Today the DHS ICS-CERT published a more than slightly delayed alert about a serious vulnerability in various network devices from RuggedCom. The vulnerability was reported (in an attempted coordinated disclosure) by Justin W. Clarke.
Justin reported that:
“An undocumented backdoor account exists within all released versions of RuggedCom's Rugged Operating System (ROS®). The username for the account, which cannot be disabled, is ‘factory’ and its password is dynamically generated based on the device's MAC address.”
The Advisory briefly notes that there was “an attempted but unsuccessful coordination with the vendor”, but there is a more detailed description of the apparent failure of RuggedCom to adequately respond to the disclosure.
Unusually for an alert, ICS-CERT is reporting that RuggedCom has recommended “customers to disable the rsh (remote shell) service and set the number of Telnet connections allowed to 0”, but ICS-CERT also notes that it has not verified that this resolves the vulnerability.