Rewterz Threat Advisory – Siemens RUGGEDCOM ROX II Multiple Vulnerabilities

Severity

High

Analysis Summary

CVE-2018-5379

The shipped version of the Quagga BGP daemon (bgpd) can double free memory when processing certain forms of UPDATE messages, containing cluster-list and/or unknown attributes. A successful attack could cause a denial of service or allow an attacker to execute arbitrary code.

CVE-2018-5380

The shipped version of the Quagga BGP daemon (bgpd) can overrun internal BGP code-to-string conversion tables used for debug by 1 pointer value, based on input.

The vulnerability could be exploited by an attacker spoofing a malicious BGP code-point. Successful exploitation requires the attacker to be in the position of a configured, trusted BGP peer.

CVE-2018-5381

The shipped version of the Quagga BGP daemon (bgpd) has a bug in its parsing of “Capabilities” in BGP OPEN messages. The parser can enter an infinite loop on invalid capabilities, causing a denial of service.

The vulnerability could be exploited by an attacker spoofing a malicious BGP OPEN message. Successful exploitation requires the attacker to be in the position of a configured, trusted BGP peer.

Impact

• Denial of service
• Execution of arbitrary code

Affected Vendors

Siemens

Affected Products

RUGGEDCOM ROX II

Remediation

Vendor has provided firmware update v2.13.0 to fix these vulnerabilities.

The firmware updates for RUGGEDCOM ROX-based devices can be obtained by contacting the RUGGEDCOM support team.

https://support.industry.siemens.com/my/WW/en/requests#createRequest

Siemens has identified the following specific workarounds and mitigation users can apply to reduce the risk:

• Disable the BGP routing service if not in use in your setup.
• Configure BGP passwords to authenticate BGP neighbors.