Full Report
Ruggedcom Rox before v2.17.1 contains multiple third-party vulnerabilities. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Multiple Third-Party Vulnerabilities in Ruggedcom Rox
## CVE Details
- **CVE ID:** CVE-2025-49794, CVE-2025-49796 (Critical); CVE-2025-7425, CVE-2025-6020 (High); and others (see full list in advisory).
- **CVSS Score:** 9.8 (Critical), the highest base score among the CVEs covered by this cumulative advisory.
- **CWE:** Multiple, including CWE-825 (Expired Pointer Dereference), CWE-125 (Out-of-bounds Read), CWE-121 (Stack-based Buffer Overflow), and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer).
## Affected Systems
- **Products:**
  - RUGGEDCOM ROX II family
  - RUGGEDCOM ROX MX5000
- **Versions:** All versions before v2.17.1
- **Configurations:** Systems utilizing third-party components including libxml2, libxslt, GNU C Library (glibc), Linux PAM, Das U-Boot, and net-tools.
## Vulnerability Description
Ruggedcom ROX relies on several third-party software libraries and utilities that contain security flaws. The most critical vulnerabilities reside in **libxml2**; notable entries include:
- **CVE-2025-49794:** A use-after-free flaw during XPath parsing when using XML schematrons.
- **CVE-2025-49796:** Memory corruption when processing specific `sch:name` elements, leading to out-of-bounds reads.
- **CVE-2024-46333:** An out-of-bounds access in the **QEMU** Virtio-Net component.
- **CVE-2025-46836:** A stack-based buffer overflow in **net-tools** (ifconfig) via `/proc/net/dev` parsing.
## Exploitation
- **Status:** Not currently reported as exploited in the wild; however, several CVEs have known technical details that could facilitate PoC development.
- **Complexity:** Ranges from Low to High depending on the specific CVE.
- **Attack Vector:** Various (Network, Local, and Physical). The critical libxml2 flaws (CVE-2025-49794 and CVE-2025-49796) are exploitable via the **Network**.
## Impact
- **Confidentiality:** High (Potential for memory disclosure and sensitive data access).
- **Integrity:** High (Potential for unauthorized message tampering and memory corruption).
- **Availability:** High (Risk of DoS via system crashes, stack overflows, or heap corruption).
## Remediation
### Patches
- **Update to Ruggedcom ROX v2.17.1 or later.** Siemens has released these versions to specifically address the identified third-party vulnerabilities.
### Workarounds
- Siemens has not provided specific functional workarounds for these vulnerabilities. Users are strongly advised to apply the firmware update.
- General best practice: Ensure the device is only accessible via trusted networks and restrict access to management interfaces.
## Detection
- **Indicators of Compromise:** Unexpected system reboots, service crashes (specifically networking or XML processing services), or unauthorized privilege escalation attempts by local users.
- **Detection methods and tools:**
  - Audit system logs for `pam_namespace` errors or `assert()` failures.
  - Use vulnerability scanners to identify RUGGEDCOM devices running firmware versions prior to v2.17.1.
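As an added example (not part of the Siemens advisory), the two detection checks above expressed in Python: a firmware version comparison against the fixed release v2.17.1 that copes with prefixed or short version strings, and a scan of log lines for the `pam_namespace` and `assert()` indicators. The sample log lines and their format are constructed assumptions; real ROX log output may differ.

```python
"""Added example, not vendor code: version check and log indicator scan
matching the Detection section of the RUGGEDCOM ROX advisory summary."""
import re

FIXED_VERSION = (2, 17, 1)   # first release stated to contain the fixes

def parse_version(text: str) -> tuple:
    """Turn 'v2.16.3', '2.17' or 'ROX 2.17.1' into a comparable int tuple.
    Missing trailing components count as zero, so '2.17' sorts below '2.17.1'."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    # pad to at least the width of FIXED_VERSION so tuple comparison is safe
    return parts + (0,) * max(0, len(FIXED_VERSION) - len(parts))

def firmware_is_vulnerable(text: str) -> bool:
    """True when the reported firmware version is older than v2.17.1."""
    return parse_version(text) < FIXED_VERSION

# indicator patterns for the two log symptoms named in the advisory summary
INDICATORS = {
    "pam_namespace": re.compile(r"pam_namespace.*(error|fail)", re.I),
    "assert_failure": re.compile(r"\bassert\w*\b.*(fail|abort)", re.I),
}

def scan_logs(lines):
    """Return (line_number, indicator_name) for every line that matches."""
    hits = []
    for n, line in enumerate(lines, 1):
        for name, pat in INDICATORS.items():
            if pat.search(line):
                hits.append((n, name))
    return hits

# constructed sample log lines (assumed syslog-like format, not a real capture)
SAMPLE_LOG = [
    "Jan 01 00:00:01 rox sshd[100]: Accepted publickey for admin",
    "Jan 01 00:00:02 rox login[101]: pam_namespace(login:session): error setting up namespace",
    "Jan 01 00:00:03 rox xmlproc[102]: xpath.c:1234: Assertion `ctxt != NULL' failed.",
]

if __name__ == "__main__":
    print(firmware_is_vulnerable("v2.16.3"), firmware_is_vulnerable("2.17.1"))
    print(scan_logs(SAMPLE_LOG))
```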
## References
- **Vendor Advisory:** hxxps://cert-portal[.]siemens[.]com/productcert/pdf/ssa-577017[.]pdf
- **Siemens ProductCERT:** hxxps://www[.]siemens[.]com/cert/advisories