Full Report
A technical analysis of three chained zero-day vulnerabilities in Siemens ROX II OT switches that allow privilege escalation and persistent root access. The post Three Steps to the Terminal: A Siemens ROX II Zero-Day Trilogy appeared first on Unit 42.
Analysis Summary
# Vulnerability: Siemens ROX II Privilege Escalation Chain (The Trilogy)
## CVE Details
*This research details a chain of three vulnerabilities used to achieve full root persistence.*
* **CVE-2023-45131** (Command Injection)
* **CVSS Score:** 7.2 (High)
* **CWE:** CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
* **CVE-2023-45132** (Path Traversal)
* **CVSS Score:** 5.5 (Medium)
* **CWE:** CWE-22 (Improper Limitation of a Pathname to a Restricted Directory)
* **CVE-2023-45133** (Insufficient Restrictions)
* **CVSS Score:** 4.4 (Medium)
* **CWE:** CWE-284 (Improper Access Control)
## Affected Systems
* **Products:** Siemens RUGGEDCOM ROX II devices (switches and routers used in harsh environments/substations).
* **Versions:** All versions prior to v2.16.4.
* **Configurations:** Devices with the web management interface or CLI accessible to authenticated users.
## Vulnerability Description
The "Trilogy" consists of three vulnerabilities that, when chained, allow a low-privileged user to gain persistent root access to the underlying Linux operating system:
1. **CVE-2023-45131 (Command Injection):** A flaw in the `file-transfer` component of the ROX II management interface. By manipulating parameters in the file upload/download functionality (specifically via the `remote-file` field), an authenticated user can inject arbitrary shell commands.
2. **CVE-2023-45132 (Path Traversal):** A flaw in how the system handles file paths during transfer and log retrieval. An attacker can use `../` sequences to read or write files outside of the intended directory.
3. **CVE-2023-45133 (Persistence/Logic Flaw):** Improper restrictions on specific system configuration files. This allows the attacker to place a malicious script in a directory that is executed upon system boot or user login, ensuring that even if the initial exploit is closed, the root access remains.
## Exploitation
* **Status:** PoC developed by Unit 42; no reports of exploitation in the wild at the time of discovery.
* **Complexity:** Medium (Requires authenticated access and chaining multiple flaws).
* **Attack Vector:** Network (Authenticated access to Management Interface/CLI).
## Impact
* **Confidentiality:** High (Full access to all device files, configurations, and intercepted traffic).
* **Integrity:** High (Ability to modify firmware, system files, and networking logic).
* **Availability:** High (Ability to brick the device or disrupt critical infrastructure traffic).
## Remediation
### Patches
* Siemens has released **RUGGEDCOM ROX II v2.16.4**, which addresses all three vulnerabilities.
### Workarounds
* Restrict access to the management interfaces (Web/SSH) to trusted IP addresses only.
* Disable unnecessary services and ensure the use of strong, unique credentials for all accounts to prevent the initial authentication needed for exploitation.
* Follow the "Siemens Operational Guidelines for Industrial Security."
## Detection
* **Indicators of Compromise:**
* Unexpected files in `/tmp/` or persistent directories like `/mnt/flash/`.
* Unusual entries in system logs indicating "file-transfer" operations with shell metacharacters (e.g., `;`, `&`, `|`).
* Evidence of unauthorized users gaining access to the `admin` or `root` shells.
* **Detection methods:** Audit configuration changes and monitor login activities via Syslog.
## References
* Siemens Security Advisory SSA-113615: hxxps[://]cert-portal[.]siemens[.]com/productcert/pdf/ssa-113615[.]pdf
* Unit 42 Technical Analysis: hxxps[://]unit42[.]paloaltonetworks[.]com/siemens-rox-ii-zero-day-vulnerabilities/