Two flaws have been detected in the Siemens RUGGEDCOM NMS line of network management tools that could open the equipment up to remote exploitation.
According to an advisory (ICSA-17-059-01) from the Department of Homeland Security's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), all versions prior to v2.1.0 (Windows and Linux) of the company's RUGGEDCOM NMS suffer from both a cross-site scripting (XSS) vulnerability and a cross-site request forgery (CSRF) vulnerability.
The CSRF bug was assigned a CVSS score of 8.8 owing to the possibility of a remote attacker executing administrative operations, "provided the targeted user has an active session and is induced to trigger a malicious request."
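The quoted condition is the textbook CSRF setup: the browser attaches the victim's session cookie to any request, including one triggered from a page the attacker controls, so a handler that authorises on the cookie alone cannot tell a forged request from a genuine click. The following is an added illustration, not Siemens' or ICS-CERT's code and not a model of RUGGEDCOM NMS internals: a toy admin endpoint in its cookie-only form beside a hardened form that also requires POST, a matching `Origin` header and a per-session CSRF token. The endpoint path, origin `https://nms.example` and the session layout are assumptions.

```python
"""Added example: a cookie-only admin handler beside a CSRF-hardened one.
Everything here (paths, origins, session store) is constructed for
illustration; it is not the product's code."""
import hmac
import secrets
from dataclasses import dataclass, field

SITE_ORIGIN = "https://nms.example"  # assumed origin of the management console


@dataclass
class Session:
    user: str
    role: str
    # Per-session anti-CSRF token, issued at login and embedded in forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


# Constructed in-memory session store: cookie value -> session record.
SESSIONS: dict[str, Session] = {}


def login(user: str, role: str) -> str:
    """Create an authenticated session and return the cookie value."""
    cookie = secrets.token_urlsafe(32)
    SESSIONS[cookie] = Session(user, role)
    return cookie


@dataclass
class Request:
    method: str
    path: str
    cookies: dict
    form: dict
    headers: dict


def vulnerable_admin_action(req: Request) -> tuple[int, str]:
    """Authorises on the session cookie alone. Because browsers send that
    cookie automatically, a cross-site form post from a logged-in victim
    passes this check exactly like the victim's own request."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None or sess.role != "admin":
        return 403, "forbidden"
    return 200, f"{sess.user} ran {req.form.get('action')}"


def hardened_admin_action(req: Request, site_origin: str = SITE_ORIGIN) -> tuple[int, str]:
    """Same authorisation, plus three CSRF defences: state changes only via
    POST, the Origin header must be the console's own origin, and the form
    must carry the token bound to this session."""
    sess = SESSIONS.get(req.cookies.get("session", ""))
    if sess is None or sess.role != "admin":
        return 403, "forbidden"
    if req.method != "POST":
        return 405, "state change requires POST"
    if req.headers.get("Origin") != site_origin:
        return 403, "origin mismatch"
    token = req.form.get("csrf_token", "")
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not hmac.compare_digest(token.encode(), sess.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"{sess.user} ran {req.form.get('action')}"


def demo() -> dict:
    """Run a forged cross-site request and a genuine one through both handlers."""
    cookie = login("admin", "admin")
    # Forged: the victim's cookie rides along, but the request originates from
    # another site and carries no token (it cannot read the token cross-origin).
    forged = Request("POST", "/admin/config", {"session": cookie},
                     {"action": "reset_device"},
                     {"Origin": "https://other-site.example"})
    # Genuine: submitted from the console's own form, token included.
    genuine = Request("POST", "/admin/config", {"session": cookie},
                      {"action": "reset_device",
                       "csrf_token": SESSIONS[cookie].csrf_token},
                      {"Origin": SITE_ORIGIN})
    return {
        "forged_vulnerable": vulnerable_admin_action(forged)[0],
        "forged_hardened": hardened_admin_action(forged)[0],
        "genuine_hardened": hardened_admin_action(genuine)[0],
    }


if __name__ == "__main__":
    print(demo())
```

The forged request is accepted by the cookie-only handler and rejected by the hardened one, while the genuine request still succeeds; in a real deployment the token check is usually paired with `SameSite` cookies, and the `Origin` check should fall back to `Referer` for clients that omit `Origin`.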
To patch the flaws, Siemens advised users to update RUGGEDCOM software and firmware immediately.
Further, to minimize the risk of exploitation of these flaws, NCCIC/ICS-CERT recommended users take defensive measures. Specifically, users should:
This alert is the second this year regarding Siemens products. On Feb. 14, ICS-CERT issued an advisory warning that devices using Siemens' SIMATIC Logon software were vulnerable to an authentication bypass. Siemens issued a fix.