Full Report
RUGGEDCOM ROS-based devices are vulnerable to a denial of service attack (Slowloris). By sending partial HTTP requests nonstop, with none ever completed, an attacker causes the affected web servers to wait for the completion of each request, occupying all available HTTP connections. The web server recovers by itself once the attack ends. Siemens has released updates for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Denial of Service (Slowloris) in Siemens RUGGEDCOM ROS
## CVE Details
- **CVE ID:** CVE-2022-39158
- **CVSS Score:** 5.3 (Medium) base score; the temporal metrics in the vector (E:P/RL:O/RC:C) bring the temporal score to 4.8
- **CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C
- **CWE:** CWE-400: Uncontrolled Resource Consumption
## Affected Systems
- **Products:** RUGGEDCOM ROS-based devices (RMC, RS, and RSG series)
- **Versions:**
- Models with a fix: all versions prior to V5.6.0.
- "NC" (No Crypto) variants: all versions; no fixed version is planned for these.
- **Configurations:** Devices with the HTTP/HTTPS web server enabled for management.
**Specific Affected Models:**
- RUGGEDCOM RMC8388 (V5.x)
- RUGGEDCOM RS416/RS416P (v2)
- RUGGEDCOM RS900 / RS900G (32M) (V5.x)
- RUGGEDCOM RSG907R, RSG908C, RSG909R
- **No Fix Planned (NC models):** RMC8388NC, RS416NC v2, RS416PNC v2, RS900GNC(32M), RS900NC(32M).
## Vulnerability Description
Affected RUGGEDCOM devices improperly handle partial HTTP requests, making them susceptible to a **Slowloris** attack. By sending a continuous stream of incomplete HTTP headers, an attacker can keep connection slots open indefinitely. Because the web server waits for these requests to complete, it eventually exhausts the maximum number of concurrent HTTP connections, preventing legitimate users from accessing the web management interface.
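To make the mechanism concrete, here is an added illustrative model of the condition described above. It is not code from the Siemens advisory or from ROS firmware; the fixed-size connection pool, the peer addresses and the request bytes are constructed assumptions. A request head is only complete once the server sees the empty line (`\r\n\r\n`) that terminates the headers; every connection that never sends it holds a slot until the client goes away.

```python
"""Model of Slowloris connection-slot exhaustion (illustrative only, not ROS code)."""
from dataclasses import dataclass, field

HEADER_END = b"\r\n\r\n"


def request_head_complete(buf: bytes) -> bool:
    """An HTTP/1.x request head ends with an empty line; until it arrives the
    server cannot dispatch the request and must keep waiting on the socket."""
    return HEADER_END in buf


@dataclass(eq=False)
class Conn:
    peer: str
    buf: bytes = b""


@dataclass
class WebServer:
    """Web server with a fixed number of concurrent HTTP connections and no
    header-read timeout, which is the behaviour the advisory describes."""
    max_conns: int
    conns: list = field(default_factory=list)
    served: int = 0

    def accept(self, peer: str):
        if len(self.conns) >= self.max_conns:
            return None  # pool exhausted: the new client is refused
        conn = Conn(peer)
        self.conns.append(conn)
        return conn

    def feed(self, conn: Conn, data: bytes) -> None:
        conn.buf += data
        if request_head_complete(conn.buf):
            self.served += 1
            self.conns.remove(conn)  # slot is freed only when the request completes

    def close(self, conn: Conn) -> None:
        if conn in self.conns:
            self.conns.remove(conn)


# Constructed request fragments: the partial one never sends the blank line.
PARTIAL_REQUEST = b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: slow\r\n"
KEEPALIVE_HEADER = b"X-a: b\r\n"  # extra header fragment, still no terminator
FULL_REQUEST = b"GET / HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n"


def run_scenario(max_conns: int = 8, attackers: int = 8, rounds: int = 3) -> dict:
    """Open `attackers` partial connections against a pool of `max_conns`, then
    check whether a legitimate client can get through before, during and after."""
    server = WebServer(max_conns=max_conns)

    def legit_can_connect() -> bool:
        conn = server.accept("198.51.100.4")
        if conn is None:
            return False
        server.feed(conn, FULL_REQUEST)  # completes and frees its slot at once
        return True

    before = legit_can_connect()

    slow_conns = [server.accept(f"203.0.113.{i + 1}") for i in range(attackers)]
    for conn in slow_conns:
        server.feed(conn, PARTIAL_REQUEST)
    for _ in range(rounds):  # attacker trickles header fragments to keep sockets alive
        for conn in slow_conns:
            server.feed(conn, KEEPALIVE_HEADER)

    during = legit_can_connect()

    for conn in slow_conns:  # attack stops: peers disconnect, pool drains
        server.close(conn)
    after = legit_can_connect()

    return {"before": before, "during": during, "after": after,
            "held_slots_during_attack": attackers, "served": server.served}


if __name__ == "__main__":
    print(run_scenario())
```

The model reproduces the two observable facts from the advisory: while the partial connections are held open no new HTTP client is admitted, and the server recovers on its own as soon as the attacking connections close, because the slots were never leaked, only occupied.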
## Exploitation
- **Status:** Proof of Concept (PoC) exploit code is known to exist; the CVSS vector records this as E:P (Exploit Code Maturity: Proof-of-Concept), with RL:O (an official fix is available) and RC:C (report confidence: confirmed).
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** Low (Web server is unresponsive during the attack but recovers automatically once the attack ceases).
## Remediation
### Patches
Siemens recommends updating to **ROS V5.6.0** or later on the affected models for which a fix is provided. No fixed version is planned for the NC (No Crypto) variants listed above; those devices depend on the workarounds below.
- Download link: hxxps://support.industry.siemens.com/cs/ww/en/view/109806156/
### Workarounds
For devices where no fix is planned or for those unable to update immediately:
- Disable the web-based management interface if not required.
- Use firewall rules or Access Control Lists (ACLs) to restrict access to port 80/TCP and 443/TCP to known, trusted IP addresses. This limits who can reach the web server but does not remove the underlying condition: any host allowed through the ACL can still trigger it, so restrict the management interface to a dedicated management network rather than to broad address ranges.
## Detection
- **Indicators of an attack in progress:** Inability to access the web management interface (connections refused or hanging on 80/TCP or 443/TCP) while the device remains responsive to other traffic (e.g., Ping, SNMP, or industrial protocols). Because the server recovers on its own, the symptom disappears when the attack stops, which can be mistaken for an intermittent management-network fault.
- **Detection Methods:** Monitor traffic to the device's web ports for many concurrent, long-lived TCP connections that have each sent only a partial request head (no terminating empty line) and a small number of bytes, typically with further header fragments trickled in at intervals to keep the socket alive. Count these per source address, but also watch the share of all web connections that are incomplete, since an attacker can spread the connections across several sources.
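As an added example of the detection logic just described (not part of the Siemens advisory), the following scores constructed per-connection records of the kind a network sensor or connection log would provide. The record fields, thresholds, and addresses are assumptions chosen for illustration; tune the thresholds to the size of the device's real connection pool.

```python
"""Flag Slowloris-pattern connections from constructed per-connection records."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class ConnRecord:
    src: str              # client address
    dst_port: int         # server port on the device
    age_s: float          # seconds the connection has been open
    client_bytes: int     # bytes sent by the client so far
    head_complete: bool   # True once a full request head (\r\n\r\n) has been seen

WEB_PORTS = (80, 443)


def is_slow_partial(r: ConnRecord, min_age_s: float, max_bytes: int) -> bool:
    """A connection that has been open for a while, has never completed a
    request head and has sent very little: the Slowloris signature."""
    return (r.dst_port in WEB_PORTS and not r.head_complete
            and r.age_s >= min_age_s and r.client_bytes <= max_bytes)


def slowloris_suspects(records: Iterable[ConnRecord], min_age_s: float = 30.0,
                       min_conns: int = 5, max_bytes: int = 2048) -> Dict[str, int]:
    """Per-source count of slow partial connections, keeping sources at or
    above `min_conns`. Returns {src: count}."""
    counts: Dict[str, int] = {}
    for r in records:
        if is_slow_partial(r, min_age_s, max_bytes):
            counts[r.src] = counts.get(r.src, 0) + 1
    return {src: n for src, n in counts.items() if n >= min_conns}


def incomplete_fraction(records: Iterable[ConnRecord], min_age_s: float = 30.0) -> float:
    """Share of all web connections that are aged and still incomplete. This
    catches a distributed attack where no single source crosses the per-source
    threshold; a healthy pool should sit near zero."""
    web = [r for r in records if r.dst_port in WEB_PORTS]
    if not web:
        return 0.0
    stuck = [r for r in web if not r.head_complete and r.age_s >= min_age_s]
    return len(stuck) / len(web)


# Constructed sample: one source holding six partial connections, a normal
# client that completed its request, a large in-progress upload, and an
# unrelated SSH session that must be ignored.
SAMPLE: List[ConnRecord] = [
    ConnRecord("203.0.113.7", 80, 45.0, 150, False),
    ConnRecord("203.0.113.7", 80, 60.0, 180, False),
    ConnRecord("203.0.113.7", 80, 75.0, 210, False),
    ConnRecord("203.0.113.7", 80, 90.0, 240, False),
    ConnRecord("203.0.113.7", 80, 105.0, 270, False),
    ConnRecord("203.0.113.7", 80, 120.0, 300, False),
    ConnRecord("198.51.100.4", 443, 2.0, 300, True),
    ConnRecord("198.51.100.9", 80, 40.0, 5000, False),
    ConnRecord("203.0.113.7", 22, 600.0, 4096, False),
]


if __name__ == "__main__":
    print(slowloris_suspects(SAMPLE))
    print(f"{incomplete_fraction(SAMPLE):.3f}")
```

The per-source count is the high-confidence signal; the incomplete fraction is noisier (a slow legitimate upload also counts) but is what you would alert on when the per-source count stays flat yet the management page is unreachable.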
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens.com/productcert/pdf/ssa-459643.pdf
- **Siemens ProductCERT:** hxxps://www.siemens.com/cert/advisories
- **CVSS Calculator:** hxxps://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C