https://www.siemens.com/cert/operational-guidelines-industrial-security>
For more information on these vulnerabilities and detailed instructions, please see Siemens Security Advisory SSA-327980 at the following location:
<http://www.siemens.com/cert/advisories/>
NCCIC/ICS-CERT recommends that users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available in the ICS-CERT Technical Information Paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT web site.
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.
In addition, ICS-CERT recommends that users take the following measures to protect themselves from social engineering attacks:
No known public exploits specifically target these vulnerabilities.
An authenticated user could read arbitrary files through the web interface at Port 10000/TCP and access sensitive information.
CVE-2017-2686 has been assigned to this vulnerability. A CVSS v3 base score of 6.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
The integrated web server at Port 10000/TCP is prone to reflected Cross-Site Scripting attacks if an unsuspecting user is induced to click on a malicious link.
CVE-2017-2687 has been assigned to this vulnerability. A CVSS v3 base score of 6.1 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
The integrated web server at Port 10000/TCP could allow remote attackers to perform actions with the privileges of an authenticated user, provided the targeted user has an active session and is induced to click on a malicious link or visits a malicious web site.
CVE-2017-2688 has been assigned to this vulnerability. A CVSS v3 base score of 7.6 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:L).
An authenticated user could bypass access restrictions in the web interface at Port 10000/TCP to obtain privileged file system access or change configuration settings.
CVE-2017-2689 has been assigned to this vulnerability. A CVSS v3 base score of 8.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
The integrated web server at Port 10000/TCP could allow an authenticated user to perform stored Cross-Site Scripting attacks.
CVE-2017-6864 has been assigned to this vulnerability. A CVSS v3 base score of 6.4 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).
Maxim Rupp reported these vulnerabilities directly to Siemens.
**Critical Infrastructure Sectors:** Energy, Healthcare, and Transportation
Countries/Areas Deployed: Worldwide
**Company Headquarters Location:** Germany