A CSRF bug received a CVSS score of 8.8 owing to the possibility of a remote attacker executing administrative operations.

Two flaws have been detected in Siemens' RUGGEDCOM NMS line of network management tools that could open the equipment up to remote exploitation.

According to an advisory (ICSA-17-059-01) from the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), all versions prior to v2.1.0 (Windows and Linux) of the company's RUGGEDCOM NMS suffer from both a cross-site scripting (XSS) vulnerability and a cross-site request forgery (CSRF) vulnerability.

The CSRF bug received a CVSS score of 8.8 owing to the possibility of a remote attacker executing administrative operations, "provided the targeted user has an active session and is induced to trigger a malicious request."

To patch the flaw, Siemens advised users to update RUGGEDCOM software and firmware immediately.

Further, to minimize the risk of exploitation of these flaws, NCCIC/ICS-CERT recommended that users take defensive measures. Specifically, users should:

  • Minimize network exposure for all control system devices and/or systems, and ensure that they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls, and isolate them from the business network.
  • When remote access is required, use secure methods, such as Virtual Private Networks (VPNs), recognizing that VPNs may have vulnerabilities and should be updated to the most current version available. Also recognize that a VPN is only as secure as the devices connected to it.
  • Perform proper impact analysis and risk assessment prior to deploying defensive measures, as ICS-CERT reminds organizations to do.

This alert is the second this year regarding Siemens products. On Feb. 14, ICS-CERT issued an advisory warning that devices using Siemens' SIMATIC Logon software were vulnerable to an authentication bypass. Siemens issued a fix.