Siemens RUGGEDCOM ROS Buffer Copy Without Checking Size of Input (CVE-2021-31895)

critical Tenable OT Security Plugin ID 501633

Synopsis

The remote OT asset is affected by a vulnerability.

Description

A vulnerability has been identified in RUGGEDCOM ROS M2100 (All versions < V4.3.7), RUGGEDCOM ROS M2200 (All versions < V4.3.7), RUGGEDCOM ROS M969 (All versions < V4.3.7), RUGGEDCOM ROS RMC (All versions < V4.3.7), RUGGEDCOM ROS RMC20 (All versions < V4.3.7), RUGGEDCOM ROS RMC30 (All versions < V4.3.7), RUGGEDCOM ROS RMC40 (All versions < V4.3.7), RUGGEDCOM ROS RMC41 (All versions < V4.3.7), RUGGEDCOM ROS RMC8388 V4.X (All versions < V4.3.7), RUGGEDCOM ROS RMC8388 V5.X (All versions < V5.5.4), RUGGEDCOM ROS RP110 (All versions < V4.3.7), RUGGEDCOM ROS RS400 (All versions < V4.3.7), RUGGEDCOM ROS RS401 (All versions < V4.3.7), RUGGEDCOM ROS RS416 (All versions < V4.3.7), RUGGEDCOM ROS RS416v2 V4.X (All versions < V4.3.7), RUGGEDCOM ROS RS416v2 V5.X (All versions < 5.5.4), RUGGEDCOM ROS RS8000 (All versions < V4.3.7), RUGGEDCOM ROS RS8000A (All versions < V4.3.7), RUGGEDCOM ROS RS8000H (All versions < V4.3.7), RUGGEDCOM ROS RS8000T (All versions < V4.3.7), RUGGEDCOM ROS RS900 (32M) V4.X (All versions < V4.3.7), RUGGEDCOM ROS RS900 (32M) V5.X (All versions < V5.5.4), RUGGEDCOM ROS RS900G (All versions < V4.3.7), RUGGEDCOM ROS RS900G (32M) V4.X (All versions < V4.3.7), RUGGEDCOM ROS RS900G (32M) V5.X (All versions < V5.5.4), RUGGEDCOM ROS RS900GP (All versions < V4.3.7), RUGGEDCOM ROS RS900L (All versions < V4.3.7), RUGGEDCOM ROS RS900W (All versions < V4.3.7), RUGGEDCOM ROS RS910 (All versions < V4.3.7), RUGGEDCOM ROS RS910L (All versions < V4.3.7), RUGGEDCOM ROS RS910W (All versions < V4.3.7), RUGGEDCOM ROS RS920L (All versions < V4.3.7), RUGGEDCOM ROS RS920W (All versions < V4.3.7), RUGGEDCOM ROS RS930L (All versions < V4.3.7), RUGGEDCOM ROS RS930W (All versions < V4.3.7), RUGGEDCOM ROS RS940G (All versions < V4.3.7), RUGGEDCOM ROS RS969 (All versions < V4.3.7), RUGGEDCOM ROS RSG2100 (32M) V4.X (All versions < V4.3.7), RUGGEDCOM ROS RSG2100 (32M) V5.X (All versions < V5.5.4), RUGGEDCOM ROS RSG2100 V4.X (All versions < V4.3.7), RUGGEDCOM ROS RSG2100P (All versions < V4.3.7), RUGGEDCOM ROS RSG2100P (32M) V4.X (All versions < V4.3.7), RUGGEDCOM ROS RSG2100P (32M) V5.X (All versions < V5.5.4), RUGGEDCOM ROS RSG2200 (All versions < V4.3.7), RUGGEDCOM ROS RSG2288 V4.X (All versions < V4.3.7), RUGGEDCOM ROS RSG2288 V5.X (All versions < V5.5.4), RUGGEDCOM ROS RSG2300 V4.X (All versions < V4.3.7), RUGGEDCOM ROS RSG2300 V5.X (All versions < V5.5.4), RUGGEDCOM ROS RSG2300P V4.X (All versions < V4.3.7), RUGGEDCOM ROS RSG2300P V5.X (All versions < V5.5.4), RUGGEDCOM ROS RSG2488 V4.X (All versions < V4.3.7), RUGGEDCOM ROS RSG2488 V5.X (All versions < V5.5.4), RUGGEDCOM ROS RSG900 V4.X (All versions < V4.3.7), RUGGEDCOM ROS RSG900 V5.X (All versions < V5.5.4), RUGGEDCOM ROS RSG900C (All versions < V5.5.4), RUGGEDCOM ROS RSG900G V4.X (All versions < V4.3.7), RUGGEDCOM ROS RSG900G V5.X (All versions < V5.5.4), RUGGEDCOM ROS RSG900R (All versions < V5.5.4), RUGGEDCOM ROS RSG920P V4.X (All versions < V4.3.7), RUGGEDCOM ROS RSG920P V5.X (All versions < V5.5.4), RUGGEDCOM ROS RSL910 (All versions < V5.5.4), RUGGEDCOM ROS RST2228 (All versions < V5.5.4), RUGGEDCOM ROS RST916C (All versions < V5.5.4), RUGGEDCOM ROS RST916P (All versions < V5.5.4), RUGGEDCOM ROS i800 (All versions < V4.3.7), RUGGEDCOM ROS i801 (All versions < V4.3.7), RUGGEDCOM ROS i802 (All versions < V4.3.7), RUGGEDCOM ROS i803 (All versions < V4.3.7). The DHCP client in affected devices fails to properly sanitize incoming DHCP packets.
This could allow an unauthenticated remote attacker to cause memory to be overwritten, potentially allowing remote code execution.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Siemens recommends applying updates where applicable:

- RUGGEDCOM ROS i800: Update to v4.3.7 or later
- RUGGEDCOM ROS i801: Update to v4.3.7 or later
- RUGGEDCOM ROS i802: Update to v4.3.7 or later
- RUGGEDCOM ROS i803: Update to v4.3.7 or later
- RUGGEDCOM ROS M969: Update to v4.3.7 or later
- RUGGEDCOM ROS M2100: Update to v4.3.7 or later
- RUGGEDCOM ROS M2200: Update to v4.3.7 or later
- RUGGEDCOM ROS RMC: Update to v4.3.7 or later
- RUGGEDCOM ROS RMC20: Update to v4.3.7 or later
- RUGGEDCOM ROS RMC30: Update to v4.3.7 or later
- RUGGEDCOM ROS RMC40: Update to v4.3.7 or later
- RUGGEDCOM ROS RMC41: Update to v4.3.7 or later
- RUGGEDCOM ROS RMC8388 V4.X: Update to v4.3.7 or later
- RUGGEDCOM ROS RMC8388 V5.X: Update to v5.5.4 or later
- RUGGEDCOM ROS RP110: Update to v4.3.7 or later
- RUGGEDCOM ROS RS400: Update to v4.3.7 or later
- RUGGEDCOM ROS RS401: Update to v4.3.7 or later
- RUGGEDCOM ROS RS416: Update to v4.3.7 or later
- RUGGEDCOM ROS RS416V2 V4.X: Update to v4.3.7 or later
- RUGGEDCOM ROS RS416V2 V5.X: Update to v5.5.4 or later
- RUGGEDCOM ROS RS900 (32M) V4.X: Update to v4.3.7 or later
- RUGGEDCOM ROS RS900 (32M) V5.X: Update to v5.5.4 or later
- RUGGEDCOM ROS RS900G: Update to v4.3.7 or later
- RUGGEDCOM ROS RS900G (32M) V4.X: Update to v4.3.7 or later
- RUGGEDCOM ROS RS900G (32M) V5.X: Update to v5.5.4 or later
- RUGGEDCOM ROS RS900GP: Update to v4.3.7 or later
- RUGGEDCOM ROS RS900L: Update to v4.3.7 or later
- RUGGEDCOM ROS PS900W: Update to v4.3.7 or later
- RUGGEDCOM ROS RS910: Update to v4.3.7 or later
- RUGGEDCOM ROS RS910L: Update to v4.3.7 or later
- RUGGEDCOM ROS RS910W: Update to v4.3.7 or later
- RUGGEDCOM ROS RS920L: Update to v4.3.7 or later
- RUGGEDCOM ROS RS920W: Update to v4.3.7 or later
- RUGGEDCOM ROS RS930L: Update to v4.3.7 or later
- RUGGEDCOM ROS RS930W: Update to v4.3.7 or later
- RUGGEDCOM ROS RS940G: Update to v4.3.7 or later
- RUGGEDCOM ROS RS969: Update to v4.3.7 or later
- RUGGEDCOM ROS RS8000: Update to v4.3.7 or later
- RUGGEDCOM ROS RS8000A: Update to v4.3.7 or later
- RUGGEDCOM ROS RS8000H: Update to v4.3.7 or later
- RUGGEDCOM ROS RS8000T: Update to v4.3.7 or later
- RUGGEDCOM ROS RSG900 V4.X: Update to v4.3.7 or later
- RUGGEDCOM ROS RSG900 V5.X: Update to v5.5.4 or later
- RUGGEDCOM ROS RSG900C: Update to v5.5.4 or later
- RUGGEDCOM ROS RSG900G V4.X: Update to v4.3.7 or later
- RUGGEDCOM ROS RSG800G V5.X: Update to v5.5.4 or later
- RUGGEDCOM ROS RSG900R: Update to v5.5.4 or later
- RUGGEDCOM ROS RSG920P V4.X: Update to v4.3.7 or later
- RUGGEDCOM ROS RSG920P V5.X: Update to v5.5.4 or later
- RUGGEDCOM ROS RSG2100 (32M) V4.X: Update to v4.3.7 or later
- RUGGEDCOM ROS RSG2100 (32M) V5.X: Update to v5.5.4 or later
- RUGGEDCOM ROS RSG2100 V4.X: Update to v4.3.7 or later
- RUGGEDCOM ROS RSG2100P: Update to v4.3.7 or later
- RUGGEDCOM ROS RSG2100P (32M) V4.X: Update to v4.3.7 or later
- RUGGEDCOM ROS RSG2100P (32M) V5.X: Update to v5.5.4 or later
- RUGGEDCOM ROS RSG2200: Update to v4.3.7 or later
- RUGGEDCOM ROS RSG2288 V4.X: Update to v4.3.7 or later
- RUGGEDCOM ROS RSG2288 V5.X: Update to v5.5.4 or later
- RUGGEDCOM ROS RSG2300 V4.X: Update to v4.3.7 or later
- RUGGEDCOM ROS RSG2300 V5.X: Update to v5.5.4 or later
- RUGGEDCOM ROS RSG2300P V4.X: Update to v4.3.7 or later
- RUGGEDCOM ROS RSG2300P V5.X: Update to v5.5.4 or later
- RUGGEDCOM ROS RSG2488 V4.X: Update to v4.3.7 or later
- RUGGEDCOM ROS RSG2488 V5.X: Update to v5.5.4 or later
- RUGGEDCOM ROS RSL910: Update to v5.5.4 or later
- RUGGEDCOM ROS RST916C: Update to v5.5.4 or later
- RUGGEDCOM ROS RST916P: Update to v5.5.4 or later
- RUGGEDCOM ROS RST2228: Update to v5.5.4 or later

Siemens has identified the following specific workarounds and mitigations users can apply to reduce the risk:

- Enabling DHCP snooping ensures the DHCP client in the affected devices will only accept DHCP requests from trusted DHCP servers
- Disable DHCP and configure a static IP address to the device

As a general security measure, Siemens strongly recommends protecting network access to devices with appropriate mechanisms. In order to operate the devices in a protected IT environment, Siemens recommends configuring the environment according to the Siemens Operational Guidelines for Industrial Security and following the recommendations in the product manuals. For additional information, please refer to Siemens Security Advisory SSA-373591.

See Also

https://cert-portal.siemens.com/productcert/pdf/ssa-373591.pdf

https://www.cisa.gov/news-events/ics-advisories/icsa-21-194-10

Plugin Details

Severity: Critical

ID: 501633

Version: 1.7

Type: remote

Family: Tenable.ot

Published: 9/14/2023

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-31895

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:siemens:ruggedcom_ros_i800, cpe:/o:siemens:ruggedcom_ros_i801, cpe:/o:siemens:ruggedcom_ros_i802, cpe:/o:siemens:ruggedcom_ros_i803, cpe:/o:siemens:ruggedcom_ros_m2100, cpe:/o:siemens:ruggedcom_ros_m2200, cpe:/o:siemens:ruggedcom_ros_m969, cpe:/o:siemens:ruggedcom_ros_rmc20, cpe:/o:siemens:ruggedcom_ros_rmc30, cpe:/o:siemens:ruggedcom_ros_rmc40, cpe:/o:siemens:ruggedcom_ros_rmc41, cpe:/o:siemens:ruggedcom_ros_rs400, cpe:/o:siemens:ruggedcom_ros_rs401, cpe:/o:siemens:ruggedcom_ros_rs416, cpe:/o:siemens:ruggedcom_ros_rs8000, cpe:/o:siemens:ruggedcom_ros_rs8000a, cpe:/o:siemens:ruggedcom_ros_rs8000h, cpe:/o:siemens:ruggedcom_ros_rs8000t, cpe:/o:siemens:ruggedcom_ros_rs900gp, cpe:/o:siemens:ruggedcom_ros_rs900l, cpe:/o:siemens:ruggedcom_ros_rs900w, cpe:/o:siemens:ruggedcom_ros_rs910, cpe:/o:siemens:ruggedcom_ros_rs910l, cpe:/o:siemens:ruggedcom_ros_rs910w, cpe:/o:siemens:ruggedcom_ros_rs920l, cpe:/o:siemens:ruggedcom_ros_rs920w, cpe:/o:siemens:ruggedcom_ros_rs930l, cpe:/o:siemens:ruggedcom_ros_rs930w, cpe:/o:siemens:ruggedcom_ros_rs940g, cpe:/o:siemens:ruggedcom_ros_rs969, cpe:/o:siemens:ruggedcom_ros_rsg2200, cpe:/o:siemens:ruggedcom_ros_rsg900c, cpe:/o:siemens:ruggedcom_ros_rsg900r, cpe:/o:siemens:ruggedcom_ros_rst2228, cpe:/o:siemens:ruggedcom_ros_rst916c, cpe:/o:siemens:ruggedcom_ros_rst916p, cpe:/o:siemens:ruggedcom_ros_rmc8388:4, cpe:/o:siemens:ruggedcom_ros_rmc8388:5, cpe:/o:siemens:ruggedcom_ros_rs416v2:4, cpe:/o:siemens:ruggedcom_ros_rs416v2:5, cpe:/o:siemens:ruggedcom_ros_rs900:4, cpe:/o:siemens:ruggedcom_ros_rs900:5, cpe:/o:siemens:ruggedcom_ros_rs900g:4, cpe:/o:siemens:ruggedcom_ros_rs900g:5, cpe:/o:siemens:ruggedcom_ros_rsg2100:4, cpe:/o:siemens:ruggedcom_ros_rsg2100:5, cpe:/o:siemens:ruggedcom_ros_rsg2100p:4, cpe:/o:siemens:ruggedcom_ros_rsg2100p:5, cpe:/o:siemens:ruggedcom_ros_rsg2288:4, cpe:/o:siemens:ruggedcom_ros_rsg2288:5, cpe:/o:siemens:ruggedcom_ros_rsg2300:4, cpe:/o:siemens:ruggedcom_ros_rsg2300:5, cpe:/o:siemens:ruggedcom_ros_rsg2300p:4, cpe:/o:siemens:ruggedcom_ros_rsg2300p:5, cpe:/o:siemens:ruggedcom_ros_rsg2488:4, cpe:/o:siemens:ruggedcom_ros_rsg2488:5, cpe:/o:siemens:ruggedcom_ros_rsg900:4, cpe:/o:siemens:ruggedcom_ros_rsg900:5, cpe:/o:siemens:ruggedcom_ros_rsg900g:4, cpe:/o:siemens:ruggedcom_ros_rsg900g:5, cpe:/o:siemens:ruggedcom_ros_rsg920p:4, cpe:/o:siemens:ruggedcom_ros_rsg920p:5

Required KB Items: Tenable.ot/Siemens

Exploit Ease: No known exploits are available

Patch Publication Date: 7/13/2021

Vulnerability Publication Date: 7/13/2021

Reference Information

CVE: CVE-2021-31895

CWE: 120, 787

ICSA: 21-194-10