Friday the folks at ICS-CERT published an advisory updating the vulnerability information for RuggedSwitch and RuggedServer that were identified last month. They also published a technical information paper covering mitigation strategies for dealing with identified or suspected cyber intrusions.
This Advisory is actually the second ICS-CERT follow-up to the initial alert on this vulnerability; there was an amended alert issued two days after the initial alert noting that RuggedCom would be issuing a firmware update within the month. This Advisory confirms that the firmware update was made available and ICS-CERT has confirmed that it effectively mitigates the vulnerability.
Actually that’s an overstatement of facts as a closer reading of the Advisory makes clear. The firmware update provided only applies to ROS 3.10.1. Updates for other versions will be released ‘in the next few weeks on a staggered basis’. The reason is that each version requires its own variations to be developed, tested and verified. While this may be initially confusing (especially for system owners that have equipment with different versions of the ROS in their various pieces of RuggedCom equipment) it does insure that the updated firmware gets into the field as quickly as possible.
RuggedCom will publish a new product bulletin for each of the updates as they are made available. It is not clear if ICS-CERT will update this advisory each time a new ROS version is updated. I suspect that they probably will.
Apparently RuggedCom is not planning on providing firmware updates to ROS versions earlier than 3.7. They are urging customers to upgrade products with older versions. ICS-CERT notes that RuggedCom has indicated a willingness to work with customers that are unable to make such upgrades.
Updating firmware has its own special challenges in installed equipment. To make matters more interesting in this case is the apparent fact that the update changes the way that the RuggedCom equipment will now handle recovery of administrative passwords. The ICS-CERT Advisory provides this information:
“These new versions of the ROS firmware remove the factory account and the associated security vulnerability. Customers using these new versions of the firmware should take special care not to lose the user defined password to a device’s administrative account as recovering from a lost administrative password will now require physical access to the device to reset the passwords.”
On a purely editorial note, it appears that ICS-CERT is providing a little more credit for the initiators of uncoordinated disclosures. This Advisory provides a link to the Justin Clark public disclosure of the vulnerability in these systems. In my opinion this is long overdue as a minimum standard of the acknowledgement of the intellectual property of the researcher involved.
Cyber Intrusion Mitigation
Friday also saw the publication of one of ICS-CERT’s infrequent tip sheets. According to the introduction this 8-page document provides “ high-level strategies that should can improve overall visibility of a cyber intrusion and aid in recovery efforts should an incident occur” (pg 1). While it is not stated anywhere in the document, I would assume that this is at least partially in response to the phishing attacks on US gas companies that were reported earlier this month.
The document addresses:
• Preserving forensic data;
• Detection and mitigation activities, including:
∙ Intrusion detection / preventing lateral network movement;
∙ Credential management;
∙ Increased logging capabilities;
∙ DNS logging with host level granularity; and
∙ Auditing network hosts for suspicious files;
• What to do with an infected host;
• Longer-term recommendations, including:
∙ Strict role-based access control;
∙ Network segmentation;
∙ Application whitelisting, and;
∙ Phishing prevention.
As one would expect, there is nothing really new here, but it is a nice summary of the multiple levels of cyber protection that need to be employed to help reduce the effectiveness and impact of a targeted cyber-attack.