search menu icon-carat-right cmu-wordmark

CERT Coordination Center

RuggedCom Rugged Operating System (ROS) contains hard-coded user account with predictable password

Vulnerability Note VU#889195

Original Release Date: 2012-04-24 | Last Revised: 2012-07-18

Overview

RuggedCom Rugged Operating System (ROS) contains a hard-coded user account with a predictable password.

Description

RuggedCom Rugged Operating System (ROS), used in RuggedCom network infrastructure devices, contains a hard-coded user account named "factory" that cannot be disabled. The password for this account is based on the device's MAC address and can be reverse engineered easily (CWE-261: Weak Cryptography for Passwords).

ROS also supports HTTP(S) and ssh services. In ROS 3.3.x, these services do not use the factory account. ROS does not appear to log successful or unsuccessful login attempts for the factory account.

More information is available in "Undocumented Backdoor Access to RuggedCom Devices" and RuggedCom's security bulletin.

Impact

An attacker with knowledge of an ROS device's MAC address may be able to gain complete administrative control of the device. The MAC address is displayed in the pre-authentication banner.

Solution

According to RuggedCom's security bulletin, "Version 3.10.1 of the ROS® firmware with security related fixes will be released on Tuesday May 22, 2012 and can be obtained by emailing support@ruggedcom.com. Other ROS® firmware versions containing the same security fixes (3.9.3, 3.8.5, 3.7.9 & 3.11.0) will be released over the next few weeks on a staggered basis as development and testing is completed."

ICS-CERT Advisory ICSA-12-146-01A confirms that ROS version 3.10.1 is no longer affected, and that versions 3.9.3, 3.8.5, and 3.7.9 are now available.

Workarounds

ROS 3.3.x allows users to disable the rsh service and set the number of allowed telnet connections to 0. ROS 3.2.x does not alllow the rsh or telnet services to be disabled.

Vendor Information

889195
 
Affected   Unknown   Unaffected

RuggedCom

Notified:  February 10, 2012 Updated:  July 18, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

RuggedCom advises ROS 3.3.x users to disable the rsh service and set the number of allowed telnet connections to 0. This vulnerability is addressed in ROS versions 3.10.1, 3.9.3, 3.8.5, and 3.7.9.

Vendor References

Siemens

Updated:  April 24, 2012

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

RuggedCom was acquired by Siemens in March 2012.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C
Temporal 7.3 E:POC/RL:W/RC:C
Environmental 1.8 CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

Acknowledgements

Thanks to Justin W. Clarke, an independent security researcher in San Francisco, California, for reporting this vulnerability. Thanks also to ICS-CERT for testing and additional coordination with RuggedCom.

This document was written by Michael Orlando and Art Manion.

Other Information

CVE IDs: CVE-2012-1803
Date Public: 2012-04-23
Date First Published: 2012-04-24
Date Last Updated: 2012-07-18 20:09 UTC
Document Revision: 66

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.