Full Report
The SSH server on RUGGEDCOM ROS devices is configured to offer weak ciphers by default. This could allow an unauthorized attacker in a man-in-the-middle position to read and modify any data passed over the connection between legitimate clients and the affected device. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Weak SSH Ciphers in RUGGEDCOM ROS
## CVE Details
- CVE ID: CVE-2021-37209
- CVSS Score: 6.7 (Medium)
- CWE: CWE-326: Inadequate Encryption Strength (Implied by reliance on weak ciphers)
## Affected Systems
- Products: RUGGEDCOM ROS devices, including specific models like i800, i801, i802, i803, M2100, M2200, M969, RMC30, RMC8388 V4.X, RS416v2 V4.X, RS416Pv2 V4.X, RSG2100P (32M) V4.x and V5.x.
- Versions: RUGGEDCOM ROS V4.X family, specifically all versions **< V4.3.8** for the listed models leveraging V4.X firmware. (The advisory also mentions V5.X versions generally, but the primary concrete fix version cited is V4.3.8 relevant to V4.X affected products.)
- Configurations: Default configuration of the SSH server offering weak ciphers.
## Vulnerability Description
The SSH server on affected RUGGEDCOM ROS devices is configured by default to offer weak cryptographic ciphers. This weakness permits an unauthorized remote attacker in a man-in-the-middle (MITM) position to intercept the SSH traffic. Successfully exploiting this configuration weakness potentially allows the attacker to read sensitive data (confidentiality impact) and alter the data transmitted between legitimate clients and the device (integrity impact).
## Exploitation
- Status: Exploitability information suggests this is a known issue. The advisory mentions the exploitability parameter E:P (proof-of-concept exists), but this summary alone does not confirm widespread exploitation in the wild.
- Complexity: Medium. The CVSS vector indicates AC:H (Attack Complexity High), balanced by other factors, and AV:A (Attack Vector Adjacent), meaning the attacker needs access to a network segment adjacent to the target. The MITM positioning requires network access.
- Attack Vector: Adjacent Network (AV:A)
## Impact
- Confidentiality: Low (C:L) - Data can be read.
- Integrity: High (I:H) - Data can be modified.
- Availability: High (A:H) - Connection availability may be impacted through modification attacks.
## Remediation
### Patches
- **For RUGGEDCOM ROS V4.X family affected products (e.g., i800, i801, M2100, etc.):** Update to **V4.3.8 or later version**.
- Specific patch references provided by Siemens: [https://support.industry.siemens.com/cs/ww/en/view/109816735/](https://support.industry.siemens.com/cs/ww/en/view/109816735/) (Note: The advisory indicates specific fixes were released for V5.X as well; refer to the latest advisory for comprehensive version details.)
### Workarounds
The advisory recommends consulting the "Workarounds and Mitigations" section of the full advisory for further actions if immediate patching is not possible. (Specific details of workarounds are excluded as they were not present in the provided text context but should be sought from the vendor.)
## Detection
- Indicators of compromise (IoCs): Not explicitly detailed. Unexpected connection behavior in SSH sessions, or evidence of downgrading to weak ciphers, could be indicative.
- Detection methods and tools: Network monitoring tools capable of deep packet inspection may reveal the use of weak/outdated SSH ciphers during session establishment (key exchange/negotiation phase).
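
The negotiation-phase check described above can be done by parsing the cleartext SSH_MSG_KEXINIT packet (RFC 4253, section 7.1) that each side sends right after the version banner. The following is an added example, not code from Siemens or the advisory; the weak-cipher policy (CBC modes, RC4, `none`), the short field names, the helper names and the sample packet are assumptions made for illustration.

```python
import struct

# RFC 4253 section 7.1: the ten name-lists of SSH_MSG_KEXINIT, in wire order.
FIELDS = ("kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")
SSH_MSG_KEXINIT = 20

def is_weak_cipher(name):
    # Assumed local policy, not the advisory's list: CBC modes, RC4, "none".
    return name.endswith("-cbc") or name.startswith("arcfour") or name == "none"

def parse_kexinit(packet):
    """Parse one cleartext SSH binary packet that carries SSH_MSG_KEXINIT."""
    if len(packet) < 5:
        raise ValueError("truncated packet header")
    packet_len, pad_len = struct.unpack(">IB", packet[:5])
    if packet_len < 1 + pad_len or 4 + packet_len > len(packet):
        raise ValueError("bad packet or padding length")
    payload = packet[5:4 + packet_len - pad_len]
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, lists = 17, {}  # skip 1-byte message type and 16-byte cookie
    for field in FIELDS:
        size = int.from_bytes(payload[pos:pos + 4], "big")
        pos += 4
        if pos + size > len(payload):
            raise ValueError("name-list overruns payload")
        raw = payload[pos:pos + size].decode("ascii")
        lists[field] = raw.split(",") if raw else []
        pos += size
    return lists

def weak_ciphers_offered(packet):
    lists = parse_kexinit(packet)
    offered = lists["enc_c2s"] + lists["enc_s2c"]  # both directions
    return sorted({c for c in offered if is_weak_cipher(c)})

# Constructed sample input standing in for captured traffic (not from a real device).
def build_kexinit(name_lists):
    payload = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for names in name_lists:
        data = ",".join(names).encode("ascii")
        payload += struct.pack(">I", len(data)) + data
    payload += bytes(5)  # first_kex_packet_follows = 0, reserved = 0
    pad = 16 - (len(payload) + 5) % 8  # 9..16 bytes, total stays a multiple of 8
    return struct.pack(">IB", len(payload) + 1 + pad, pad) + payload + bytes(pad)

ENC = ["aes256-ctr", "aes128-cbc", "3des-cbc", "arcfour"]
SAMPLE = build_kexinit([["curve25519-sha256"], ["ssh-rsa"], ENC, ENC,
                        ["hmac-sha2-256"], ["hmac-sha2-256"], ["none"], ["none"], [], []])
```

Calling `weak_ciphers_offered(SAMPLE)` returns the flagged names; against live traffic, pass the first binary packet a server sends after its `SSH-2.0-...` banner line.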
## References
- Vendor Advisory: SSA-764417
- Siemens ProductCERT Advisories: hxxps://www.siemens.com/cert/advisories
- Patch/Download Link (General Reference): hxxps://support.industry.siemens.com/cs/ww/en/view/109816735/