Full Report
The CLI feature in the web interface of RUGGEDCOM ROX II devices is vulnerable to cross-site request forgery (CSRF), which could allow an attacker to perform administrative actions if an authenticated user is tricked into accessing a malicious link. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: CSRF in RUGGEDCOM ROX II Web Interface CLI
## CVE Details
- **CVE ID:** CVE-2020-28398
- **CVSS Score:**
  - CVSS v3.1: 8.8 (High)
  - CVSS v4.0: 8.6 (High)
- **CWE:** CWE-352 (Cross-Site Request Forgery)
## Affected Systems
- **Products:** Siemens RUGGEDCOM ROX II family, including:
  - ROX MX5000 / MX5000RE
  - ROX RX1400
  - ROX RX1500 / RX1501 / RX1510 / RX1511 / RX1512
- **Versions:** All versions prior to V2.16.0.
- **Configurations:** Devices with the web interface and CLI feature enabled.
## Vulnerability Description
The Command Line Interface (CLI) feature within the web-based management interface of RUGGEDCOM ROX II devices does not verify that state-changing requests originate from its own pages, for example through an anti-CSRF token or a check of the request's Origin. An attacker can craft a malicious link or web page that, when visited by a user who is currently authenticated to the device, causes that user's browser to submit CLI commands to the device. Because the browser automatically attaches the session cookie, the device cannot distinguish the forged request from a legitimate administrative action and executes the commands with the victim's privileges.
## Exploitation
- **Status:** Proof-of-concept available (CVSS Exploit Maturity: Proof-of-Concept, E:P).
- **Complexity:** Low. No privileges are required of the attacker; the forged request runs with the privileges of the authenticated victim.
- **Attack Vector:** Network (Remote). Requires user interaction: the victim must open the attacker's link or page while logged in (UI:R in CVSS v3.1, UI:A in CVSS v4.0).
## Impact
- **Confidentiality:** High (Attacker can read device configurations).
- **Integrity:** High (Attacker can modify device configurations and perform administrative actions).
- **Availability:** High (Attacker could potentially disrupt services or shut down the device).
## Remediation
### Patches
Siemens recommends updating affected products to the following version or later:
- **RUGGEDCOM ROX II:** Update to **V2.16.0**
### Workarounds
- Access the web interface only from trusted networks.
- Ensure administrative users log out of the web interface immediately after use.
- Avoid browsing external websites or clicking links in a browser session while simultaneously logged into the RUGGEDCOM ROX II web interface.

These measures shrink the window in which a logged-in administrator can be tricked, but they do not add the missing origin check; only updating to V2.16.0 or later fixes the vulnerability.
## Detection
- **Indicators of Compromise:** Review device audit logs for unexpected configuration changes or administrative commands attributed to legitimate administrator accounts at times they did not perform such actions. Because a forged request is sent by the victim's own browser, it arrives from the administrator's usual IP address with a valid session, so source address alone does not separate it from genuine activity.
- **Detection Methods:** Vulnerability scanners, or a check of the firmware version, identify devices running releases earlier than V2.16.0; manual inspection of web traffic for CLI-related POST requests that carry no anti-CSRF token or whose Origin/Referer header is not the device's own.
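The two halves of the problem described above, the missing origin/token verification in the Vulnerability Description and the traffic inspection suggested under Detection, share the same request-parsing logic, so one added example covers both. This is illustrative code written for this page, not Siemens or RUGGEDCOM firmware: the endpoint path `/cli/exec`, the `session` cookie, the `x-csrf-token` header and the management address `192.0.2.10` are assumptions, and every sample request is constructed. `csrf_verdict` shows the checks a hardened handler applies (Origin/Referer must equal the device's own origin, and a per-session synchronizer token must match in constant time); `flag_csrf_candidates` runs the analyst's view over captured requests, flagging CLI POSTs that lack the token or carry a foreign Origin.

```python
"""Added example, not Siemens/RUGGEDCOM code: the origin and token checks a
hardened web-CLI handler should apply, plus a sweep over captured requests
that flags likely CSRF attempts. The endpoint path, cookie and header names
and the management address are assumptions; every sample request is constructed."""
import hmac
import secrets
from urllib.parse import urlsplit

DEVICE_ORIGIN = "https://192.0.2.10"   # assumed management origin of the device
CLI_PATH = "/cli/exec"                 # hypothetical web-CLI endpoint
TOKEN_HEADER = "x-csrf-token"          # hypothetical synchronizer-token header

# Server-side session store: session cookie value -> per-session CSRF token.
SESSIONS = {"s3ss10n": secrets.token_hex(16)}


def parse_request(raw):
    """Split minimal HTTP/1.1 request text into (method, path, headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def cookie_value(headers, name):
    """Return the named cookie from the Cookie header, or None if absent."""
    for part in headers.get("cookie", "").split(";"):
        key, _, value = part.strip().partition("=")
        if key == name:
            return value
    return None


def same_device_origin(url):
    """True only when scheme and host:port of url equal the device's own origin."""
    parts = urlsplit(url)
    return "{}://{}".format(parts.scheme, parts.netloc) == DEVICE_ORIGIN


def csrf_verdict(raw):
    """Decide whether a request to the CLI endpoint may run: 'allow' or a reason."""
    method, path, headers, _ = parse_request(raw)
    if method != "POST" or path != CLI_PATH:
        return "allow"                       # only state-changing CLI posts are gated
    session = cookie_value(headers, "session")
    if session not in SESSIONS:
        return "reject: no valid session"
    # Check 1: the browser-set Origin (Referer as fallback) must be the device itself.
    source = headers.get("origin") or headers.get("referer")
    if not source:
        return "reject: origin missing"
    if not same_device_origin(source):
        return "reject: cross-site origin"
    # Check 2: a per-session token the attacker's page cannot read, compared in
    # constant time so the comparison does not leak how many bytes matched.
    if not hmac.compare_digest(headers.get(TOKEN_HEADER, ""), SESSIONS[session]):
        return "reject: token missing or wrong"
    return "allow"


def make_request(origin=None, token=None, body="command=show+running-config"):
    """Build a constructed raw request that carries the victim's session cookie,
    exactly as the browser attaches it to both genuine and forged requests."""
    lines = ["POST {} HTTP/1.1".format(CLI_PATH), "Host: 192.0.2.10",
             "Cookie: session=s3ss10n",
             "Content-Type: application/x-www-form-urlencoded"]
    if origin:
        lines.append("Origin: " + origin)
    if token:
        lines.append("{}: {}".format(TOKEN_HEADER, token))
    return "\r\n".join(lines) + "\r\n\r\n" + body


# Constructed samples: one genuine request and two shapes a forged one can take.
LEGIT = make_request(origin=DEVICE_ORIGIN, token=SESSIONS["s3ss10n"])
FORGED_XSITE = make_request(origin="https://attacker.example")  # browser sets Origin
FORGED_NO_ORIGIN = make_request()                                # Origin suppressed


def flag_csrf_candidates(captures):
    """Detection view over captured traffic: indexes of CLI POSTs that lack the
    token header or carry a foreign Origin. Live token values are not needed."""
    flagged = []
    for idx, raw in enumerate(captures):
        method, path, headers, _ = parse_request(raw)
        if method != "POST" or path != CLI_PATH:
            continue
        origin = headers.get("origin")
        if TOKEN_HEADER not in headers or (origin and not same_device_origin(origin)):
            flagged.append(idx)
    return flagged


if __name__ == "__main__":
    for name, raw in (("genuine", LEGIT), ("forged, cross-site", FORGED_XSITE),
                      ("forged, no Origin", FORGED_NO_ORIGIN)):
        print("{:20} -> {}".format(name, csrf_verdict(raw)))
    print("flagged captures:", flag_csrf_candidates([LEGIT, FORGED_XSITE, FORGED_NO_ORIGIN]))
```

Two points worth noting when applying this to real captures. On firmware that predates the fix, no CLI POST carries a token at all, so the token check alone flags every request and the Origin/Referer comparison is the signal that separates forged from genuine traffic; a forged request with both headers suppressed is still caught by the handler because "origin missing" is rejected rather than allowed. Modern browsers also send a `Sec-Fetch-Site` header on cross-site requests, which can be added as a third check in the same place.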
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-384652.pdf
- **Siemens Product Support:** hxxps://support.industry.siemens[.]com/cs/ww/en/view/109821187/
- **Industrial Security Guidelines:** hxxps://www.siemens[.]com/cert/operational-guidelines-industrial-security