Friday, April 27, 2012

Full Disclosure: RuggedCom - Backdoor Accounts in my SCADA network? You don't say...

Author: jc
Organization: JC CREW
Date: April 23, 2012
CVE: CVE-2012-1803

Background:
RuggedCom is one of a handful of networking vendors who capitalize on
the market for "Industrial Strength" and "Hardened" networking
equipment. You'll find their gear installed in traffic control
systems, railroad communications systems, power plants, electrical
substations, and even US military sites. Beyond simple L2 and L3
networking these devices are also used for serial-to-ip converstion in
SCADA systems and they even support modbus and dnp3. RuggedCom
published a handy guide to some of their larger customers at
www.ruggedcom.com/about/customers/. My favorite quote is from a
contractor who installed RuggedCom equipment at a US Air Force base:
"Reliability was not an option." How unfortunately apropos.

Problem:
An undocumented backdoor account exists within all released versions
of RuggedCom's Rugged Operating System (ROS®). The username for the
account, which cannot be disabled, is "factory" and its password is
dynamically generated based on the device's MAC address. Multiple
attempts have been made in the past 12 months to have this backdoor
removed and customers notified...

http://seclists.org/fulldisclosure/2012/Apr/277