Today the DHS ICS-CERT published an advisory for the Siemens
RuggedCom operating system (ROS). The improper input validation vulnerability upon
which this advisory is based was reported to Siemens by Aivar Liimets from
Martem Telecontrol Systems. Siemens has produced a product upgrade that
mitigates this vulnerability in most affected systems, but there is no
indication in this
Advisory or the one from
the Siemens ProductCert that Liimets has verified the efficacy of the
update.
The Vulnerability
ICS-CERT reports that a relatively unskilled attacker could
exploit this vulnerability to conduct a denial of service attack on the device.
Such a DoS attack would not affect the switching functions of the device
according to both advisories. The attacker would need to have network access to
the device.
Siemens is still in the process of developing an upgrade for
v4.0 of the ROS, but upgrading most earlier version to v3.11.5 will mitigate
the vulnerability according to Siemens. When the v4.0 upgrade is available,
Siemens will update their internal advisory and presumably ICS-CERT will update
the one issued today.
Another Advisory
Update from Siemens
I said ‘presumably’ for the ICS-CERT update in the last
paragraph because they have not provided an update to their previous
Siemens ROS advisory that Siemens
updated today. The Siemens update added a new mitigation for the v3.11 devices
(the same upgrade discussed above) and updated the support contact information.
Posts
No comments:
Post a Comment