Full Report
Multiple vulnerabilities affect the RUGGEDCOM Operating System (ROS). The common denominator of all of them is the leak of confidential information. Siemens has released new versions for several affected products and recommends updating to the latest versions. For products where fixes are not available, or not yet available, Siemens recommends specific countermeasures.
Analysis Summary
# Vulnerability: Multiple Information Leakage and Privilege Assignment Flaws in RUGGEDCOM ROS
## CVE Details
- **CVE-2023-52237**: 8.8 (High) | CWE-497: Exposure of Sensitive System Information
- **CVE-2023-52238**: 4.3 (Medium) | CWE-200: Exposure of Sensitive Information
- **CVE-2024-38278**: 6.6 (Medium) | CWE-266: Incorrect Privilege Assignment
- **CVE-2024-39675**: 8.8 (High) | CWE-497: Exposure of Sensitive System Information
## Affected Systems
- **Products**: RUGGEDCOM ROS-based devices including i800, i801, i802, i803, M2100, M2200, M969, RMC30, RSG2100P, and various "NC" (No Crypto) variants.
- **Versions**:
  - ROS V4.X family: All versions < V4.3.10
  - ROS V5.X family: All versions < V5.9.0
- **Configurations**:
  - CVE-2024-38278: Systems with IP forwarding enabled.
  - CVE-2024-39675: Primarily affecting serial devices with Modbus enabled in non-managed VLANs.
  - CVE-2023-52238: Systems utilizing MACSEC encryption.
## Vulnerability Description
This advisory covers four distinct security flaws within the RUGGEDCOM Operating System:
1. **System Information Leak (CVE-2023-52237/CVE-2024-39675)**: High-severity flaws where sensitive system information or services (specifically Modbus) are wrongly exposed in non-managed VLANs or to unauthorized control spheres.
2. **MACSEC Key Leak (CVE-2023-52238)**: The system leaks the MACSEC key in clear text to any logged-in user. Even a low-privileged user can retrieve this key to decrypt Ethernet frames.
3. **Unauthorized Remote Shell (CVE-2024-38278)**: An incorrect privilege assignment when IP forwarding is enabled allows remote services to become available in non-managed VLANs, potentially allowing an attacker to establish a remote shell.
## Exploitation
- **Status**: PoC available (indicated by "E:P" in CVSS vectors); no reports of exploitation in the wild at this time.
- **Complexity**: Low (most CVEs) to Medium (CVE-2024-38278).
- **Attack Vector**:
  - Network: CVE-2023-52237, CVE-2023-52238, CVE-2024-38278
  - Adjacent: CVE-2024-39675
## Impact
- **Confidentiality**: High (Leaking of MACSEC keys and system-wide sensitive information).
- **Integrity**: High (Potential for remote shell access and unauthorized Modbus control).
- **Availability**: High (Ability to disrupt services via unauthorized access).
## Remediation
### Patches
Siemens recommends updating to the following versions:
- **ROS V4.X users**: Update to **V4.3.10** or later.
- **ROS V5.X users**: Update to **V5.9.0** or later.
### Workarounds
For systems where patches cannot be immediately applied:
- Disable IP Forwarding if not required (Mitigates CVE-2024-38278).
- Restrict access to non-managed VLANs.
- Disable unused remote services and Modbus services if not strictly necessary.
- Ensure the principle of least privilege for user accounts to limit MACSEC key exposure.
## Detection
- **Indicators of Compromise**: Monitor for unauthorized logins, unexpected remote shell connections, or Modbus traffic originating from non-managed VLANs.
- **Methods**: Audit device configuration for enabled IP forwarding and check user permission logs. Siemens ProductCERT provides ongoing advisories for monitoring these flaws.
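As an added illustration of the audit described above (not part of the Siemens advisory), the following script triages a device inventory against the version boundaries and configuration preconditions stated in this advisory. It assumes a simplified model: a device is exposed to a CVE when its ROS version is below the fixed release for its family and the feature named under Affected Systems (IP forwarding, Modbus, MACSEC) is enabled; the inventory entries and host names are constructed.

```python
import re

# Fixed releases from the advisory, keyed by ROS family (major version).
FIXED = {4: (4, 3, 10), 5: (5, 9, 0)}

# Configuration precondition per CVE, taken from the Affected Systems section.
# None means the advisory lists no gating configuration for that CVE.
# Simplification: Modbus "in non-managed VLANs" is reduced to "Modbus enabled".
CVE_CONDITIONS = {
    "CVE-2023-52237": None,
    "CVE-2023-52238": "macsec",
    "CVE-2024-38278": "ip_forwarding",
    "CVE-2024-39675": "modbus",
}

def parse_version(text):
    """Parse a ROS version string such as 'V4.3.9' or '5.8.1' into an int tuple."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised ROS version: {text!r}")
    return tuple(int(p) for p in m.groups())

def is_vulnerable_version(version):
    """True if the version is below the advisory's fixed release for its family."""
    v = parse_version(version)
    fixed = FIXED.get(v[0])
    if fixed is None:
        return False  # family not covered by this advisory; treat as out of scope
    return v < fixed

def exposed_cves(device):
    """Return the CVEs a device is exposed to, given its version and enabled features."""
    if not is_vulnerable_version(device["version"]):
        return []
    return [cve for cve, feature in CVE_CONDITIONS.items()
            if feature is None or device.get(feature, False)]

def triage(inventory):
    """Map each device name to the list of CVEs it is exposed to."""
    return {d["name"]: exposed_cves(d) for d in inventory}

# Constructed sample inventory (hypothetical hosts, not from the advisory).
INVENTORY = [
    {"name": "rsg2100p-a", "version": "V4.3.9", "ip_forwarding": True, "modbus": False, "macsec": True},
    {"name": "rsg2100p-b", "version": "V4.3.10", "ip_forwarding": True, "modbus": True, "macsec": True},
    {"name": "m2200-a", "version": "5.8.1", "ip_forwarding": False, "modbus": True, "macsec": False},
    {"name": "m2200-b", "version": "V5.9.0", "ip_forwarding": False, "modbus": True, "macsec": False},
]

if __name__ == "__main__":
    for name, cves in triage(INVENTORY).items():
        print(f"{name}: {', '.join(cves) if cves else 'not affected by SSA-170375'}")
```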
## References
- Siemens Advisory SSA-170375: hxxps://cert-portal[.]siemens[.]com/productcert/html/ssa-170375[.]html
- Siemens Support (Firmware Downloads): hxxps://support[.]industry[.]siemens[.]com/cs/ww/en/view/109972218/
- Siemens ProductCERT: hxxps://www[.]siemens[.]com/cert/advisories