Full Report
The latest update for RUGGEDCOM ROS devices fixes a buffer overflow vulnerability in a third-party component that could allow an attacker with network access to an affected device to achieve remote code execution. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Buffer Overflow in RUGGEDCOM ROS DHCP Client
## CVE Details
- **CVE ID:** CVE-2021-31895
- **CVSS Score:** 8.1 (High)
- **CWE:** CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
## Affected Systems
- **Products:** RUGGEDCOM ROS-based devices (switches and serial-to-Ethernet devices).
- **Versions:**
  - RUGGEDCOM ROS V4.X family (including i800, i801, i802, i803, M2100, M2200, M969, RMC30, RMC8388)
  - All versions prior to V4.3.7 are affected.
  - Specific models added in updates: RS416P, RS416Pv2, RS1600, RS1600F, RS1600T, RSG2100PNC (32M), and RST2228P.
- **Configurations:** Devices utilizing the DHCP client component to receive network configurations.
## Vulnerability Description
The internal DHCP client in affected RUGGEDCOM ROS devices does not properly validate incoming DHCP packets. This "Classic Buffer Overflow" (CWE-120) occurs because the length of the input data is not checked before it is copied into memory. An attacker on the network can send specially crafted DHCP responses that overwrite memory on the device.
## Exploitation
- **Status:** PoC available (indicated by the CVSS temporal metric "Exploit Code Maturity: Functional" [E:F]). The advisory does not mention active exploitation in the wild.
- **Complexity:** High (the attacker must be positioned and timed to intercept or answer the device's DHCP requests).
- **Attack Vector:** Network (Unauthenticated).
## Impact
- **Confidentiality:** High (Potential for Remote Code Execution/data access).
- **Integrity:** High (Potential for unauthorized system modification).
- **Availability:** High (Potential for device crash or total takeover).
## Remediation
### Patches
- **RUGGEDCOM ROS V4.X:** Update to version **V4.3.7** or later.
  - Downloads can be found at: hxxps[:]//support[.]industry[.]siemens[.]com/cs/ww/en/view/109799880/
### Workarounds
- **Disable DHCP:** If possible, use static IP configurations to prevent the DHCP client from processing malicious packets.
- **Network Segmentation:** Restrict DHCP traffic to trusted segments or implement DHCP snooping on intermediate switches to block unauthorized DHCP server responses.
## Detection
- **Indicators of Compromise:** Unexpected device reboots, memory corruption errors in system logs, or unauthorized DHCP traffic originating from non-standard servers.
- **Detection methods:** Use Intrusion Detection Systems (IDS) to monitor for malformed DHCP options or oversized DHCP packets targeted at RUGGEDCOM devices.
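The checks an IDS rule or packet-capture triage script would apply to the DHCP option layout described above (truncated or oversized option TLVs, missing END option), written as an added illustration for the vulnerability description and the detection guidance; this is not code from Siemens, the advisory, or RUGGEDCOM ROS, and the per-option size limits in `MAX_OPTION_LEN` and the sample packets are constructed assumptions, not ROS values:

```python
# RFC 2132 layout: 236-byte BOOTP header, 4-byte magic cookie, then option TLVs.
DHCP_MAGIC = b"\x63\x82\x53\x63"
FIXED_HEADER_LEN = 236

# Upper bounds a client might reasonably accept for variable-length options it
# stores in fixed fields. These are assumptions for this checker, not ROS limits.
MAX_OPTION_LEN = {12: 64, 15: 64, 43: 64}   # host name, domain name, vendor-specific


def check_dhcp_options(pkt):
    """Walk the option TLVs of a DHCP message; return a list of findings (empty = well-formed)."""
    findings = []
    if len(pkt) < FIXED_HEADER_LEN + 4 or pkt[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != DHCP_MAGIC:
        return ["missing BOOTP header or magic cookie"]
    i = FIXED_HEADER_LEN + 4
    saw_end = False
    while i < len(pkt):
        code = pkt[i]
        if code == 0:            # PAD: single byte, no length field
            i += 1
            continue
        if code == 255:          # END: nothing after this is option data
            saw_end = True
            break
        if i + 1 >= len(pkt):
            findings.append("option %d: truncated, length byte missing" % code)
            break
        length = pkt[i + 1]
        if i + 2 + length > len(pkt):
            # The declared length would make a copying client read past the packet.
            findings.append("option %d: declared length %d runs past end of packet" % (code, length))
            break
        limit = MAX_OPTION_LEN.get(code)
        if limit is not None and length > limit:
            findings.append("option %d: length %d exceeds expected maximum %d" % (code, length, limit))
        i += 2 + length
    if not saw_end:
        findings.append("no END option (255) before end of packet")
    return findings


def build_offer(options):
    """Constructed sample: zeroed BOOTP header + magic cookie + the given option bytes."""
    return bytes(FIXED_HEADER_LEN) + DHCP_MAGIC + options


# Constructed samples: a normal OFFER, one with a 200-byte host name, one cut off mid-option.
BENIGN = build_offer(bytes([53, 1, 2, 12, 4]) + b"host" + bytes([255]))
OVERSIZED = build_offer(bytes([53, 1, 2, 12, 200]) + b"A" * 200 + bytes([255]))
TRUNCATED = build_offer(bytes([53, 1, 2, 15, 40]) + b"example.com")

if __name__ == "__main__":
    for name, pkt in [("benign", BENIGN), ("oversized", OVERSIZED), ("truncated", TRUNCATED)]:
        print(name, check_dhcp_options(pkt) or "ok")
```

Feed captured DHCP payloads (UDP port 67/68) to `check_dhcp_options` and alert on any non-empty result from a server address not on the trusted list.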
## References
- **Vendor Advisory:** SSA-373591
- **Siemens ProductCERT:** hxxps[:]//cert-portal[.]siemens[.]com/productcert/pdf/ssa-373591[.]pdf
- **Industrial Security Guidelines:** hxxps[:]//www[.]siemens[.]com/cert/operational-guidelines-industrial-security