ICSA-12-354-01A  ·  Published 2025-06-18

Ruggedcom ROS Hard-Coded RSA SSL Private Key

CVSS 4.3 MEDIUM

CVEs (1)

Remediations

  • ROS Update v3.12 has been produced to mitigate these issues and can be obtained from the RuggedCom Customer Support Team. Full information can be found at this link: (http://www.ruggedcom.com/productbulletin/ros-security-page/).
  • ROX device customers are strongly encouraged to change their SSL and SSH keys. Application notes exist that explain how to change the SSL and SSH keys. Please consult App Note AN17 for ROX1.x versions of the firmware and App Note AN16 for ROX 2.x. These application notes can be obtained from RuggedCom’s Customer Support Team.
  • For the RuggedMax SSH service, the customer has the capability to generate new keys. Each device (subscriber or base station) can be triggered to generate a new SSH key by deleting the current key. Customers are strongly encouraged to generate new keys. A procedure on how to generate a new SSH key can be obtained from the RuggedCom Customer Support Team.
  • For HTTPS access, a temporary solution exists with the current version of firmware: disable HTTPS access. For details on this procedure please contact the RuggedCom Customer Support Team.
  • Siemens recommends the following mitigation strategies when deploying RuggedCom devices: Do not connect ROS or RuggedMax devices directly to an untrusted network such as the Internet. Establish a VPN solution to connect to an untrusted network such as the Internet. Check for any signs of unauthorized access to a device (e.g., by reviewing syslogs). Use industry best practices for security such as those defined by NERC-CIP.

Affected Vendors

Siemens

Affected Products (4)

Siemens · Rugged OS <=3.11
Siemens · ROX I OS firmware used by RX1000 and RX1100 series products. ROX I <=ROX_v1.14.5
Siemens · ROX II OS firmware used by RX5000 and RX1500 series products. ROX II <=ROX_v2.3.0
Siemens · RuggedMax Operating System Firmware used by the Win7000 and Win7200 base station units and the Win5100 and Win5200 subscriber (CPE) devices <=4.2.1.4621.22
