Full Report
The RUGGEDCOM RCDP protocol is not properly configured after commissioning of RUGGEDCOM ROS based devices and some SCALANCE X switch models, and could allow unauthenticated remote users to perform administrative operations. An attacker must be on the same adjacent network and the RCDP daemon must be enabled in order to exploit the vulnerability. Siemens has released new versions for the affected products and recommends updating to the latest versions.
Analysis Summary
# Vulnerability: Unauthenticated Administrative Operations via RCDP Default Configuration
## CVE Details
- CVE ID: CVE-2017-12736
- CVSS Score: 8.8 (High)
- CWE: CWE-1188: Initialization of a Resource with an Insecure Default
## Affected Systems
- Products: RUGGEDCOM ROS based devices (including RUGGEDCOM i800) and certain SCALANCE X switch models named in the Siemens advisory (SCALANCE XR-500, XM-400, XB-200, XC-200, XP-200 and XR300-WG series).
- Versions: For RUGGEDCOM i800/ROS, versions prior to V6.1.1 (i.e. up to and including V6.1.0) are affected. Other products have their own fixed versions; consult SSA-856721 for the per-product list.
- Configurations: The RCDP daemon must be enabled on the device.
## Vulnerability Description
The RUGGEDCOM Discovery Protocol (RCDP) is a link-local (Layer 2) protocol used to discover and commission devices, which is why the attack vector is "adjacent" rather than "network": RCDP frames are not routed, so the attacker must sit on the same broadcast domain as the target. On affected devices RCDP is left enabled, and its administrative functions left unprotected, after the initial commissioning phase. An unauthenticated attacker on the same segment can therefore send crafted RCDP traffic that the daemon accepts without any authentication, and use it to perform administrative operations on the device.
## Exploitation
- Status: No public proof-of-concept is referenced in the advisory or in this summary. The vendor confirms that unauthenticated administrative operations are possible, so the absence of a published PoC should not lower the priority of the fix.
- Complexity: Low (AC:L). No authentication or user interaction is required; the attacker needs only Layer-2 adjacency and an RCDP daemon left in its default enabled state.
- Attack Vector: Adjacent (AV:A)
## Impact
- Confidentiality: High (C:H)
- Integrity: High (I:H - Unauthorized administrative operations)
- Availability: High (A:H - Potential for disruption via administrative actions)
## Remediation
### Patches
- **RUGGEDCOM i800/ROS:** Update to Version **V6.1.1 or later**.
- General recommendation is to update to the latest versions provided by Siemens.
### Workarounds
- **Manually deactivate RCDP:** Customers should manually deactivate the RCDP protocol following the instructions provided in the respective product user guides. This measure completely mitigates the vulnerability for CVE-2017-12736.
- **Network Segmentation:** Apply general security recommendations by protecting network access and ensuring devices operate within a protected IT environment as per Siemens operational guidelines for Industrial Security.
## Detection
- **Indicators of Compromise:** Unexpected RCDP traffic directed at affected devices, particularly administrative commands sent from hosts that are not the commissioning workstation. Successful exploitation shows up as configuration changes on the device that were not initiated through an authenticated management channel; compare running configurations against the last approved baseline.
- **Detection Methods and Tools:** Because RCDP is link-local, packet-level monitoring has to be performed on the affected Layer-2 segment (a SPAN/mirror port or a network tap), using a monitoring tool capable of decoding RCDP and flagging administrative operations from unauthorized sources. Independently of traffic monitoring, a configuration audit of the device fleet (firmware version and RCDP daemon state) identifies devices that are still exposed.
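The configuration audit mentioned above, and the remediation decision in the previous section (patch, or disable RCDP where patching is not yet possible), can be automated over a device inventory. The following is an added example written for this page; it is not Siemens tooling and the inventory format, device names and firmware versions are constructed for illustration. The only fix threshold encoded is the one this page states (RUGGEDCOM i800/ROS: V6.1.1); products without a known threshold are reported for manual review against SSA-856721 rather than guessed.

```python
"""Fleet triage for CVE-2017-12736 (RCDP left enabled after commissioning).

Added example, not vendor code. The inventory format is an assumption: in
practice the fields would be exported from the device's configuration/status.
"""
from dataclasses import dataclass

# Fixed versions stated on this page. Other affected products (SCALANCE X
# models) have their own thresholds in SSA-856721 and are deliberately absent.
FIXED_VERSIONS = {
    "RUGGEDCOM i800": (6, 1, 1),
    "RUGGEDCOM ROS": (6, 1, 1),
}


@dataclass
class Device:
    name: str
    product: str
    version: str        # firmware version string as reported, e.g. "V4.3.3"
    rcdp_enabled: bool  # RCDP daemon state from the device configuration


def parse_version(text: str) -> tuple:
    """Turn 'V6.1.1', 'v6.1', '6.1.1-hotfix' into a comparable (major, minor, patch)."""
    body = text.strip().lstrip("vV")
    parts = []
    for piece in body.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_patched(product: str, version: str):
    """True/False when a threshold is known for the product, None otherwise."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return None
    return parse_version(version) >= fixed


def assess(dev: Device) -> str:
    """Classify one device.

    patched         - firmware at or above the fixed version
    mitigated       - not patched (or unknown) but RCDP disabled: workaround in place
    vulnerable      - below the fixed version with RCDP enabled
    check-advisory  - RCDP enabled and no threshold known here: verify against SSA-856721
    """
    patched = is_patched(dev.product, dev.version)
    if patched is True:
        return "patched"
    if not dev.rcdp_enabled:
        return "mitigated"
    if patched is False:
        return "vulnerable"
    return "check-advisory"


def triage(devices) -> dict:
    """Map device name -> status for the whole inventory."""
    return {d.name: assess(d) for d in devices}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("sub1-ros-a", "RUGGEDCOM ROS", "V4.3.3", True),
    Device("sub1-ros-b", "RUGGEDCOM ROS", "V6.1.1", True),
    Device("sub2-i800", "RUGGEDCOM i800", "V6.1.0", False),
    Device("ring-xm400", "SCALANCE XM-400", "V6.0.0", True),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:12s} {status}")
```

Devices reported as `vulnerable` need either the firmware update or RCDP deactivated; `mitigated` devices are protected by the workaround but should still be scheduled for the update, since a later re-enable of RCDP would re-expose them.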
## References
- Siemens Security Advisory: SSA-856721
- Siemens Security Portal General Guidelines: hXXps://www.siemens.com/cert/operational-guidelines-industrial-security
- Siemens Product Support Link (for updates): hXXps://support.industry.siemens.com/cs/ww/en/view/109755475/