CVSS v2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
EPSS Percentile: 41.8%
This Updated Advisory is a follow-up to the original advisory titled ICSA-12-354-01 RuggedCom ROS Hard-Coded RSA SSL Private Key that was published December 18, 2012, on the ICS-CERT Web page, as a follow-up to the original ICS-CERT alert ICS-ALERT-12-234-01 RuggedCom ROS Key Management Errors, which was released to the Web page on August 30, 2012.
Independent researcher Justin W. Clarke of Cylance Inc. has identified the use of a hard-coded RSA SSL private key in RuggedCom's Rugged Operating System (ROS). RuggedCom, an independent subsidiary of Siemens, has produced a new version of ROS that mitigates this vulnerability.
This vulnerability could be exploited remotely. Exploits that target this vulnerability are publicly available.
The following RuggedCom products are affected (sources: RuggedCom Website, http://www.ruggedcom.com/productbulletin/ros-security-page/, Web site last accessed April 29, 2013; Siemens Security Advisory, https://www.siemens.com/corporate-technology/pool/de/forschungsfelder/siemens_security_advisory_ssa-622607.pdf, Web site last accessed April 29, 2013):
Successful exploitation of this vulnerability gives an attacker the private SSL key used for secure communications between a client/user and a RuggedCom switch. The attacker can use the key to decrypt management traffic and to create malicious communication to the RuggedCom network device.
This vulnerability has no impact on encrypted data traffic passing through RuggedCom ROS, ROX, or RuggedMax BS devices.
Impact to individual organizations depends on many factors that are unique to each organization. ICS‑CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.
RuggedCom, a Siemens Business, is a Canadian-based company with sales and distribution in over 25 countries around the world.
The affected product, Rugged Operating System (ROS), is the software operating system for the RuggedSwitch and RuggedServer product families. ROS-based devices are often deployed in critical infrastructure projects such as electrical substations, intelligent transportation systems, and rail wayside control.
RuggedCom/Siemens estimates that these products are used primarily in Canada, United States, Mexico, China, and Europe.
Using publicly available software, the private SSL key can be extracted from the ROS binary file. This key can allow an attacker to establish a secure communication link with RuggedCom network devices and manipulate settings that would result in a denial-of-service condition.
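A defensive check this class of issue calls for is auditing a firmware image for embedded private keys before it is deployed, so that a key baked into the build (and therefore shared by every device running it) is caught before it reaches the field. The following is an added example, not part of the advisory or of RuggedCom's tooling: it scans an image for complete PEM private-key blocks and runs against a constructed sample image, not a real ROS binary.

```python
import base64
import binascii
import re
from dataclasses import dataclass

# PEM labels that carry private key material. Certificates and public keys are
# normal in a firmware image; any of these means the key is baked into the build.
PRIVATE_KEY_LABELS = frozenset({
    "RSA PRIVATE KEY", "DSA PRIVATE KEY", "EC PRIVATE KEY",
    "PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "OPENSSH PRIVATE KEY"})

# A complete PEM block: header, base64 body (line breaks allowed), matching footer.
_PEM_BLOCK = re.compile(
    rb"-----BEGIN (?P<label>[A-Z0-9 ]+?)-----"
    rb"(?P<body>[A-Za-z0-9+/=\s]*?)"
    rb"-----END (?P=label)-----"
)


@dataclass(frozen=True)
class EmbeddedKey:
    label: str
    offset: int       # byte offset of the PEM header inside the image
    decoded_len: int  # bytes in the decoded body; 0 if the body is not valid base64


def find_embedded_private_keys(image: bytes) -> list[EmbeddedKey]:
    """Return every complete PEM private-key block found in a firmware image."""
    found = []
    for match in _PEM_BLOCK.finditer(image):
        label = match.group("label").decode("ascii")
        if label not in PRIVATE_KEY_LABELS:
            continue  # certificate or public key: expected, not a finding
        body = b"".join(match.group("body").split())  # strip PEM line breaks
        try:
            decoded_len = len(base64.b64decode(body, validate=True))
        except binascii.Error:
            decoded_len = 0  # header/footer present but body is not real base64
        found.append(EmbeddedKey(label, match.start(), decoded_len))
    return found


# Constructed sample image (not a real ROS binary): ELF-like padding, an expected
# certificate block, and a placeholder RSA key block whose body is arbitrary base64.
SAMPLE_IMAGE = (
    b"\x7fELF" + b"\x00" * 64
    + b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n" + b"\x00" * 16
    + b"-----BEGIN RSA PRIVATE KEY-----\n"
    + base64.b64encode(b"placeholder-not-a-key" * 3) + b"\n-----END RSA PRIVATE KEY-----\n"
)
```

Any non-empty result for an image that is meant to ship to many devices is a finding; a header without a matching footer is not reported as a complete block and would need manual inspection.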
CVE-2012-4698 has been assigned to this vulnerability (NVD, http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4698; NIST uses this advisory to create the CVE Web site report, which will be active sometime after publication of this advisory). A CVSS v2 base score of 9.3 has been assigned; the CVSS vector string is (AV:N/AC:M/Au:N/C:C/I:C/A:C).
This vulnerability could be exploited remotely.
Exploits that target this vulnerability are publicly available.
An attacker with a moderate skill would be able to exploit this vulnerability.
ROS Update v3.12 has been produced to mitigate these issues and can be obtained from the RuggedCom Customer Support Team. Full information can be found at this link: <http://www.ruggedcom.com/productbulletin/ros-security-page/>.
ROX device customers are strongly encouraged to change their SSL and SSH keys. Application notes exist that explain how to change the SSL and SSH keys. Please consult App Note AN17 for ROX1.x versions of the firmware and App Note AN16 for ROX 2.x. These application notes can be obtained from RuggedCom’s Customer Support Team.
For RuggedMax SSH service, the customer has the capability to generate new keys. Each device (subscriber or base station) can be triggered to generate a new SSH key by deleting the current key. Customers are strongly encouraged to generate new keys. A procedure on how to generate a new SSH key can be obtained from RuggedCom Customer Support Team.
For HTTPS access, a temporary solution with the current version of the firmware is to disable HTTPS access. For details on this procedure, please contact the RuggedCom Customer Support Team.
Siemens recommends the following mitigation strategies when deploying RuggedCom devices:
ICS‑CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.
ICS-CERT also provides a section for control systems security recommended practices on the ICS-CERT Web page. Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies. ICS‑CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
Additional mitigation guidance and recommended practices are publicly available in the ICS‑CERT Technical Information Paper, ICS-TIP-12-146-01B—Targeted Cyber Intrusion Detection and Mitigation Strategies, that is available for download from the ICS-CERT Web page (www.ics-cert.org).
Organizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS‑CERT for tracking and correlation against other incidents.