This afternoon the DHS ICS-CERT published an advisory for a pair of self-reported vulnerabilities in the RuggedCom devices with ROS firmware. Siemens reported the vulnerabilities today as well as announcing the availability of a firmware update that mitigates the vulnerabilities.
ICS-CERT describes the vulnerabilities as:
• Use of insufficiently random values, CVE-2013-6925; and
• Authentication bypass issues, CVE-2013-6926
NOTE: The CVE links are not yet active.
ICS-CERT reports that a relatively unskilled attacker could remotely exploit these vulnerabilities to be able to perform limited administrative operations over the network. Siemens notes that an attacker must have network access (port 443/tcp) to the affected devices for both vulnerabilities.
BTW: Siemens ProductCERT also published another industrial control system advisory today for a privilege escalation vulnerability in the COMOS engineering solution. Siemens has patches available for the affected versions of COMOS. There is no indication of why ICS-CERT does not have a similar advisory published.