Full Report
RUGGEDCOM CROSSBOW Station Access Controller (SAC) contains multiple vulnerabilities in the integrated SQLite component that could allow an attacker to execute arbitrary code or to create a denial of service condition. Siemens has released a new version of RUGGEDCOM CROSSBOW Station Access Controller (SAC) and recommends updating to the latest version.
Analysis Summary
# Vulnerability: Multiple SQLite Component Flaws in RUGGEDCOM CROSSBOW SAC Leading to Code Execution or DoS
## CVE Details
- CVE ID: CVE-2025-3277, CVE-2025-29087, CVE-2025-29088
- CVSS Score: 8.3 (CVE-2025-3277) / 5.5 (CVE-2025-29087) / 7.5 (CVE-2025-29088) (Based on CVSS v3.1 scores provided)
- CWE: CWE-122 (Heap-based Buffer Overflow), CWE-190 (Integer Overflow or Wraparound)
## Affected Systems
- Products: RUGGEDCOM CROSSBOW Station Access Controller (SAC)
- Versions: All versions earlier than V5.7
- Configurations: Affected by vulnerabilities residing in the integrated SQLite component.
## Vulnerability Description
The RUGGEDCOM CROSSBOW SAC embeds a vulnerable SQLite component susceptible to multiple flaws:
1. **CVE-2025-3277 (High Severity):** An integer overflow occurs in the SQLite `concat_ws()` function when a truncated integer result is used for buffer allocation. This leads to a wild heap buffer overflow of up to 4GB, potentially resulting in **Arbitrary Code Execution**.
2. **CVE-2025-29087:** The `concat_ws()` SQL function can cause memory writes beyond the allocated buffer if the separator argument is attacker-controlled and large (e.g., 2MB+), due to an integer overflow during buffer size calculation, leading to buffer boundary violation.
3. **CVE-2025-29088:** A specific flaw within the `SQLITE_DBCONFIG_LOOKASIDE` component of SQLite allows an attacker to cause a **Denial of Service (DoS)** condition.
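The size-calculation failure described for the two `concat_ws()` entries above can be modelled in a few lines of C, with the flawed 32-bit arithmetic next to a checked 64-bit version. This is an added illustration, not SQLite or Siemens code; the function names, the 2049 one-byte arguments and the 1,000,000,000-byte cap are constructed assumptions, and only the 2 MB separator size comes from the description.

```c
#include <stdint.h>
#include <stdio.h>

/* Flawed pattern (model): joined-string size computed in 32 bits.
 * uint32_t keeps the wraparound well-defined in C. */
uint32_t join_size_truncated(uint32_t n_args, uint32_t arg_len, uint32_t sep_len)
{
    return n_args * arg_len + (n_args - 1u) * sep_len + 1u; /* +1 for NUL */
}

/* acc += a * b, failing instead of exceeding cap (requires *acc <= cap). */
static int add_product_capped(uint64_t *acc, uint64_t a, uint64_t b, uint64_t cap)
{
    if (a != 0 && b > (cap - *acc) / a)
        return -1;
    *acc += a * b;
    return 0;
}

/* Hardened pattern: 64-bit arithmetic, every step checked against a cap.
 * Returns 0 and writes the size to *out, or -1 if the request is too large. */
int join_size_checked(uint32_t n_args, uint32_t arg_len, uint32_t sep_len,
                      uint64_t cap, uint64_t *out)
{
    uint64_t total = 1; /* NUL terminator */
    if (n_args == 0 || cap < total)
        return -1;
    if (add_product_capped(&total, n_args, arg_len, cap) != 0)
        return -1;
    if (add_product_capped(&total, n_args - 1u, sep_len, cap) != 0)
        return -1;
    *out = total;
    return 0;
}

int main(void)
{
    /* Constructed input: 2049 one-byte arguments, 2 MiB separator. */
    uint32_t n = 2049, arg = 1, sep = 2u * 1024u * 1024u;
    uint64_t size = 0;
    printf("32-bit size: %u bytes\n", (unsigned)join_size_truncated(n, arg, sep));
    printf("true size:   %llu bytes\n",
           (unsigned long long)(1 + (uint64_t)n * arg + (uint64_t)(n - 1) * sep));
    if (join_size_checked(n, arg, sep, 1000000000ULL, &size) != 0)
        puts("checked: rejected, exceeds cap");
    return 0;
}
```

With this input the 32-bit result wraps to 2050 bytes while the data to be written is just over 4 GiB, which is the mismatch between allocation size and write size that a heap overflow of this class depends on.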
## Exploitation
- **Status:** Information not explicitly provided regarding exploitation status in the wild, but PoC potential exists given the nature of buffer overflows and integer overflows.
- **Complexity:** Low to Medium (for CVE-2025-3277, remote code execution via network attack vector suggests lower complexity for initial exploit).
- **Attack Vector:** Network (AV:N indicated for high-severity CVEs).
## Impact
| Metric | Impact Level (Primarily driven by CVE-2025-3277) |
| :--- | :--- |
| Confidentiality | Low (C:L) |
| Integrity | Low (I:L) |
| Availability | High (A:H - due to DoS potential from CVE-2025-29088, and potential code execution disabling device) |
## Remediation
### Patches
- **Update to Version V5.7 or later** for the RUGGEDCOM CROSSBOW Station Access Controller (SAC).
- Vendor Patch Link Guidance: https://support.industry.siemens.com/cs/ww/en/view/109989951/
### Workarounds
- Siemens recommends following **General Security Recommendations**, including protecting network access to devices with appropriate mechanisms and configuring the environment according to Siemens' operational guidelines for Industrial Security. (Specific technical workarounds not detailed in the summary).
## Detection
- **Indicators of Compromise (IoC):** Any abnormal behavior originating from the SAC related to database interactions or unexpected process execution.
- **Detection Methods and Tools:** Network monitoring for suspicious communication patterns targeting the SAC's database/input handling interfaces. Configuration review to ensure the device is running the patched version V5.7+.
## References
- Siemens Advisory SSA-994087
- Vendor Advisory Link (Primary Source): hxxps://cert-portal.siemens.com/productcert/html/ssa-994087.html
- Siemens Industrial Security General Information: hxxps://www.siemens.com/industrialsecurity