Executive Summary

Summary

Title: RuggedCom Rugged Operating System (ROS) contains hard-coded user account with predictable password

Information

Name: VU#889195
Vendor: VU-CERT
Severity (Vendor): N/A
First vendor publication: 2012-04-24
Last vendor modification: 2012-05-29
Revision: M

Security-Database Scoring CVSS v3

Cvss vector: N/A
Overall CVSS Score: NA
Base Score: NA
Impact SubScore: NA
Exploitability SubScore: NA
Environmental Score: NA
Temporal Score: NA

Security-Database Scoring CVSS v2

Cvss vector: (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Cvss Base Score: 8.5
Cvss Impact Score: 10
Cvss Exploit Score: 6.8
Attack Range: Network
Attack Complexity: Medium
Authentication: Requires single instance

Detail

Vulnerability Note VU#889195

RuggedCom Rugged Operating System (ROS) contains hard-coded user account with predictable password

Original Release date: 24 Apr 2012 | Last revised: 29 May 2012

Overview

RuggedCom Rugged Operating System (ROS) contains a hard-coded user account with a predictable password.

Description

RuggedCom Rugged Operating System (ROS), used in RuggedCom network infrastructure devices, contains a hard-coded user account named "factory" that cannot be disabled. The password for this account is based on the device's MAC address and can be reverse engineered easily (CWE-261: Weak Cryptography for Passwords).

ROS also supports HTTP(S) and ssh services. In ROS 3.3.x, these services do not use the factory account. ROS does not appear to log successful or unsuccessful login attempts for the factory account.

More information is available in "Undocumented Backdoor Access to RuggedCom Devices" and RuggedCom's security bulletin.

Impact

An attacker with knowledge of an ROS device's MAC address may be able to gain complete administrative control of the device. The MAC address is displayed in the pre-authentication banner.

Solution

We are currently unaware of a practical solution to this problem.

According to RuggedCom's security bulletin, "Version 3.10.1 of the ROS® firmware with security related fixes will be released on Tuesday May 22, 2012 and can be obtained by emailing support@ruggedcom.com. Other ROS® firmware versions containing the same security fixes (3.9.3, 3.8.5, 3.7.9 & 3.11.0) will be released over the next few weeks on a staggered basis as development and testing is completed."

Workarounds

ROS 3.3.x allows users to disable the rsh service and set the number of allowed telnet connections to 0. ROS 3.2.x does not allow the rsh or telnet services to be disabled.
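
The Solution and Workarounds sections above can be turned into an inventory triage. The following Python sketch is an added example, not part of the CERT note or RuggedCom's bulletin; the hostnames and inventory are constructed, and it assumes that later patch levels within a fixed branch keep the fix.

```python
import re

# Fixed releases named in RuggedCom's bulletin as quoted above,
# keyed by (major, minor) branch -> first fixed patch level.
FIXED = {(3, 7): 9, (3, 8): 5, (3, 9): 3, (3, 10): 1, (3, 11): 0}

def parse_version(text):
    """Return (major, minor, patch) from a string such as 'v3.8.4' or '3.10.1'."""
    m = re.fullmatch(r"\s*v?(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised ROS version: {text!r}")
    return tuple(int(g) for g in m.groups())

def triage(version_text):
    """Classify a device as 'fixed', 'affected' or 'unlisted', with a note from the advisory."""
    major, minor, patch = parse_version(version_text)
    branch = (major, minor)
    if branch in FIXED:
        if patch >= FIXED[branch]:  # assumption: later patches keep the fix
            return "fixed", "at or above the fixed release for this branch"
        return "affected", f"upgrade to {major}.{minor}.{FIXED[branch]} or later"
    if branch == (3, 3):
        return "affected", "disable rsh; set allowed telnet connections to 0"
    if branch == (3, 2):
        return "affected", "rsh and telnet cannot be disabled on this branch"
    return "unlisted", "branch not named in the advisory; confirm with the vendor"

# Constructed sample inventory: hostname -> ROS version reported by the device.
INVENTORY = {
    "sub-a-sw1": "3.8.4",
    "sub-a-sw2": "v3.3.2",
    "sub-b-sw1": "3.2.5",
    "rtu-gw-02": "3.10.1",
    "yard-sw-7": "3.6.0",
}

def report(inventory):
    """Triage every device; returns {hostname: (status, note)} in hostname order."""
    return {host: triage(ver) for host, ver in sorted(inventory.items())}

if __name__ == "__main__":
    for host, (status, note) in report(INVENTORY).items():
        print(f"{host:<10} {INVENTORY[host]:<8} {status:<9} {note}")
```

Because the advisory states that ROS does not appear to log factory-account logins, a "fixed" result here reflects firmware level only and says nothing about prior access.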

Vendor Information

Vendor      Status     Date Notified   Date Updated
RuggedCom   Affected   10 Feb 2012     01 May 2012
Siemens     Affected   -               24 Apr 2012

CVSS Metrics

Group           Score   Vector
Base            8.5     AV:N/AC:M/Au:S/C:C/I:C/A:C
Temporal        7.3     E:POC/RL:W/RC:C
Environmental   1.8     CDP:ND/TD:L/CR:ND/IR:ND/AR:ND

References

  • http://seclists.org/fulldisclosure/2012/Apr/277
  • http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-116-01.pdf
  • http://arstechnica.com/business/news/2012/04/backdoor-in-mission-critical-hardware-threatens-power-traffic-control-systems.ars
  • http://www.wired.com/threatlevel/2012/04/ruggedcom-backdoor/
  • http://www.ruggedcom.com/products/index.php
  • http://www.ruggedcom.com/support/software/index.php
  • http://cwe.mitre.org/data/definitions/261.html
  • http://www.ruggedcom.com/productbulletin/ros-security-page/
  • https://www.us-cert.gov/control_systems/pdf/ICSA-12-146-01.pdf

Credit

Thanks to Justin W. Clarke, an independent security researcher in San Francisco, California, for reporting this vulnerability.

This document was written by Michael Orlando and Art Manion.

Other Information

  • CVE IDs: CVE-2012-1803
  • Date Public: 23 Apr 2012
  • Date First Published: 24 Apr 2012
  • Date Last Updated: 29 May 2012
  • Document Revision: 51


Original Source

Url : http://www.kb.cert.org/vuls/id/889195

CWE : Common Weakness Enumeration

% Id Name
50 % CWE-521 Weak Password Requirements
50 % CWE-310 Cryptographic Issues

CPE : Common Platform Enumeration

Type   Description   Count
Os                   11

ExploitDB Exploits

id Description
2012-04-24 RuggedCom Devices Backdoor Access

OpenVAS Exploits

Date Description
2012-06-21 Name : Rugged Operating System Backdoor Unauthorized Access Vulnerability
File : nvt/gb_rugged_operating_system_53215.nasl

Snort® IPS/IDS

Date Description
2014-01-10 RuggedCom default backdoor login attempt
RuleID : 21938 - Revision : 6 - Type : PROTOCOL-TELNET

Alert History

Date Information
2020-05-23 13:17:16
  • Multiple Updates