Today the DHS ICS-CERT published an advisory for an IP forwarding vulnerability in older versions of the Siemens RUGGEDCOM switches. ICS-CERT reports that Stephen Craven of the Tennessee Valley Authority reported this vulnerability. Siemens reports that newer versions of the operating system for those switches allow for disabling of the IP forwarding function.
ICS-CERT reports that a moderately skilled attacker could remotely exploit this vulnerability if more than one VLAN were configured on the system.
It appears from the ICS-CERT advisory and the Siemens Advisory that this IP forwarding is not actually a vulnerability, but something designed into the system that could be a problem under some circumstances. The wording of both documents implies that the IP forwarding feature is a default feature on the newer systems. This would mean that segmentation of control system access using multiple virtual local area networks could be bypassed by compromising an element of one of the VLANs if IP forwarding were enabled on the system. Seems like something that should be disabled by default and enabled only if needed.
BTW: Siemens does not credit Craven for the discovery of the vulnerability; rather it simply acknowledges “the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) for their support and coordination efforts”.