Today the DHS ICS-CERT published an advisory for the Siemens RuggedCom operating system (ROS). The improper input validation vulnerability upon which this advisory is based was reported to Siemens by Aivar Liimets from Martem Telecontrol Systems. Siemens has produced a product upgrade that mitigates this vulnerability in most affected systems, but there is no indication in this Advisory or the one from the Siemens ProductCert that Liimets has verified the efficacy of the update.
ICS-CERT reports that a relatively unskilled attacker could exploit this vulnerability to conduct a denial of service attack on the device. Such a DoS attack would not affect the switching functions of the device according to both advisories. The attacker would need to have network access to the device.
Siemens is still in the process of developing an upgrade for v4.0 of the ROS, but upgrading most earlier version to v3.11.5 will mitigate the vulnerability according to Siemens. When the v4.0 upgrade is available, Siemens will update their internal advisory and presumably ICS-CERT will update the one issued today.
Another Advisory Update from Siemens
I said ‘presumably’ for the ICS-CERT update in the last paragraph because they have not provided an update to their previous Siemens ROS advisory that Siemens updated today. The Siemens update added a new mitigation for the v3.11 devices (the same upgrade discussed above) and updated the support contact information.