Full Report
RUGGEDCOM ROS-based devices are vulnerable to a web-based code injection attack. To execute this attack, it is necessary to access the system via the Command Line Interface (CLI). Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Web-Based Code Injection in RUGGEDCOM ROS
## CVE Details
- **CVE ID:** CVE-2022-34663
- **CVSS Score:** 8.0 (High)
- **CWE:** CWE-94: Improper Control of Generation of Code ('Code Injection')
## Affected Systems
- **Products:** Siemens RUGGEDCOM ROS-based devices (Switches and Serial-to-Ethernet devices).
- **Versions:**
  - **ROS V4.X Family:** Most versions < V4.3.8 (e.g., i800, i800NC, i801NC, i802NC, i803NC, M2100NC).
  - **Legacy/Other Models:** RUGGEDCOM M969F, M2100F, M2200F (All versions).
  - **Note:** The advisory also lists V5.X variants for specific models like RS416 and RSG2100P.
- **Configurations:** The vulnerability is triggered through the web interface but requires initial access to the system via the Command Line Interface (CLI).
## Vulnerability Description
Affected devices are susceptible to a web-based code injection attack via the console (CLI). An attacker with CLI access can inject malicious code into the web server. This code is executed when legitimate users access specific web resources on the device, potentially leading to the hijacking of user sessions or execution of malicious actions in the context of the victim's browser.
## Exploitation
- **Status:** Proof of Concept (PoC) available (CVSS Exploit Code Maturity: Functional/Proven).
- **Complexity:** Low
- **Attack Vector:** Network (Note: While categorized as Network, the attack chain requires specific prerequisites involving CLI access followed by a user interacting with the web UI).
## Impact
- **Confidentiality:** High (Potential theft of session tokens or sensitive data).
- **Integrity:** High (Modification of device settings or web content).
- **Availability:** High (Potential to disrupt web management services).
## Remediation
### Patches
Siemens recommends updating to the following versions or later:
- **ROS V4.X Devices:** Update to **V4.3.8** or later.
- Specific update links can be found via Siemens Industry Online Support: hxxps[://]support[.]industry[.]siemens[.]com/cs/ww/en/view/109816735/
### Workarounds
For devices where no fix is currently planned (e.g., M969F, M2100F, M2200F):
- **Disable Web Interface:** If the web-based management is not required, disable it and use only CLI-based management.
- **Restrict Access:** Use firewalls or ACLs to restrict access to the CLI and web interface to trusted administrative networks only.
- **Session Hygiene:** Ensure administrators log out of the web interface immediately after use and do not browse other sites while managing the device.
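
The version and model rules above can be applied to an asset inventory to decide which devices need the update and which need the workarounds. The following is an added example, not Siemens code: the inventory rows are constructed, the status labels and function names are assumptions, and it encodes only the thresholds stated in this summary (the vendor advisory remains authoritative for per-model applicability).

```python
import re

FIXED_V4 = (4, 3, 8)  # fixed ROS V4.X release named in this summary
NO_FIX_MODELS = {"M969F", "M2100F", "M2200F"}  # listed as "All versions"

def parse_version(text):
    """Turn 'V4.3.7' or 'v4.3' into a tuple of ints; return None if unparseable."""
    m = re.fullmatch(r"\s*[vV]?(\d+(?:\.\d+)*)\s*", text or "")
    if not m:
        return None
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # pad so 'V4.3' compares as 4.3.0

def triage(model, version_text):
    """Classify one device; status labels are hypothetical, chosen for this example."""
    model = model.upper().replace("RUGGEDCOM", "").strip()
    if model in NO_FIX_MODELS:
        return "workaround"        # affected regardless of firmware version
    version = parse_version(version_text)
    if version is None:
        return "unknown"           # never assume a device is safe on bad data
    if version[0] == 4:
        # "Most versions < V4.3.8" are affected, so treat every older V4.X
        # device as a candidate and confirm the model against the advisory.
        return "update" if version < FIXED_V4 else "fixed"
    if version[0] == 5:
        return "check-advisory"    # this summary gives no fixed V5.X version
    return "unknown"

# Constructed sample inventory: (model, firmware string as reported).
INVENTORY = [
    ("i800", "V4.3.7"),
    ("M2100NC", "v4.3.8"),
    ("RUGGEDCOM M969F", "V4.3.9"),
    ("RSG2100P", "V5.6.0"),
    ("i801NC", "n/a"),
    ("i802NC", "V4.3"),
]

def triage_inventory(rows):
    return {f"{model} {ver}": triage(model, ver) for model, ver in rows}

if __name__ == "__main__":
    for device, status in triage_inventory(INVENTORY).items():
        print(f"{device:28} {status}")
```

Devices reported as `unknown` or `check-advisory` need manual verification before they are treated as unaffected.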
## Detection
- **Indicators of Compromise:** Monitor CLI logs for unusual commands or configuration changes related to web server parameters. Check for unauthorized scripts or unexpected behavior in the Web UI.
- **Detection Methods:** Vulnerability scanners updated with Siemens-specific OIDs can identify vulnerable ROS versions.
## References
- **Vendor Advisory:** hxxps[://]cert-portal[.]siemens[.]com/productcert/html/ssa-840800[.]html
- **Siemens ProductCERT:** hxxps[://]www[.]siemens[.]com/cert/advisories