*Information to US-CERT:*

*The product:*
"The RUGGEDCOM RS900 is a 9-port utility-grade, fully managed Ethernet switch, specifically designed to operate reliably in electrically harsh and climatically demanding environments."
Source: http://w3.siemens.com/mcms/industrial-communication/en/rugged-communication/ruggedcom-portfolio/switches-routers-layer-2/compact-switches/Pages/rs900.aspx

*Devices affected:*
RUGGEDCOM RS900 (however, other models of RUGGEDCOM switches may be affected as well)

*Firmware/configuration affected:*
RS900 Order Code: RS900-HI-D-MT-MT-MT-XX
Boot version: v3.0.2
Main version: 4.2.1
Required Boot: 2.20.0
Hardware ID: RS900 (v2, 40-00-0066)

*Vulnerability type: Denial of Service.*
Exploiting this vulnerability is very simple: sending a limited number of ICMP packets drives the CPU to 65% load, and the device stops responding for the duration of the attack.

*Exploit details*
Using hping3 (http://packages.ubuntu.com/precise/net/hping3), a freely available open-source, command-line TCP/IP packet assembler/analyzer, it is quite trivial to exploit. In this example, the router has IP 192.168.0.1:

mikael@Scadascan hping3 -1 -C 3 -K 3 -i u100 192.168.0.1

Via a serial connection to the router diagnostic page, it can be seen that the router CPU maxes out at 65% and stops responding to e.g. a running ping command.

*Overall CVSS Score:* 7.5 (Version 3)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

*Mitigation/workaround:* None known at the moment.

*EXPLOITABILITY* These vulnerabilities could be exploited remotely.

*EXISTENCE OF EXPLOIT* No known public exploits specifically target these vulnerabilities.

*DIFFICULTY* An attacker with a low skill level would be able to exploit these vulnerabilities.

*Credits:* This vulnerability was found by Carsten Borup Andersen and Mikael Vingaard, based on the work of the other researchers who found the Black Nurse vulnerability.
For details please see www.blacknurse.dk

_______

*Answer from Siemens (US-CERT) CSOC*

--- Begin results from Siemens ---

In my discussions with the product team, for now, we couldn't identify a security issue with the reported behavior. We test our ROS devices for DoS robustness and as long as the devices recover (without reboot) to normal operation following a DoS attack, the behavior is as expected and we do not see a security vulnerability. If the researchers plan to continue with their testing and observe that the device under attack does not recover after a load test or any other potential security issue, we continue to be interested in reports. Thank you Mikael, Carsten, and ICS-CERT for your collaboration on this topic and please let us know in case of any remaining questions or concerns.
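As a defender-side illustration (added here; not part of the researchers' report or Siemens' reply), the following Python flags the ICMP type 3 / code 3 burst that the hping3 command in the report generates: it parses raw ICMP headers, verifies the RFC 1071 checksum, and counts per-source packets in a sliding one-second window so that ordinary pings are not flagged. The alert threshold, the IP addresses and the sample packets are constructed for the example and are assumptions, not values from the report.

```python
import struct
from collections import defaultdict, deque

# Black Nurse sends ICMP Destination Unreachable (type 3), Port Unreachable (code 3).
FLOOD_TYPE, FLOOD_CODE = 3, 3
WINDOW_SECONDS = 1.0
THRESHOLD = 50  # assumed alert level: packets per window from one source; tune per device/link

def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over the ICMP header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def parse_icmp(packet: bytes):
    """Return (type, code, checksum_ok) for a raw ICMP message, or None if too short."""
    if len(packet) < 8:
        return None
    icmp_type, icmp_code, received = struct.unpack("!BBH", packet[:4])
    zeroed = packet[:2] + b"\x00\x00" + packet[4:]   # checksum field is zero when computed
    return icmp_type, icmp_code, icmp_checksum(zeroed) == received

def detect_floods(events, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """events: (timestamp, src_ip, icmp_bytes). Returns {src_ip: peak type 3/code 3 count in one window}."""
    recent = defaultdict(deque)
    offenders = {}
    for ts, src, pkt in sorted(events):
        parsed = parse_icmp(pkt)
        if parsed is None or parsed[:2] != (FLOOD_TYPE, FLOOD_CODE):
            continue  # malformed or not the Black Nurse type/code: ignore here
        window_q = recent[src]
        window_q.append(ts)
        while ts - window_q[0] > window:   # drop timestamps that fell out of the sliding window
            window_q.popleft()
        if len(window_q) > threshold:
            offenders[src] = max(offenders.get(src, 0), len(window_q))
    return offenders

# Constructed sample packets (type, code, checksum, 4 unused header bytes); checksums precomputed.
PORT_UNREACHABLE = bytes.fromhex("0303fcfc00000000")   # type 3, code 3
ECHO_REQUEST = bytes.fromhex("0800f7fd00010001")        # type 8, code 0: an ordinary ping

def sample_events():
    """Constructed capture: 10.0.0.9 bursts 200 port-unreachables 100 us apart; 10.0.0.5 pings once a second."""
    flood = [(1.0 + i * 0.0001, "10.0.0.9", PORT_UNREACHABLE) for i in range(200)]
    pings = [(float(i), "10.0.0.5", ECHO_REQUEST) for i in range(5)]
    return flood + pings
```

Running `detect_floods(sample_events())` reports only the bursting source; feeding real captures in the same (timestamp, source, ICMP bytes) shape lets the same logic drive an alert or a temporary ACL entry.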