Full Report
A vulnerability was identified in RUGGEDCOM ROS devices with mirror port enabled that could allow an attacker to inject information into the network via the mirror port. Siemens has released new versions for several affected products and recommends updating to the latest versions. Siemens recommends specific countermeasures for products where fixes are not, or not yet, available.
Analysis Summary
# Vulnerability: Mirror Port Isolation Vulnerability in RUGGEDCOM ROS Devices
## CVE Details
- **CVE ID:** CVE-2023-24845
- **CVSS Score:** 9.1 (Critical)
- **CWE:** CWE-684: Incorrect Provision of Specified Functionality
## Affected Systems
- **Products:** Siemens RUGGEDCOM ROS-based switches and devices.
- **Versions:**
  - RUGGEDCOM i800, i800NC, i801NC, i802NC, i803NC, M2100NC: All versions < V4.3.8
  - RUGGEDCOM ROS V4.X family (including RS416 derivatives, RSG2100P)
  - RUGGEDCOM ROS V5.X family
  - RUGGEDCOM M969F, M2100F, M2200F: All versions
- **Configurations:** Devices where the **Mirror Port** functionality is enabled.
- **Note:** RS900 series devices using the **M88E6083 chip** cannot be patched due to hardware limitations.
## Vulnerability Description
The affected products suffer from a failure to properly isolate data traffic on the mirror port. Ideally, a mirror port (or SPAN port) should be "receive-only" for the monitoring device, or at least prevent traffic from the monitoring tool from being injected back into the production network. In this case, the device insufficiently blocks data from being forwarded from the mirror port into the mirrored network. This allows an attacker positioned at the mirror port to bypass standard network pathing and inject malicious packets directly into the monitored segment.
## Exploitation
- **Status:** PoC available (CVSS Exploit Code Maturity: Functional/Proven). No confirmed reports of exploitation in the wild at the time of the advisory update.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Potential for traffic redirection or interception)
- **Integrity:** None (Per CVSS vector `I:N`, though the description suggests possible influence on runtime behavior)
- **Availability:** High (Injection of traffic can disrupt services or influence system runtime)
## Remediation
### Patches
Siemens recommends updating to the following versions:
- **RUGGEDCOM i800/NC Series:** Update to V4.3.8 or later.
- **RUGGEDCOM ROS V4.X products:** Update to V4.3.8 or later (where available).
- **RUGGEDCOM ROS V5.X products:** Update to V5.7.2 or later.
### Workarounds
For products where no fix is planned (M969F, M2100F, M2200F) or for RS900 devices with the M88E6083 chip:
- **Disable Mirror Ports:** Only enable the port mirroring feature when actively troubleshooting.
- **Physical Security:** Restrict physical access to the device and the ports used for mirroring.
- **Network Segmentation:** Ensure the monitoring device connected to the mirror port is trusted and secured.
## Detection
- **Device Identification:** For RS900 devices, users must enter "Factory Mode" via the interactive shell and run `m88e6 globals` to check for the **M88E6083** chip identifier to determine patch compatibility.
- **Traffic Analysis:** Monitor for unexpected inbound traffic originating from the MAC/IP addresses associated with monitoring tools connected to mirror ports.
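
The traffic-analysis check above, as an added example (not part of the Siemens advisory): it parses raw Ethernet headers captured on the production segment and flags any frame whose source MAC belongs to a monitoring tool attached to a mirror port. The function names, MAC addresses and frames are constructed for illustration.

```python
import re
import struct

def norm_mac(mac):
    """Normalize aa:bb:.., AA-BB-.. or aabb.ccdd.eeff to lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def parse_eth(frame):
    """Return (dst, src, vlan, ethertype), or None if the header is truncated."""
    if len(frame) < 14:
        return None
    dst, src = frame[0:6].hex(), frame[6:12].hex()
    (etype,) = struct.unpack("!H", frame[12:14])
    vlan = None
    if etype == 0x8100:  # 802.1Q tag: TCI first, then the real EtherType
        if len(frame) < 18:
            return None
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF
    return norm_mac(dst), norm_mac(src), vlan, etype

def find_injected(frames, monitor_macs):
    """Flag production-segment frames sourced from a monitoring-tool MAC."""
    watch = {norm_mac(m) for m in monitor_macs}
    hits = []
    for idx, frame in enumerate(frames):
        hdr = parse_eth(frame)
        if hdr and hdr[1] in watch:
            dst, src, vlan, etype = hdr
            hits.append({"index": idx, "src": src, "dst": dst,
                         "vlan": vlan, "ethertype": hex(etype)})
    return hits

# Constructed sample data: locally administered MACs, not real devices.
MONITOR_MACS = ["02-00-00-00-00-99"]  # analyzer attached to the mirror port
SAMPLE_FRAMES = [bytes.fromhex(h) for h in (
    "020000000001" "020000000002" "0800" "4500",         # ordinary host traffic
    "020000000001" "020000000099" "0800" "4500",         # sourced from analyzer MAC
    "ffffffffffff" "020000000099" "8100" "000a" "0806",  # same source, VLAN 10 ARP
    "020000000001" "02000000",                           # truncated header, skipped
)]

if __name__ == "__main__":
    for hit in find_injected(SAMPLE_FRAMES, MONITOR_MACS):
        print(hit)
```

A source MAC can be forged, so an empty result does not show that nothing entered through the mirror port.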
## References
- **Siemens Security Advisory:** [https://cert-portal.siemens.com/productcert/pdf/ssa-908185.pdf](https://cert-portal.siemens.com/productcert/pdf/ssa-908185.pdf)
- **Siemens Support Portal:** [https://support.industry.siemens.com/cs/ww/en/view/109816735/](https://support.industry.siemens.com/cs/ww/en/view/109816735/)
- **Siemens ProductCERT:** [https://www.siemens.com/cert/advisories](https://www.siemens.com/cert/advisories)