Full Report
RUGGEDCOM ROS-based devices are vulnerable to a denial of service attack (Slowloris). When an attacker continuously sends partial HTTP requests and never completes them, the affected web server waits for the completion of each request, occupying all available HTTP connections. The web server recovers by itself once the attack ends. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens is preparing further fix versions and recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Denial of Service (Slowloris) in Siemens RUGGEDCOM ROS Devices
## CVE Details
- **CVE ID:** CVE-2022-39158
- **CVSS Score:** 5.3 (Medium)
- **CVSS Vector:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:P/RL:O/RC:C`
- **CWE:** CWE-400 (Uncontrolled Resource Consumption)
## Affected Systems
- **Products:** RUGGEDCOM ROS-based devices (M-Series, i800-Series, RS-Series, RSG-Series, RSL-Series, RMC-Series).
- **Versions:**
  - ROS V4.X family (e.g., i800, RS416v2, RSG2100P)
  - ROS V5.X family (e.g., RSG2488, RSG920P, RSL910)
  - Various "NC" (No Crypto) variants.
- **Configurations:** Devices with the web server enabled are susceptible to the attack.
## Vulnerability Description
Affected RUGGEDCOM ROS devices improperly handle partial HTTP requests. Under a **Slowloris** attack, a remote attacker sends a continuous stream of incomplete HTTP requests. The web server keeps these connections open, waiting for completion, which eventually exhausts the pool of available HTTP connections. This results in a Denial of Service (DoS) for the web management interface.
The device's core networking functions typically remain operational, and the web server recovers automatically once the attack traffic ceases.
## Exploitation
- **Status:** Proof of concept (PoC) available; not currently reported as exploited in the wild.
- **Complexity:** Low
- **Attack Vector:** Network
## Impact
- **Confidentiality:** None
- **Integrity:** None
- **Availability:** Low (Temporary loss of web management interface; device typically recovers after attack ends).
## Remediation
### Patches
Siemens recommends updating to the following versions:
- **ROS V4.X Products:** Update to **V4.3.8** or later.
- **ROS V5.X Products:** Update to **V5.6.0** or later.
*Note: For several "NC" (No Crypto) and legacy products (e.g., M969NC, M2200F), no fix is currently planned.*
### Workarounds
- **Disable Web Service:** Disable the HTTP/HTTPS server if management via web is not required.
- **Network Segmentation:** Restrict access to the device's management interface to trusted IP addresses or management VLANs only.
- **Firewall/IPS:** Use an external firewall or Intrusion Prevention System (IPS) capable of detecting and blocking Slowloris-style (low-and-slow) attacks.
## Detection
- **Indicators of Compromise:** Inability to reach the web management portal (connection refused or timeout errors) while the underlying industrial processes and routing continue to function.
- **Detection Methods:** Monitor network or firewall connection logs for many concurrent, long-lived HTTP connections from a single source that never complete a request.
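The detection method above, as an added example that is not part of the advisory or any Siemens tooling: it scores connection records exported from a firewall or flow sensor (the CSV layout, the field names, the thresholds and the sample addresses are all constructed for this illustration) and reports sources that hold many long-lived, nearly idle web-port connections that never completed an HTTP request.

```python
from collections import defaultdict
from dataclasses import dataclass

WEB_PORTS = {80, 443}   # management web server ports on the device

@dataclass
class Conn:
    src: str            # client address
    dst_port: int       # server port the client connected to
    duration_s: float   # how long the TCP connection stayed open
    client_bytes: int   # bytes the client sent over the connection's lifetime
    completed: bool     # whether a full HTTP request was ever received

def parse_conn_lines(lines):
    """Parse the constructed CSV export used below: src,dst_port,duration_s,client_bytes,completed."""
    conns = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, port, dur, nbytes, done = line.split(",")
        conns.append(Conn(src, int(port), float(dur), int(nbytes), done == "1"))
    return conns

def is_stalled(c, min_duration_s, max_bytes):
    """Low-and-slow pattern: web port, open a long time, almost no client data, never completed."""
    return (c.dst_port in WEB_PORTS and not c.completed
            and c.duration_s >= min_duration_s and c.client_bytes <= max_bytes)

def find_slowloris_sources(conns, min_conns=5, min_duration_s=30.0, max_bytes=512):
    """Return {source: stalled connection count} for sources holding >= min_conns of them."""
    stalled = defaultdict(int)
    for c in conns:
        if is_stalled(c, min_duration_s, max_bytes):
            stalled[c.src] += 1
    return {src: n for src, n in stalled.items() if n >= min_conns}

# Constructed sample (not from a real device): one source parks five idle
# connections for minutes; the rest is ordinary management traffic.
SAMPLE_LOG = """# src,dst_port,duration_s,client_bytes,completed
198.51.100.7,80,240.0,60,0
198.51.100.7,80,238.5,58,0
198.51.100.7,80,237.1,61,0
198.51.100.7,80,236.0,60,0
198.51.100.7,80,235.4,59,0
192.0.2.10,80,0.4,300,1
192.0.2.11,443,180.0,20000,1
192.0.2.12,80,90.0,40,0
""".splitlines()
```

Calling `find_slowloris_sources(parse_conn_lines(SAMPLE_LOG))` returns `{'198.51.100.7': 5}`; the long but completed download from 192.0.2.11 and the single stalled connection from 192.0.2.12 stay below the threshold.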
## References
- **Vendor Advisory:** hxxps://cert-portal.siemens[.]com/productcert/pdf/ssa-787941.pdf
- **Siemens ProductCERT:** hxxps://www.siemens[.]com/cert/advisories
- **Software Updates:** hxxps://support.industry.siemens[.]com/cs/ww/en/view/109816735/